Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1562585
MD5:	f7efae8e18598bad4b7edc75a514c644
SHA1:	79ce40b967015b1cc1037e559166d4594220bdfe
SHA256:	e783412a767b1986a491ca58c455349e569fe078a1c03e9993d6c02ef459cc8b
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7704 cmdline: "C:\Users\user\Desktop\file.exe" MD5: F7EFAE8E18598BAD4B7EDC75A514C644)

taskkill.exe (PID: 7720 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7856 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7920 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7984 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 8048 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 8056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 8112 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8148 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8164 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 3760 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2264 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2204 -prefsLen 25298 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16325912-49ac-40f1-bda4-2cac4c4c2137} 8164 "\\.\pipe\gecko-crash-server-pipe.8164" 26487e6e910 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5668 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3684 -parentBuildID 20230927232528 -prefsHandle 4052 -prefMapHandle 4048 -prefsLen 26313 -prefMapSize 238442 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d996e0e9-af63-49e3-adbf-964172d0344a} 8164 "\\.\pipe\gecko-crash-server-pipe.8164" 2649a108510 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 636 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5424 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5456 -prefMapHandle 5472 -prefsLen 33481 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {13e771dd-665e-4a33-a08c-b3d742946c3d} 8164 "\\.\pipe\gecko-crash-server-pipe.8164" 26493ede710 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 7704	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0076EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0076EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0076ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0076ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0076EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0075AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0075AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00789576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00789576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b0eea8ef-b
Source: file.exe, 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_611b86f5-7
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e2a20302-2
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_ca8bee9b-2

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000001C6E57521F2 NtQuerySystemInformation,		18_2_000001C6E57521F2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000001C6E575A237 NtQuerySystemInformation,		18_2_000001C6E575A237

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0075D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0075D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00751201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00751201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0075E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0075E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006FBF40	0_2_006FBF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006F8060	0_2_006F8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00762046	0_2_00762046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00758298	0_2_00758298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0072E4FF	0_2_0072E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0072676B	0_2_0072676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00784873	0_2_00784873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006FCAF0	0_2_006FCAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0071CAA0	0_2_0071CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0070CC39	0_2_0070CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00726DD9	0_2_00726DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0070B119	0_2_0070B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006F91C0	0_2_006F91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00711394	0_2_00711394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00711706	0_2_00711706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0071781B	0_2_0071781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0070997D	0_2_0070997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006F7920	0_2_006F7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007119B0	0_2_007119B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00717A4A	0_2_00717A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00711C77	0_2_00711C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00717CA7	0_2_00717CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0077BE44	0_2_0077BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00729EEE	0_2_00729EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00711F32	0_2_00711F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000001C6E57521F2	18_2_000001C6E57521F2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000001C6E575A237	18_2_000001C6E575A237
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000001C6E5752232	18_2_000001C6E5752232
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000001C6E575291C	18_2_000001C6E575291C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00710A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 006F9CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0070F9F2 appears 40 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/38@69/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007637B5 GetLastError,FormatMessageW,

0_2_007637B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007510BF AdjustTokenPrivileges,CloseHandle,		0_2_007510BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007516C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_007516C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007651CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_007651CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0075D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0075D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0076648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0076648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006F42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_006F42A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7992:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7928:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8056:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7864:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7728:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.1616034197.00000264A2321000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.1616034197.00000264A2321000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000E.00000003.1616034197.00000264A2321000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000E.00000003.1616034197.00000264A2321000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000E.00000003.1616034197.00000264A2321000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000E.00000003.1616034197.00000264A2321000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000E.00000003.1616034197.00000264A2321000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000E.00000003.1616034197.00000264A2321000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000E.00000003.1616034197.00000264A2321000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 23%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2264 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2204 -prefsLen 25298 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16325912-49ac-40f1-bda4-2cac4c4c2137} 8164 "\\.\pipe\gecko-crash-server-pipe.8164" 26487e6e910 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3684 -parentBuildID 20230927232528 -prefsHandle 4052 -prefMapHandle 4048 -prefsLen 26313 -prefMapSize 238442 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d996e0e9-af63-49e3-adbf-964172d0344a} 8164 "\\.\pipe\gecko-crash-server-pipe.8164" 2649a108510 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5424 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5456 -prefMapHandle 5472 -prefsLen 33481 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {13e771dd-665e-4a33-a08c-b3d742946c3d} 8164 "\\.\pipe\gecko-crash-server-pipe.8164" 26493ede710 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2264 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2204 -prefsLen 25298 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16325912-49ac-40f1-bda4-2cac4c4c2137} 8164 "\\.\pipe\gecko-crash-server-pipe.8164" 26487e6e910 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3684 -parentBuildID 20230927232528 -prefsHandle 4052 -prefMapHandle 4048 -prefsLen 26313 -prefMapSize 238442 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d996e0e9-af63-49e3-adbf-964172d0344a} 8164 "\\.\pipe\gecko-crash-server-pipe.8164" 2649a108510 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5424 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5456 -prefMapHandle 5472 -prefsLen 33481 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {13e771dd-665e-4a33-a08c-b3d742946c3d} 8164 "\\.\pipe\gecko-crash-server-pipe.8164" 26493ede710 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000E.00000003.1663035508.000002649C11C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000E.00000003.1663035508.000002649C11C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000E.00000003.1663957236.000002649C116000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000E.00000003.1663957236.000002649C116000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .Pdbr source: firefox.exe, 0000000E.00000003.1672555249.0000026497C8F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1590891608.0000026497E78000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1597532316.0000026497CA3000.00000004.00000800.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006F42DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00710A76 push ecx; ret

0_2_00710A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0070F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0070F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00781C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00781C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96184

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 18_2_000001C6E57521F2 rdtsc

18_2_000001C6E57521F2

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0075DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0075DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0072C2A2 FindFirstFileExW,	0_2_0072C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007668EE FindFirstFileW,FindClose,	0_2_007668EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0076698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0075D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0075D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0075D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0075D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00769642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00769642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0076979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00769B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00769B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00765C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00765C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006F42DE

Source: firefox.exe, 00000010.00000002.3273461266.000001B2EFF40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllY>
Source: firefox.exe, 00000010.00000002.3269529694.000001B2EF66A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3268830024.000001C6E4E8A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3272592073.000001C6E55F0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3268986071.000001816978A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3270166262.0000018169B00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.3272975430.000001B2EFB13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000010.00000002.3273461266.000001B2EFF40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\9
Source: firefox.exe, 00000010.00000002.3269529694.000001B2EF66A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: firefox.exe, 00000010.00000002.3273461266.000001B2EFF40000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3272592073.000001C6E55F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 18_2_000001C6E57521F2 rdtsc

18_2_000001C6E57521F2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0076EAA2 BlockInput,

0_2_0076EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00722622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00722622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006F42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00714CE8 mov eax, dword ptr fs:[00000030h]

0_2_00714CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00750B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00750B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00722622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00722622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0071083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0071083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007109D5 SetUnhandledExceptionFilter,	0_2_007109D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00710C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00710C21

Source: C:\Users\user\Desktop\file.exe

0_2_00751201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00732BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00732BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0075B226 SendInput,keybd_event,

0_2_0075B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007722DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_007722DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00750B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00751663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00751663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00710698 cpuid

0_2_00710698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00768195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00768195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0074D27A GetUserNameW,

0_2_0074D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0072B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0072B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006F42DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7704, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7704, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00771204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00771204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00771806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00771806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	24%	ReversingLabs	Win32.Trojan.AutoitInject
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.195.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.193	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.129.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.78	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
youtube-ui.l.google.com	172.217.19.238	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
reddit.map.fastly.net	151.101.1.140	true	false	high
ipv4only.arpa	192.0.0.170	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.3272692281.000001B2EFA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3272779374.000001C6E56F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3269777320.00000181698D0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678942	firefox.exe, 0000000E.00000003.1592498354.000002649A667000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000014.00000002.3270532691.0000018169DC8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.3272692281.000001B2EFA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3272779374.000001C6E56F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3269777320.00000181698D0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.1625398910.000002649A6A7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1610792917.0000026499E81000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false	high
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000E.00000003.1596904378.000002649BA70000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1666251433.000002649BA6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1486914591.000002649BA73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1568071778.000002649BA6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1487049323.000002649BA6F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000014.00000002.3270532691.0000018169D87000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.3272692281.000001B2EFA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3272779374.000001C6E56F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3269777320.00000181698D0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.1619450690.000002649B9D8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 0000000E.00000003.1506379313.00000264A0372000.00000004.00000800.00020000.00000000.sdmp	false	high
https://shavar.services.mozilla.com	firefox.exe, 0000000E.00000003.1648866892.0000026499686000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1606979596.000002649969A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.1599211613.00000264A02A0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.3272692281.000001B2EFA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3272779374.000001C6E56F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3269777320.00000181698D0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://addons.mozilla.org/user-media/addon_icons/700/700308-64.png?modified=4bc8e79f	firefox.exe, 0000000E.00000003.1506251265.00000264982CD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.1616034197.00000264A2321000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.3272692281.000001B2EFA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3272779374.000001C6E56F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3269777320.00000181698D0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.3272692281.000001B2EFA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3272779374.000001C6E56F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3269777320.00000181698D0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000E.00000003.1641168247.000002649B8F7000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.3272692281.000001B2EFA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3272779374.000001C6E56F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3269777320.00000181698D0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000E.00000003.1633823469.000002649BB25000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.1506379313.00000264A0372000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1513745294.00000264991F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1584748250.00000264991F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1513830813.00000264991F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1513864645.00000264991F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1461364985.0000026497B57000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1594701126.00000264991F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1572571076.00000264991F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1526934482.00000264991F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1523574224.00000264991F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1461076188.0000026497B1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1568432461.00000264991F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1513745294.00000264991F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1460923636.0000026497900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1557580716.00000264991F4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.msn.com	firefox.exe, 0000000E.00000003.1643823875.000002649B091000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1604883672.000002649B08E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.1461232938.0000026497B3A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1461537008.0000026497B73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1461364985.0000026497B57000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1461076188.0000026497B1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1460923636.0000026497900000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.3272692281.000001B2EFA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3272779374.000001C6E56F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3269777320.00000181698D0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.3272692281.000001B2EFA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3272779374.000001C6E56F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3269777320.00000181698D0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.3272692281.000001B2EFA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3272779374.000001C6E56F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3269777320.00000181698D0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/	firefox.exe, 0000000E.00000003.1605651933.000002649A53F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1647557134.0000026499FF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1641954316.000002649B59B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000E.00000003.1631230297.00000264A23CD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.instagram.com/	firefox.exe, 0000000E.00000003.1523195057.000002649934B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.3272692281.000001B2EFA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3272779374.000001C6E56F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3269777320.00000181698D0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.3272692281.000001B2EFA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3272779374.000001C6E56F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3269777320.00000181698D0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://ok.ru/	firefox.exe, 0000000E.00000003.1647806818.0000026499D87000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.elMx_wJzrE6l	firefox.exe, 0000000E.00000003.1637032452.00000264A03B0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/	firefox.exe, 0000000E.00000003.1618722071.000002649BB42000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.3272692281.000001B2EFA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3272779374.000001C6E56F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3269777320.00000181698D0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000E.00000003.1633823469.000002649BB25000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.3272692281.000001B2EFA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3272779374.000001C6E56F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3269777320.00000181698D0000.00000002.10000000.00040000.00000000.sdmp	false	high
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	firefox.exe, 0000000E.00000003.1588344591.0000026493C7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1587006335.0000026493C7D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.	firefox.exe, 00000010.00000002.3270754644.000001B2EF9C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3269895186.000001C6E50E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3272401824.0000018169E03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	high
https://www.youtube.com/	firefox.exe, 0000000E.00000003.1618722071.000002649BB42000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3269895186.000001C6E5003000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3270532691.0000018169D0C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.3272692281.000001B2EFA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3272779374.000001C6E56F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3269777320.00000181698D0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://MD8.mozilla.org/1/m	firefox.exe, 0000000E.00000003.1507116049.000002649A170000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.1648866892.00000264996A0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000014.00000002.3270532691.0000018169DC8000.00000004.00000800.00020000.00000000.sdmp	false	high
http://127.0.0.1:	firefox.exe, 0000000E.00000003.1644991473.000002649A53F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1605651933.000002649A53F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3272692281.000001B2EFA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3272779374.000001C6E56F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3269777320.00000181698D0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.1592498354.000002649A667000.00000004.00000800.00020000.00000000.sdmp	false	high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.1512567944.000002649909A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1650837180.0000026499098000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mo	firefox.exe, 0000000E.00000003.1599070060.00000264A2317000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.3272692281.000001B2EFA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3272779374.000001C6E56F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3269777320.00000181698D0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false	high
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	firefox.exe, 00000010.00000002.3270754644.000001B2EF9C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3269895186.000001C6E50E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3272401824.0000018169E03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	high
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000E.00000003.1633823469.000002649BB25000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/	firefox.exe, 00000014.00000002.3270532691.0000018169D13000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.3272692281.000001B2EFA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3272779374.000001C6E56F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3269777320.00000181698D0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.3272692281.000001B2EFA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3272779374.000001C6E56F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3269777320.00000181698D0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.3272692281.000001B2EFA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3272779374.000001C6E56F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3269777320.00000181698D0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.iqiyi.com/	firefox.exe, 0000000E.00000003.1488647963.00000264A0095000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1647806818.0000026499D87000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=https://accounts.google.co	firefox.exe, 00000014.00000002.3270251449.0000018169C90000.00000004.00000020.00020000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.	places.sqlite-wal.14.dr	false	high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.3272692281.000001B2EFA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3272779374.000001C6E56F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3269777320.00000181698D0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.3272692281.000001B2EFA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3272779374.000001C6E56F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3269777320.00000181698D0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.3272692281.000001B2EFA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3272779374.000001C6E56F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3269777320.00000181698D0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000E.00000003.1641168247.000002649B8F7000.00000004.00000800.00020000.00000000.sdmp	false	high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.3272692281.000001B2EFA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3272779374.000001C6E56F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3269777320.00000181698D0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.3272692281.000001B2EFA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3272779374.000001C6E56F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3269777320.00000181698D0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.3272692281.000001B2EFA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3272779374.000001C6E56F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3269777320.00000181698D0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.3272692281.000001B2EFA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3272779374.000001C6E56F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3269777320.00000181698D0000.00000002.10000000.00040000.00000000.sdmp	false	high
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.1619666237.000002649B993000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1512674848.000002649908F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1526934482.000002649919D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1591294159.0000026497EEF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1573123763.00000264984F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1586240437.0000026499060000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1573026938.000002649905E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1606768581.0000026499FF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1520421664.000002649936A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1606424944.000002649A0C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1572127218.000002649930F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1471109254.0000026497EFA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1597022436.000002649BA53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1522786015.000002649936A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1671674702.00000264990D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1512567944.000002649909A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1558339938.00000264990D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1558402581.00000264990A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1512764132.000002649905E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1591294159.0000026497EDA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1523462745.000002649931C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://account.bellmedia.c	firefox.exe, 0000000E.00000003.1603499856.000002649B12D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://login.microsoftonline.com	firefox.exe, 0000000E.00000003.1603499856.000002649B12D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.3272692281.000001B2EFA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3272779374.000001C6E56F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3269777320.00000181698D0000.00000002.10000000.00040000.00000000.sdmp	false	high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	high
https://www.zhihu.com/	firefox.exe, 0000000E.00000003.1647806818.0000026499D87000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.1602196246.000002649B918000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1605275326.000002649B027000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1619821599.000002649B918000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.1602196246.000002649B918000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1605275326.000002649B027000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1619821599.000002649B918000.00000004.00000800.00020000.00000000.sdmp	false	high
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000E.00000003.1596904378.000002649BA70000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1666251433.000002649BA6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1486914591.000002649BA73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1568071778.000002649BA6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1487049323.000002649BA6F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.3272692281.000001B2EFA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3272779374.000001C6E56F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3269777320.00000181698D0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000E.00000003.1648307505.0000026499C7D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000E.00000003.1633823469.000002649BB1B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000E.00000003.1506379313.00000264A0372000.00000004.00000800.00020000.00000000.sdmp	false	high
https://profiler.firefox.com	firefox.exe, 00000010.00000002.3272692281.000001B2EFA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3272779374.000001C6E56F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3269777320.00000181698D0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000E.00000003.1463452465.000002649561B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1462916340.0000026495633000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1563094548.000002649563A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1463612066.0000026495632000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1595582612.000002649563A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000E.00000003.1650121638.00000264995BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1608303092.00000264995B9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.3272692281.000001B2EFA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3272779374.000001C6E56F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3269777320.00000181698D0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.1603499856.000002649B154000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1643785962.000002649B15A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000E.00000003.1463452465.000002649561B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1462916340.0000026495633000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1563094548.000002649563A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1588344591.0000026493C7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1463612066.0000026495632000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1595582612.000002649563A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1587006335.0000026493C7D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000E.00000003.1648866892.00000264996A0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000E.00000003.1508315177.0000026498D87000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3272692281.000001B2EFA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3272779374.000001C6E56F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3269777320.00000181698D0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/preferences	firefox.exe, 00000010.00000002.3272692281.000001B2EFA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3272779374.000001C6E56F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3269777320.00000181698D0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://screenshots.firefox.com/	firefox.exe, 0000000E.00000003.1460923636.0000026497900000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/search	firefox.exe, 0000000E.00000003.1602053116.000002649B98B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1572571076.00000264991F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1526934482.00000264991F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1523574224.00000264991F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1461076188.0000026497B1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1568432461.00000264991F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1513745294.00000264991F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1460923636.0000026497900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1557580716.00000264991F4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://gpuweb.github.io/gpuweb/	firefox.exe, 0000000E.00000003.1641168247.000002649B8F7000.00000004.00000800.00020000.00000000.sdmp	false	high
https://relay.firefox.com/api/v1/	firefox.exe, 00000010.00000002.3272692281.000001B2EFA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3272779374.000001C6E56F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3269777320.00000181698D0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 00000010.00000002.3272692281.000001B2EFA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3272779374.000001C6E56F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3269777320.00000181698D0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://topsites.services.mozilla.com/cid/	firefox.exe, 00000010.00000002.3272692281.000001B2EFA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3272779374.000001C6E56F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3269777320.00000181698D0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://twitter.com/	firefox.exe, 0000000E.00000003.1618722071.000002649BB42000.00000004.00000800.00020000.00000000.sdmp	false	high
https://vk.com/	firefox.exe, 0000000E.00000003.1647806818.0000026499D87000.00000004.00000800.00020000.00000000.sdmp	false	high
https://poczta.interia.pl/mh/?mailto=%s	firefox.exe, 0000000E.00000003.1463452465.000002649561B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1462916340.0000026495633000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1563094548.000002649563A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1588344591.0000026493C7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1463612066.0000026495632000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1595582612.000002649563A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1587006335.0000026493C7D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4	firefox.exe, 0000000E.00000003.1633823469.000002649BB25000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
151.101.129.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
142.250.181.78	youtube.com	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562585
Start date and time:	2024-11-25 18:34:39 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/38@69/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 95% Number of executed functions: 40 Number of non-executed functions: 312
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.32.237.164, 52.27.142.243, 34.209.229.249, 172.217.17.42, 172.217.17.74, 172.217.17.46, 88.221.134.155, 88.221.134.209
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, incoming.telemetry.mozilla.org, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.129.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.116.198.130
	Evjm8L1nEb.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	Pe4905VGl1.bat	Get hash	malicious	AsyncRAT	Browse	34.117.59.81
	Evjm8L1nEb.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	http://www.urbanerecycling.com	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	34.174.208.6
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	la.bot.arm7.elf	Get hash	malicious	Unknown	Browse	34.19.186.170
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	56.84.150.205
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	56.27.71.122
FASTLYUS	xeno.bat	Get hash	malicious	Unknown	Browse	185.199.110.133
	http://www.urbanerecycling.com	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	151.101.65.229
	https://clickme.thryv.com/ls/click?upn=u001.dxrPihnXBHUGsddmpkmwUOT9H2uuoftUJgS1ImyDp5PjZ7uor3Bx5LY8846lufrxOd-2B-2FCl5NSKC1v9uXskdIrA-3D-3DPV4X_Uxfyb-2FV90WCSGuHCd77YDe2QH-2FfxD2e5Op8ULStuWwSYUM08QLuqWk0rbdQO8p2GP5XR1Nwn9dFZi5DaOMyz92mdTvaHywQzrJIxcHTOEjrrUNll1a6cdLHKylkZo7LdScnRC-2F7iC6hnMEdduqsWXASxbd-2BZeaoWZvCDaIudlukgt9S3uZsKQeBP86XSjGCyt8CMjRvxL6j1Dyr0eym46qao7knFO6iIo9LZAeoxbyu5E6pzhyc9-2F2VP-2BlZM3Ea-2B-2FiBNpyPNxcoMEQ2om5Ig-2F7RZ8WTAt-2F5MxtsslPlJve5tzpsISP74pi-2B8USUpl-2BAaEmzHGUoeKWRMyxJH35FiSw-3D-3D	Get hash	malicious	Unknown	Browse	151.101.66.137
	AccountDocuments - christinal.docx	Get hash	malicious	Unknown	Browse	199.232.214.172
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	https://eastmancuts.jimdosite.com/	Get hash	malicious	Unknown	Browse	151.101.130.79
	https://www.google.com/url?q=https://clickme.thryv.com/ls/click?upn%3Du001.3HlspJ5fg-2BP4CQkV7GSVhvWTpgC6w0k7sA8b2Z9JBYU9BEMXtqHWLHW9PPcpforJszQ3_jzclrAiO28PBUU1ZLf2yC1YJEF5Rt8zDnz4yKbEuFqXf3c0fVOhzL2fXxOYix3CjCrzlLwoIPSXb9PavK50mtpdK-2FWF7thydb3q6E5ptEQiOVUz527Ewi1t813S-2FHejAJLe09fD2VqgM8mtwuQZA9i83VLkCPF4iItCSPXKUpNgWQKWxjEO6jlBp5GYVLghrpKcDuea5GONmLMVlbh4fQe7dtjhTFxxxExxfN1kv5tnx1PPl9DjYIyE468wz1qa1Z-2FWJgZrJbIFEpqhd4o5tGGyUoiPcIot5l2j9dpjy7QKj99ZiCz-2BBLi5dHUIl8gC4RxZBl-2FMaH4IZlQyWpqM-2BtZ9uE3ezFUl2fORMwAp4lQk-3D%23Cjanetrosenbach@imageindustries.com&source=gmail-imap&ust=1733149343000000&usg=AOvVaw1uIAp-JnZbTlkY9Td9ZLJj	Get hash	malicious	HTMLPhisher	Browse	151.101.66.137
	http://nakheel.com.staffrecords-2024auaqc-iqodlfdhb.copypremium.com/?staffrecords/2024/=c2FiaWthLmFiaWRAbmFraGVlbC5jb20=	Get hash	malicious	Unknown	Browse	151.101.194.137
ATGS-MMD-ASUS	http://www.urbanerecycling.com	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	34.174.208.6
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	la.bot.arm7.elf	Get hash	malicious	Unknown	Browse	34.19.186.170
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	56.84.150.205
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	56.27.71.122

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_efcf6b67-e024-4947-aab9-07095241970c.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	8056
Entropy (8bit):	5.183285011830416
Encrypted:	false
SSDEEP:	192:ef99wMXScHcbhbVbTbfbRbObtbyEl7n4rNJA6unSrDtTkdmSu:W9brcNhnzFSJYrI1nSrDhkdmr
MD5:	41C62C0B4C5EEF7B161A36ABD90DE237
SHA1:	B22B7DF57F7D9E3EC5A5B7074806EEDB64EC971A
SHA-256:	3A63E779D2C72F9181EE25560F827D11FB92BBB192A094F24E209C18A8AF965F
SHA-512:	DCC9BF2AAB34DCCA5A015236519877A7C7401CD88CBD098508CD4CDAAF33901195BFEF2DCCD64F6804A2EF7F0FA0337F9A5FDDB1AB0A550FF630447780224CEB
Malicious:	false
Preview:	{"type":"uninstall","id":"efcf6b67-e024-4947-aab9-07095241970c","creationDate":"2024-11-25T19:35:30.454Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"965729a8-84e4-4cad-a75d-ac8181902c4b","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_efcf6b67-e024-4947-aab9-07095241970c.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	8056
Entropy (8bit):	5.183285011830416
Encrypted:	false
SSDEEP:	192:ef99wMXScHcbhbVbTbfbRbObtbyEl7n4rNJA6unSrDtTkdmSu:W9brcNhnzFSJYrI1nSrDhkdmr
MD5:	41C62C0B4C5EEF7B161A36ABD90DE237
SHA1:	B22B7DF57F7D9E3EC5A5B7074806EEDB64EC971A
SHA-256:	3A63E779D2C72F9181EE25560F827D11FB92BBB192A094F24E209C18A8AF965F
SHA-512:	DCC9BF2AAB34DCCA5A015236519877A7C7401CD88CBD098508CD4CDAAF33901195BFEF2DCCD64F6804A2EF7F0FA0337F9A5FDDB1AB0A550FF630447780224CEB
Malicious:	false
Preview:	{"type":"uninstall","id":"efcf6b67-e024-4947-aab9-07095241970c","creationDate":"2024-11-25T19:35:30.454Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"965729a8-84e4-4cad-a75d-ac8181902c4b","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3130382360436244
Encrypted:	false
SSDEEP:	24:t+0dfyeAvTIUx2dWoM155LN8zm2+0dfyeAvswM+bpoqdWoM155LFX1Rgmc+0dfyV:c0dW0UgdwyzC0dW46Bdw+o0dW4adwM1
MD5:	AE85FA206EC6487F7162E454BB4FEE9E
SHA1:	0FE17EF94172D6D55D01AF037AC96F37F1552356
SHA-256:	9091CA95251F93B45C6D1B625A277F4BA43F99D5AC87FD31CB21CA3C1E319C55
SHA-512:	C004717024ECAAF57C51B2EC1CD3C3A8338D12C3CABEB0330B9C408B3A5C021F3383F284AFE006D1AE26319CD8D44A68AA79C228A082C02CD9F6972BD1BBB781
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.........)\|`?..........S...........................P.O. .:i.....+00.../C:\.....................1.....EW)C..PROGRA~1..t......O.IyYs.....B...............J.....V...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WyYs.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WyYs...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z..............N.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3130382360436244
Encrypted:	false
SSDEEP:	24:t+0dfyeAvTIUx2dWoM155LN8zm2+0dfyeAvswM+bpoqdWoM155LFX1Rgmc+0dfyV:c0dW0UgdwyzC0dW46Bdw+o0dW4adwM1
MD5:	AE85FA206EC6487F7162E454BB4FEE9E
SHA1:	0FE17EF94172D6D55D01AF037AC96F37F1552356
SHA-256:	9091CA95251F93B45C6D1B625A277F4BA43F99D5AC87FD31CB21CA3C1E319C55
SHA-512:	C004717024ECAAF57C51B2EC1CD3C3A8338D12C3CABEB0330B9C408B3A5C021F3383F284AFE006D1AE26319CD8D44A68AA79C228A082C02CD9F6972BD1BBB781
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.........)\|`?..........S...........................P.O. .:i.....+00.../C:\.....................1.....EW)C..PROGRA~1..t......O.IyYs.....B...............J.....V...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WyYs.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WyYs...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z..............N.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9Q4ZY7ZCY6QEXJRRCFZG.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	modified
Size (bytes):	5488
Entropy (8bit):	3.3130382360436244
Encrypted:	false
SSDEEP:	24:t+0dfyeAvTIUx2dWoM155LN8zm2+0dfyeAvswM+bpoqdWoM155LFX1Rgmc+0dfyV:c0dW0UgdwyzC0dW46Bdw+o0dW4adwM1
MD5:	AE85FA206EC6487F7162E454BB4FEE9E
SHA1:	0FE17EF94172D6D55D01AF037AC96F37F1552356
SHA-256:	9091CA95251F93B45C6D1B625A277F4BA43F99D5AC87FD31CB21CA3C1E319C55
SHA-512:	C004717024ECAAF57C51B2EC1CD3C3A8338D12C3CABEB0330B9C408B3A5C021F3383F284AFE006D1AE26319CD8D44A68AA79C228A082C02CD9F6972BD1BBB781
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.........)\|`?..........S...........................P.O. .:i.....+00.../C:\.....................1.....EW)C..PROGRA~1..t......O.IyYs.....B...............J.....V...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WyYs.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WyYs...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z..............N.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AK6T8FNAI3R5LJ82937N.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3130382360436244
Encrypted:	false
SSDEEP:	24:t+0dfyeAvTIUx2dWoM155LN8zm2+0dfyeAvswM+bpoqdWoM155LFX1Rgmc+0dfyV:c0dW0UgdwyzC0dW46Bdw+o0dW4adwM1
MD5:	AE85FA206EC6487F7162E454BB4FEE9E
SHA1:	0FE17EF94172D6D55D01AF037AC96F37F1552356
SHA-256:	9091CA95251F93B45C6D1B625A277F4BA43F99D5AC87FD31CB21CA3C1E319C55
SHA-512:	C004717024ECAAF57C51B2EC1CD3C3A8338D12C3CABEB0330B9C408B3A5C021F3383F284AFE006D1AE26319CD8D44A68AA79C228A082C02CD9F6972BD1BBB781
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.........)\|`?..........S...........................P.O. .:i.....+00.../C:\.....................1.....EW)C..PROGRA~1..t......O.IyYs.....B...............J.....V...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WyYs.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WyYs...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z..............N.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6150
Entropy (8bit):	4.943522667085511
Encrypted:	false
SSDEEP:	192:7LFS+O1U6OdwiOdEiVoslH5jV/ZiwBhZ08jzLYM+8P:N5dimslH5jVhiwBrl
MD5:	AC80E3B5E45E6439CE80877983C4EF7F
SHA1:	CD1110CB5E9F7BCB26A073F5F0E7CE19C6C28A0B
SHA-256:	B546A753F36C58F27AED354D127420FC19A9D212C1BE2899A01846CFA76990F4
SHA-512:	E27B48CE8A2D4175F289BEC46DD2D05ECEB628B007996ED88909BFC720C96A64522FC19BCE9CAE55C4FD93A9752C236F4BF7EF36DAFFCE50E1EA2125A71592B0
Malicious:	false
Preview:	{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"fbda1f9b-e03c-4207-94bb-3e5ec8a299dc","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T08:19:30.130Z","featureIds":["bookmarks"],"prefs":[],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"cdbde02e-86fb-4899-ad8a-776106784576","experimentType":"r

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6150
Entropy (8bit):	4.943522667085511
Encrypted:	false
SSDEEP:	192:7LFS+O1U6OdwiOdEiVoslH5jV/ZiwBhZ08jzLYM+8P:N5dimslH5jVhiwBrl
MD5:	AC80E3B5E45E6439CE80877983C4EF7F
SHA1:	CD1110CB5E9F7BCB26A073F5F0E7CE19C6C28A0B
SHA-256:	B546A753F36C58F27AED354D127420FC19A9D212C1BE2899A01846CFA76990F4
SHA-512:	E27B48CE8A2D4175F289BEC46DD2D05ECEB628B007996ED88909BFC720C96A64522FC19BCE9CAE55C4FD93A9752C236F4BF7EF36DAFFCE50E1EA2125A71592B0
Malicious:	false
Preview:	{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"fbda1f9b-e03c-4207-94bb-3e5ec8a299dc","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T08:19:30.130Z","featureIds":["bookmarks"],"prefs":[],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"cdbde02e-86fb-4899-ad8a-776106784576","experimentType":"r

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5320
Entropy (8bit):	6.6042106566953995
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMggiA:zTx2x2t0FDJ4NpkuvjdeplTMp
MD5:	E3E09D3A459131D9A796509E2B74622E
SHA1:	5EA797BF89A9F3FA6D145C5050B65A5789D26684
SHA-256:	56940DF1F209C1289E1FCBDB353AA3308581F3469325BC01584C3C8CC86E09C9
SHA-512:	7F0DA23EC0F97E0D58DB3B6DB6D2FFBAC077847B8C460F18F03CFA0611B313C6A32854E2F8904443DF257960C6FA81F4B1D19409E489488D49963962E338486F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5320
Entropy (8bit):	6.6042106566953995
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMggiA:zTx2x2t0FDJ4NpkuvjdeplTMp
MD5:	E3E09D3A459131D9A796509E2B74622E
SHA1:	5EA797BF89A9F3FA6D145C5050B65A5789D26684
SHA-256:	56940DF1F209C1289E1FCBDB353AA3308581F3469325BC01584C3C8CC86E09C9
SHA-512:	7F0DA23EC0F97E0D58DB3B6DB6D2FFBAC077847B8C460F18F03CFA0611B313C6A32854E2F8904443DF257960C6FA81F4B1D19409E489488D49963962E338486F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185849187264327
Encrypted:	false
SSDEEP:	768:0I4nvfwkXU4y6f4k4oB4a4IPN84I4/4uw4J424qF4g:0NPa45
MD5:	6C3BE83A836C11F0781A28C5C276611E
SHA1:	826B42D0E82A04A59A96150A478A9C63172B7506
SHA-256:	FB38EDAD3460F248967331080F6C398248DBC215D16E4BAB3E31CE260E1176B7
SHA-512:	EA67C9DF14F00A17C3044EE63DAFA9E7FA9A4B0F04A4D98CC19F2C9794D6D9A215323E13AD354AF60DE1F31288C565EE4455CFE3B9B8F2877DEF20A4151D4921
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{fc425cd7-ddd8-48c7-9e11-c0b9f650e5fa}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185849187264327
Encrypted:	false
SSDEEP:	768:0I4nvfwkXU4y6f4k4oB4a4IPN84I4/4uw4J424qF4g:0NPa45
MD5:	6C3BE83A836C11F0781A28C5C276611E
SHA1:	826B42D0E82A04A59A96150A478A9C63172B7506
SHA-256:	FB38EDAD3460F248967331080F6C398248DBC215D16E4BAB3E31CE260E1176B7
SHA-512:	EA67C9DF14F00A17C3044EE63DAFA9E7FA9A4B0F04A4D98CC19F2C9794D6D9A215323E13AD354AF60DE1F31288C565EE4455CFE3B9B8F2877DEF20A4151D4921
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{fc425cd7-ddd8-48c7-9e11-c0b9f650e5fa}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07323685731937633
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki:DLhesh7Owd4+ji
MD5:	190593619C40E18D339D291DFD7BDB66
SHA1:	F7600DDAE522A25183AD5268FF2CD39DC50118AE
SHA-256:	D9D436C5CDAEA28736346B849B6FED330A482F0614DB6EA42294AF316959A52E
SHA-512:	53010010890A8086C55FD9CC2F70F1577CE1E58543CEDF74B7F31BB9D21430FB0B8CDA4E4F00ADE58BA0B4EAF5583B532575F7C8836F35C1D92DF1824B348B04
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.03933044638635293
Encrypted:	false
SSDEEP:	3:GHlhVibWIL5BbTAlhVibWIL5BbTvol8a9//Ylll4llqlyllel4lt:G7ViyILvUViyILvAL9XIwlio
MD5:	7D3705681FCAF6706F4E6FEEB8B15C2F
SHA1:	841D9D01648DAC46602758D25D88C0728FF52A1B
SHA-256:	AE5AD83D3E66F8CAE6344B43B567354B33F086B7C6825172DEB135AB78E7C6C3
SHA-512:	B197AE2287D624B0E6B426AD24D56E4D1DC8A042A0AEC239144B172FFF7503E5FF7C038A9BE49323C866E090747D0F5E0FBA1ED397F192F81027E4DDB7C57BC9
Malicious:	false
Preview:	..-.....................O.:..m0D....=..$6^....m...-.....................O.:..m0D....=..$6^....m.........................................................'...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	163992
Entropy (8bit):	0.10453944383151144
Encrypted:	false
SSDEEP:	24:KM0Ek4/LxsvYCFoxsMltHWUCVCCQE/QKCHCnxsaJqOpwliL2izu:B04lqNIJtHW+RMVJxS0A
MD5:	54CF06E24BA08459FDD81B49027CD3AF
SHA1:	4E7505F68B9406739677BECA40AEDC140AF77F95
SHA-256:	DC55826DA2AE30985FA1D5AD5A21DBC86EC4A6F1EF68AA3F905B86021B02EB2D
SHA-512:	0F07D255035882B01F55380ED947605B52010D05664953E57C3FF1F0AF1FC5EC9EFDDD58B7ACDF97D7DBE4FEE62D3EDBD1E7F4F3045C273FDCC75069D5A0F890
Malicious:	false
Preview:	7....-..............=..$m...J...............=..$.Q.k^b@.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1765), with CRLF line terminators
Category:	dropped
Size (bytes):	13820
Entropy (8bit):	5.469111425941818
Encrypted:	false
SSDEEP:	192:NzMneRdIYbBp6LnmUzaXc6aRoiKWPa40p5RDNBw8d49mSl:NzyeomUYxXDXrwHw0
MD5:	AE9BB511E37E34FFF411E8DE698B8C02
SHA1:	9C8C18C6FF2EAA253944EE71A341DF6EE32D4CD8
SHA-256:	A9991809D08AF045F10AF88A305A58331CEA0C93F80774B100BE5807A1CC7F20
SHA-512:	CA0A7043F1940E5C99729243BD2E6CB6B9CF986CD1EC8CA77EBDE5319E4491C43EB2C7F51FD0AB9EB08CDA54207B2C417259F5BFDD673DE5D955616F146ABC42
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "38829aa4-f57e-4fd8-bfd3-d094d57ae30f");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732563300);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732563300);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732563300);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173256

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1765), with CRLF line terminators
Category:	dropped
Size (bytes):	13820
Entropy (8bit):	5.469111425941818
Encrypted:	false
SSDEEP:	192:NzMneRdIYbBp6LnmUzaXc6aRoiKWPa40p5RDNBw8d49mSl:NzyeomUYxXDXrwHw0
MD5:	AE9BB511E37E34FFF411E8DE698B8C02
SHA1:	9C8C18C6FF2EAA253944EE71A341DF6EE32D4CD8
SHA-256:	A9991809D08AF045F10AF88A305A58331CEA0C93F80774B100BE5807A1CC7F20
SHA-512:	CA0A7043F1940E5C99729243BD2E6CB6B9CF986CD1EC8CA77EBDE5319E4491C43EB2C7F51FD0AB9EB08CDA54207B2C417259F5BFDD673DE5D955616F146ABC42
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "38829aa4-f57e-4fd8-bfd3-d094d57ae30f");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732563300);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732563300);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732563300);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173256

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1567
Entropy (8bit):	6.337665675092913
Encrypted:	false
SSDEEP:	24:v+USUGlcAxS5WLXnIgpt/pnxQwRlszT5sKDq63eHVY+qo+pTramhujJvyODoxLv7:GUpOxwWtnR6rt3epfyTr4JadRFiw
MD5:	0B5A7CC3D9377C9397BD2566FD9C7665
SHA1:	DCDC1A125B45B7FA7FE430D48C6EA88FC3FAF5E7
SHA-256:	8A1C9AC0357DB1324F76E0832529A60E8901F417B495E1987A94EE868B66ACDE
SHA-512:	E8CDE2C46DEC8350F4841F3C8FDACD56E3DC2186C670532B92468EB74BC7CA4E2C65E68A7AD11142DAA5CA710640B2E93F06CD29E0F7DEACA058C0F205FBE97C
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{9c539ab8-b542-4908-9e69-60f07a6b76cc}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732563305092,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...890d5fc3-0c4c-4214-a93a-b8e730a022a1","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..`270137...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A4a32081674711da8c0af7e7198f4a549116c7011a74775b8dc2ae1b10b859df4","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry..@2832..xoriginA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1567
Entropy (8bit):	6.337665675092913
Encrypted:	false
SSDEEP:	24:v+USUGlcAxS5WLXnIgpt/pnxQwRlszT5sKDq63eHVY+qo+pTramhujJvyODoxLv7:GUpOxwWtnR6rt3epfyTr4JadRFiw
MD5:	0B5A7CC3D9377C9397BD2566FD9C7665
SHA1:	DCDC1A125B45B7FA7FE430D48C6EA88FC3FAF5E7
SHA-256:	8A1C9AC0357DB1324F76E0832529A60E8901F417B495E1987A94EE868B66ACDE
SHA-512:	E8CDE2C46DEC8350F4841F3C8FDACD56E3DC2186C670532B92468EB74BC7CA4E2C65E68A7AD11142DAA5CA710640B2E93F06CD29E0F7DEACA058C0F205FBE97C
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{9c539ab8-b542-4908-9e69-60f07a6b76cc}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732563305092,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...890d5fc3-0c4c-4214-a93a-b8e730a022a1","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..`270137...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A4a32081674711da8c0af7e7198f4a549116c7011a74775b8dc2ae1b10b859df4","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry..@2832..xoriginA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1567
Entropy (8bit):	6.337665675092913
Encrypted:	false
SSDEEP:	24:v+USUGlcAxS5WLXnIgpt/pnxQwRlszT5sKDq63eHVY+qo+pTramhujJvyODoxLv7:GUpOxwWtnR6rt3epfyTr4JadRFiw
MD5:	0B5A7CC3D9377C9397BD2566FD9C7665
SHA1:	DCDC1A125B45B7FA7FE430D48C6EA88FC3FAF5E7
SHA-256:	8A1C9AC0357DB1324F76E0832529A60E8901F417B495E1987A94EE868B66ACDE
SHA-512:	E8CDE2C46DEC8350F4841F3C8FDACD56E3DC2186C670532B92468EB74BC7CA4E2C65E68A7AD11142DAA5CA710640B2E93F06CD29E0F7DEACA058C0F205FBE97C
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{9c539ab8-b542-4908-9e69-60f07a6b76cc}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732563305092,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...890d5fc3-0c4c-4214-a93a-b8e730a022a1","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..`270137...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A4a32081674711da8c0af7e7198f4a549116c7011a74775b8dc2ae1b10b859df4","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry..@2832..xoriginA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 4, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.042811512334329
Encrypted:	false
SSDEEP:	24:JBkSldh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jkSWEUo9LXtR+JdkOnohYsl
MD5:	21235938025E2102017AC8C9748948A4
SHA1:	A1EED1C4588724A8396C95FC9923C0A33B360FF8
SHA-256:	E34B06B180E3F73DC8E441650BB7FE694A9D58E927412D6ED40B0852B784824E
SHA-512:	D334B419A2A75179C17D7F53BF65FCC132ADE03B21059F0007ACDBB08284A281D8CE1C1CC598E6A070024D0DAE158E2E9618E121342BE068E87A051FE33D6061
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4411
Entropy (8bit):	5.0117370187269765
Encrypted:	false
SSDEEP:	48:YrSAY3wudxUQZpExB1+anOpWZOVhFu1VuWxzzcsYMsku7f86SLAVL7DV9F5FtsfH:yc3wMTEr5RXxzzcBvbw6KkjVrrc2Rn27
MD5:	8EB4A9F17DCB6F9AEBEDC13ECDD97396
SHA1:	9276CD94BCCF8419CA2A1D8AA652365492C2E936
SHA-256:	9450472D486A8326325557AAE82F00098BA07B0F2FAB53DF38013ECDA5796C4A
SHA-512:	A99F8A4798E4564F9B0C434D35CE49493E62BFD46FA1C1A8076887F792C2A9C79BEA686F9B03732D5E38B00DC1F2713EA8FC8FA5BFDD99385BB16F27EF90A8FB
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-25T19:34:49.369Z","profileAgeCreated":1696493964214,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4411
Entropy (8bit):	5.0117370187269765
Encrypted:	false
SSDEEP:	48:YrSAY3wudxUQZpExB1+anOpWZOVhFu1VuWxzzcsYMsku7f86SLAVL7DV9F5FtsfH:yc3wMTEr5RXxzzcBvbw6KkjVrrc2Rn27
MD5:	8EB4A9F17DCB6F9AEBEDC13ECDD97396
SHA1:	9276CD94BCCF8419CA2A1D8AA652365492C2E936
SHA-256:	9450472D486A8326325557AAE82F00098BA07B0F2FAB53DF38013ECDA5796C4A
SHA-512:	A99F8A4798E4564F9B0C434D35CE49493E62BFD46FA1C1A8076887F792C2A9C79BEA686F9B03732D5E38B00DC1F2713EA8FC8FA5BFDD99385BB16F27EF90A8FB
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-25T19:34:49.369Z","profileAgeCreated":1696493964214,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.591462798180881
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	922'112 bytes
MD5:	f7efae8e18598bad4b7edc75a514c644
SHA1:	79ce40b967015b1cc1037e559166d4594220bdfe
SHA256:	e783412a767b1986a491ca58c455349e569fe078a1c03e9993d6c02ef459cc8b
SHA512:	cee4fd112345c70bf55854c850ade99fc796c983add5ed1348a1ccb0d7bac616a155377fde21b026bc8631d3f7bbe9cd57c4e9f7b7ef35a4b3bba20e501f499c
SSDEEP:	12288:nqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaaTMj:nqDEvCTbMWu7rQYlBQcBiT6rprG8aqY
TLSH:	D8159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13A81D79BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6744AD8F [Mon Nov 25 17:02:07 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FB5A901A173h
jmp 00007FB5A9019A7Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FB5A9019C5Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FB5A9019C2Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FB5A901C81Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FB5A901C868h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FB5A901C851h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xa72c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdf000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xa72c	0xa800	18db8e34b6ef7225ed085e4d1f73f7b1	False	0.3659551711309524	data	5.6148403036663765	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdf000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x19f4	data			1.0016556291390728
RT_GROUP_ICON	0xde1ac	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xde224	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xde238	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xde24c	0x14	data	English	Great Britain	1.25
RT_VERSION	0xde260	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xde33c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 18:35:43.274036884 CET	49713	443	192.168.2.8	35.190.72.216
Nov 25, 2024 18:35:43.274096966 CET	443	49713	35.190.72.216	192.168.2.8
Nov 25, 2024 18:35:43.274395943 CET	49713	443	192.168.2.8	35.190.72.216
Nov 25, 2024 18:35:43.279218912 CET	49713	443	192.168.2.8	35.190.72.216
Nov 25, 2024 18:35:43.279236078 CET	443	49713	35.190.72.216	192.168.2.8
Nov 25, 2024 18:35:43.290920973 CET	49714	443	192.168.2.8	142.250.181.78
Nov 25, 2024 18:35:43.290951014 CET	443	49714	142.250.181.78	192.168.2.8
Nov 25, 2024 18:35:43.291064024 CET	49715	443	192.168.2.8	142.250.181.78
Nov 25, 2024 18:35:43.291100979 CET	443	49715	142.250.181.78	192.168.2.8
Nov 25, 2024 18:35:43.292737961 CET	49714	443	192.168.2.8	142.250.181.78
Nov 25, 2024 18:35:43.292740107 CET	49715	443	192.168.2.8	142.250.181.78
Nov 25, 2024 18:35:43.296384096 CET	49714	443	192.168.2.8	142.250.181.78
Nov 25, 2024 18:35:43.296400070 CET	443	49714	142.250.181.78	192.168.2.8
Nov 25, 2024 18:35:43.297763109 CET	49715	443	192.168.2.8	142.250.181.78
Nov 25, 2024 18:35:43.297776937 CET	443	49715	142.250.181.78	192.168.2.8
Nov 25, 2024 18:35:44.163284063 CET	49716	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:35:44.163774967 CET	49717	443	192.168.2.8	34.117.188.166
Nov 25, 2024 18:35:44.163815022 CET	443	49717	34.117.188.166	192.168.2.8
Nov 25, 2024 18:35:44.164084911 CET	49717	443	192.168.2.8	34.117.188.166
Nov 25, 2024 18:35:44.166481972 CET	49717	443	192.168.2.8	34.117.188.166
Nov 25, 2024 18:35:44.166497946 CET	443	49717	34.117.188.166	192.168.2.8
Nov 25, 2024 18:35:44.167018890 CET	49718	443	192.168.2.8	34.117.188.166
Nov 25, 2024 18:35:44.167038918 CET	443	49718	34.117.188.166	192.168.2.8
Nov 25, 2024 18:35:44.167248964 CET	49719	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:35:44.167256117 CET	443	49719	35.244.181.201	192.168.2.8
Nov 25, 2024 18:35:44.169095993 CET	49718	443	192.168.2.8	34.117.188.166
Nov 25, 2024 18:35:44.169220924 CET	49719	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:35:44.171410084 CET	49718	443	192.168.2.8	34.117.188.166
Nov 25, 2024 18:35:44.171422958 CET	443	49718	34.117.188.166	192.168.2.8
Nov 25, 2024 18:35:44.171724081 CET	49719	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:35:44.171737909 CET	443	49719	35.244.181.201	192.168.2.8
Nov 25, 2024 18:35:44.285739899 CET	80	49716	34.107.221.82	192.168.2.8
Nov 25, 2024 18:35:44.285834074 CET	49716	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:35:44.285948992 CET	49716	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:35:44.406248093 CET	80	49716	34.107.221.82	192.168.2.8
Nov 25, 2024 18:35:44.651859045 CET	443	49713	35.190.72.216	192.168.2.8
Nov 25, 2024 18:35:44.651948929 CET	49713	443	192.168.2.8	35.190.72.216
Nov 25, 2024 18:35:44.675154924 CET	49713	443	192.168.2.8	35.190.72.216
Nov 25, 2024 18:35:44.675193071 CET	443	49713	35.190.72.216	192.168.2.8
Nov 25, 2024 18:35:44.675393105 CET	49713	443	192.168.2.8	35.190.72.216
Nov 25, 2024 18:35:44.675564051 CET	443	49713	35.190.72.216	192.168.2.8
Nov 25, 2024 18:35:44.675899982 CET	49720	443	192.168.2.8	35.190.72.216
Nov 25, 2024 18:35:44.675950050 CET	443	49720	35.190.72.216	192.168.2.8
Nov 25, 2024 18:35:44.681169033 CET	49713	443	192.168.2.8	35.190.72.216
Nov 25, 2024 18:35:44.681221962 CET	49720	443	192.168.2.8	35.190.72.216
Nov 25, 2024 18:35:44.698174000 CET	49720	443	192.168.2.8	35.190.72.216
Nov 25, 2024 18:35:44.698196888 CET	443	49720	35.190.72.216	192.168.2.8
Nov 25, 2024 18:35:45.135822058 CET	443	49715	142.250.181.78	192.168.2.8
Nov 25, 2024 18:35:45.136303902 CET	49715	443	192.168.2.8	142.250.181.78
Nov 25, 2024 18:35:45.136842966 CET	443	49715	142.250.181.78	192.168.2.8
Nov 25, 2024 18:35:45.137806892 CET	49715	443	192.168.2.8	142.250.181.78
Nov 25, 2024 18:35:45.142273903 CET	49715	443	192.168.2.8	142.250.181.78
Nov 25, 2024 18:35:45.142283916 CET	443	49715	142.250.181.78	192.168.2.8
Nov 25, 2024 18:35:45.142376900 CET	49715	443	192.168.2.8	142.250.181.78
Nov 25, 2024 18:35:45.142456055 CET	443	49715	142.250.181.78	192.168.2.8
Nov 25, 2024 18:35:45.142575979 CET	49715	443	192.168.2.8	142.250.181.78
Nov 25, 2024 18:35:45.327308893 CET	443	49714	142.250.181.78	192.168.2.8
Nov 25, 2024 18:35:45.327419043 CET	49714	443	192.168.2.8	142.250.181.78
Nov 25, 2024 18:35:45.328048944 CET	443	49714	142.250.181.78	192.168.2.8
Nov 25, 2024 18:35:45.328136921 CET	49714	443	192.168.2.8	142.250.181.78
Nov 25, 2024 18:35:45.392743111 CET	80	49716	34.107.221.82	192.168.2.8
Nov 25, 2024 18:35:45.414182901 CET	443	49717	34.117.188.166	192.168.2.8
Nov 25, 2024 18:35:45.414419889 CET	49717	443	192.168.2.8	34.117.188.166
Nov 25, 2024 18:35:45.420325994 CET	443	49718	34.117.188.166	192.168.2.8
Nov 25, 2024 18:35:45.420491934 CET	49718	443	192.168.2.8	34.117.188.166
Nov 25, 2024 18:35:45.445377111 CET	49716	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:35:45.457561970 CET	443	49719	35.244.181.201	192.168.2.8
Nov 25, 2024 18:35:45.457653999 CET	49719	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:35:45.503251076 CET	49719	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:35:45.503309011 CET	443	49719	35.244.181.201	192.168.2.8
Nov 25, 2024 18:35:45.504379034 CET	443	49719	35.244.181.201	192.168.2.8
Nov 25, 2024 18:35:45.508948088 CET	49722	443	192.168.2.8	34.160.144.191
Nov 25, 2024 18:35:45.508985996 CET	443	49722	34.160.144.191	192.168.2.8
Nov 25, 2024 18:35:45.510446072 CET	49722	443	192.168.2.8	34.160.144.191
Nov 25, 2024 18:35:45.511341095 CET	49722	443	192.168.2.8	34.160.144.191
Nov 25, 2024 18:35:45.511351109 CET	443	49722	34.160.144.191	192.168.2.8
Nov 25, 2024 18:35:45.514591932 CET	49714	443	192.168.2.8	142.250.181.78
Nov 25, 2024 18:35:45.514605999 CET	443	49714	142.250.181.78	192.168.2.8
Nov 25, 2024 18:35:45.514754057 CET	49714	443	192.168.2.8	142.250.181.78
Nov 25, 2024 18:35:45.514807940 CET	443	49714	142.250.181.78	192.168.2.8
Nov 25, 2024 18:35:45.515408993 CET	49719	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:35:45.515486002 CET	49719	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:35:45.515677929 CET	49717	443	192.168.2.8	34.117.188.166
Nov 25, 2024 18:35:45.515703917 CET	443	49717	34.117.188.166	192.168.2.8
Nov 25, 2024 18:35:45.515752077 CET	49717	443	192.168.2.8	34.117.188.166
Nov 25, 2024 18:35:45.515872002 CET	443	49719	35.244.181.201	192.168.2.8
Nov 25, 2024 18:35:45.515944004 CET	443	49717	34.117.188.166	192.168.2.8
Nov 25, 2024 18:35:45.516061068 CET	49714	443	192.168.2.8	142.250.181.78
Nov 25, 2024 18:35:45.516073942 CET	49719	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:35:45.516088009 CET	49717	443	192.168.2.8	34.117.188.166
Nov 25, 2024 18:35:45.517304897 CET	49718	443	192.168.2.8	34.117.188.166
Nov 25, 2024 18:35:45.517318964 CET	443	49718	34.117.188.166	192.168.2.8
Nov 25, 2024 18:35:45.517402887 CET	49718	443	192.168.2.8	34.117.188.166
Nov 25, 2024 18:35:45.517947912 CET	443	49718	34.117.188.166	192.168.2.8
Nov 25, 2024 18:35:45.518059015 CET	49718	443	192.168.2.8	34.117.188.166
Nov 25, 2024 18:35:45.568989992 CET	49716	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:35:45.700973034 CET	49723	443	192.168.2.8	34.117.188.166
Nov 25, 2024 18:35:45.701004982 CET	443	49723	34.117.188.166	192.168.2.8
Nov 25, 2024 18:35:45.715055943 CET	49723	443	192.168.2.8	34.117.188.166
Nov 25, 2024 18:35:45.722069979 CET	49723	443	192.168.2.8	34.117.188.166
Nov 25, 2024 18:35:45.722085953 CET	443	49723	34.117.188.166	192.168.2.8
Nov 25, 2024 18:35:45.852683067 CET	80	49716	34.107.221.82	192.168.2.8
Nov 25, 2024 18:35:45.854639053 CET	49716	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:35:45.872529984 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:35:45.872752905 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:35:45.993371010 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:35:45.993459940 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:35:45.993495941 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:35:45.993555069 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:35:45.993655920 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:35:45.993877888 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:35:46.008548021 CET	443	49720	35.190.72.216	192.168.2.8
Nov 25, 2024 18:35:46.008732080 CET	49720	443	192.168.2.8	35.190.72.216
Nov 25, 2024 18:35:46.015542984 CET	49720	443	192.168.2.8	35.190.72.216
Nov 25, 2024 18:35:46.015549898 CET	443	49720	35.190.72.216	192.168.2.8
Nov 25, 2024 18:35:46.015642881 CET	49720	443	192.168.2.8	35.190.72.216
Nov 25, 2024 18:35:46.015822887 CET	443	49720	35.190.72.216	192.168.2.8
Nov 25, 2024 18:35:46.016032934 CET	49720	443	192.168.2.8	35.190.72.216
Nov 25, 2024 18:35:46.114387035 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:35:46.114404917 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:35:46.938136101 CET	443	49722	34.160.144.191	192.168.2.8
Nov 25, 2024 18:35:46.938215971 CET	49722	443	192.168.2.8	34.160.144.191
Nov 25, 2024 18:35:46.942847013 CET	49722	443	192.168.2.8	34.160.144.191
Nov 25, 2024 18:35:46.942853928 CET	443	49722	34.160.144.191	192.168.2.8
Nov 25, 2024 18:35:46.943105936 CET	443	49722	34.160.144.191	192.168.2.8
Nov 25, 2024 18:35:46.946866989 CET	49722	443	192.168.2.8	34.160.144.191
Nov 25, 2024 18:35:46.946980000 CET	49722	443	192.168.2.8	34.160.144.191
Nov 25, 2024 18:35:46.946989059 CET	443	49722	34.160.144.191	192.168.2.8
Nov 25, 2024 18:35:46.947068930 CET	49722	443	192.168.2.8	34.160.144.191
Nov 25, 2024 18:35:47.078135967 CET	443	49723	34.117.188.166	192.168.2.8
Nov 25, 2024 18:35:47.078150988 CET	443	49723	34.117.188.166	192.168.2.8
Nov 25, 2024 18:35:47.078341961 CET	49723	443	192.168.2.8	34.117.188.166
Nov 25, 2024 18:35:47.120573044 CET	49723	443	192.168.2.8	34.117.188.166
Nov 25, 2024 18:35:47.120590925 CET	443	49723	34.117.188.166	192.168.2.8
Nov 25, 2024 18:35:47.120723009 CET	49723	443	192.168.2.8	34.117.188.166
Nov 25, 2024 18:35:47.120829105 CET	443	49723	34.117.188.166	192.168.2.8
Nov 25, 2024 18:35:47.121244907 CET	49726	443	192.168.2.8	34.117.188.166
Nov 25, 2024 18:35:47.121285915 CET	443	49726	34.117.188.166	192.168.2.8
Nov 25, 2024 18:35:47.124114037 CET	49723	443	192.168.2.8	34.117.188.166
Nov 25, 2024 18:35:47.124114990 CET	49726	443	192.168.2.8	34.117.188.166
Nov 25, 2024 18:35:47.126244068 CET	49726	443	192.168.2.8	34.117.188.166
Nov 25, 2024 18:35:47.126255989 CET	443	49726	34.117.188.166	192.168.2.8
Nov 25, 2024 18:35:47.127185106 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:35:47.171302080 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:35:47.181648970 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:35:47.213833094 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:35:48.431881905 CET	443	49726	34.117.188.166	192.168.2.8
Nov 25, 2024 18:35:48.431984901 CET	49726	443	192.168.2.8	34.117.188.166
Nov 25, 2024 18:35:48.436711073 CET	49726	443	192.168.2.8	34.117.188.166
Nov 25, 2024 18:35:48.436714888 CET	443	49726	34.117.188.166	192.168.2.8
Nov 25, 2024 18:35:48.436933041 CET	49726	443	192.168.2.8	34.117.188.166
Nov 25, 2024 18:35:48.437084913 CET	443	49726	34.117.188.166	192.168.2.8
Nov 25, 2024 18:35:48.437241077 CET	49726	443	192.168.2.8	34.117.188.166
Nov 25, 2024 18:35:49.567745924 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:35:49.569804907 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:35:49.688425064 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:35:49.690380096 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:35:49.915391922 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:35:49.917165995 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:35:49.975895882 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:35:49.975931883 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:35:53.351061106 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:35:53.471976042 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:35:53.692298889 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:35:53.735932112 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:35:54.008677959 CET	49731	443	192.168.2.8	34.107.243.93
Nov 25, 2024 18:35:54.008701086 CET	443	49731	34.107.243.93	192.168.2.8
Nov 25, 2024 18:35:54.017388105 CET	49731	443	192.168.2.8	34.107.243.93
Nov 25, 2024 18:35:54.018829107 CET	49731	443	192.168.2.8	34.107.243.93
Nov 25, 2024 18:35:54.018840075 CET	443	49731	34.107.243.93	192.168.2.8
Nov 25, 2024 18:35:55.246797085 CET	443	49731	34.107.243.93	192.168.2.8
Nov 25, 2024 18:35:55.246814013 CET	443	49731	34.107.243.93	192.168.2.8
Nov 25, 2024 18:35:55.246876955 CET	49731	443	192.168.2.8	34.107.243.93
Nov 25, 2024 18:35:55.458498001 CET	49731	443	192.168.2.8	34.107.243.93
Nov 25, 2024 18:35:55.458525896 CET	443	49731	34.107.243.93	192.168.2.8
Nov 25, 2024 18:35:55.458605051 CET	49731	443	192.168.2.8	34.107.243.93
Nov 25, 2024 18:35:55.458782911 CET	443	49731	34.107.243.93	192.168.2.8
Nov 25, 2024 18:35:55.465068102 CET	49731	443	192.168.2.8	34.107.243.93
Nov 25, 2024 18:35:55.595571995 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:35:55.739694118 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:35:55.811203957 CET	49732	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:35:55.811244011 CET	443	49732	35.244.181.201	192.168.2.8
Nov 25, 2024 18:35:55.812936068 CET	49732	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:35:55.813198090 CET	49732	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:35:55.813213110 CET	443	49732	35.244.181.201	192.168.2.8
Nov 25, 2024 18:35:55.945259094 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:35:56.000140905 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:35:56.107481956 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:35:56.233875990 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:35:56.447462082 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:35:56.501157999 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:35:57.071151018 CET	49733	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:35:57.071216106 CET	443	49733	34.120.208.123	192.168.2.8
Nov 25, 2024 18:35:57.071748972 CET	49733	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:35:57.073375940 CET	49733	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:35:57.073414087 CET	443	49733	34.120.208.123	192.168.2.8
Nov 25, 2024 18:35:57.127228022 CET	443	49732	35.244.181.201	192.168.2.8
Nov 25, 2024 18:35:57.127358913 CET	49732	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:35:57.132426977 CET	49732	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:35:57.132431984 CET	443	49732	35.244.181.201	192.168.2.8
Nov 25, 2024 18:35:57.133251905 CET	443	49732	35.244.181.201	192.168.2.8
Nov 25, 2024 18:35:57.135719061 CET	49732	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:35:57.135840893 CET	49732	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:35:57.136089087 CET	443	49732	35.244.181.201	192.168.2.8
Nov 25, 2024 18:35:57.136219978 CET	49732	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:35:57.242357969 CET	49734	443	192.168.2.8	34.149.100.209
Nov 25, 2024 18:35:57.242384911 CET	443	49734	34.149.100.209	192.168.2.8
Nov 25, 2024 18:35:57.242465973 CET	49734	443	192.168.2.8	34.149.100.209
Nov 25, 2024 18:35:57.244014025 CET	49734	443	192.168.2.8	34.149.100.209
Nov 25, 2024 18:35:57.244024992 CET	443	49734	34.149.100.209	192.168.2.8
Nov 25, 2024 18:35:57.370099068 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:35:57.493407965 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:35:57.710602045 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:35:57.718076944 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:35:57.758176088 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:35:57.844772100 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:35:58.058425903 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:35:58.105928898 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:35:58.642667055 CET	443	49734	34.149.100.209	192.168.2.8
Nov 25, 2024 18:35:58.642751932 CET	49734	443	192.168.2.8	34.149.100.209
Nov 25, 2024 18:35:58.642913103 CET	443	49733	34.120.208.123	192.168.2.8
Nov 25, 2024 18:35:58.642987013 CET	49733	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:35:59.647089958 CET	49734	443	192.168.2.8	34.149.100.209
Nov 25, 2024 18:35:59.647126913 CET	443	49734	34.149.100.209	192.168.2.8
Nov 25, 2024 18:35:59.647169113 CET	49734	443	192.168.2.8	34.149.100.209
Nov 25, 2024 18:35:59.647284985 CET	49733	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:35:59.647310972 CET	443	49733	34.120.208.123	192.168.2.8
Nov 25, 2024 18:35:59.647357941 CET	49733	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:35:59.647849083 CET	443	49733	34.120.208.123	192.168.2.8
Nov 25, 2024 18:35:59.648154020 CET	49733	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:35:59.648271084 CET	443	49734	34.149.100.209	192.168.2.8
Nov 25, 2024 18:35:59.660495043 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:35:59.662924051 CET	49734	443	192.168.2.8	34.149.100.209
Nov 25, 2024 18:35:59.682337046 CET	49735	443	192.168.2.8	34.149.100.209
Nov 25, 2024 18:35:59.682374954 CET	443	49735	34.149.100.209	192.168.2.8
Nov 25, 2024 18:35:59.683013916 CET	49735	443	192.168.2.8	34.149.100.209
Nov 25, 2024 18:35:59.684789896 CET	49735	443	192.168.2.8	34.149.100.209
Nov 25, 2024 18:35:59.684803009 CET	443	49735	34.149.100.209	192.168.2.8
Nov 25, 2024 18:35:59.781126976 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:35:59.914838076 CET	49736	443	192.168.2.8	34.149.100.209
Nov 25, 2024 18:35:59.914988041 CET	443	49736	34.149.100.209	192.168.2.8
Nov 25, 2024 18:35:59.916090012 CET	49736	443	192.168.2.8	34.149.100.209
Nov 25, 2024 18:35:59.916331053 CET	49736	443	192.168.2.8	34.149.100.209
Nov 25, 2024 18:35:59.916347027 CET	443	49736	34.149.100.209	192.168.2.8
Nov 25, 2024 18:35:59.937630892 CET	49737	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:35:59.937668085 CET	443	49737	34.120.208.123	192.168.2.8
Nov 25, 2024 18:35:59.940118074 CET	49737	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:35:59.941582918 CET	49737	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:35:59.941596031 CET	443	49737	34.120.208.123	192.168.2.8
Nov 25, 2024 18:35:59.988234043 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:35:59.991189003 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:00.049276114 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:00.114988089 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:00.385901928 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:00.428263903 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:00.607964993 CET	49738	443	192.168.2.8	34.107.243.93
Nov 25, 2024 18:36:00.608019114 CET	443	49738	34.107.243.93	192.168.2.8
Nov 25, 2024 18:36:00.611424923 CET	49738	443	192.168.2.8	34.107.243.93
Nov 25, 2024 18:36:00.613024950 CET	49738	443	192.168.2.8	34.107.243.93
Nov 25, 2024 18:36:00.613046885 CET	443	49738	34.107.243.93	192.168.2.8
Nov 25, 2024 18:36:01.033689976 CET	443	49735	34.149.100.209	192.168.2.8
Nov 25, 2024 18:36:01.033776045 CET	49735	443	192.168.2.8	34.149.100.209
Nov 25, 2024 18:36:01.058813095 CET	49735	443	192.168.2.8	34.149.100.209
Nov 25, 2024 18:36:01.058830976 CET	443	49735	34.149.100.209	192.168.2.8
Nov 25, 2024 18:36:01.058928013 CET	49735	443	192.168.2.8	34.149.100.209
Nov 25, 2024 18:36:01.059587002 CET	443	49735	34.149.100.209	192.168.2.8
Nov 25, 2024 18:36:01.059952974 CET	49735	443	192.168.2.8	34.149.100.209
Nov 25, 2024 18:36:01.118762970 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:01.176351070 CET	443	49737	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:01.176424026 CET	49737	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:01.180449963 CET	49737	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:01.180461884 CET	443	49737	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:01.180546999 CET	49737	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:01.180639982 CET	443	49737	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:01.181471109 CET	49737	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:01.183856964 CET	49739	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:01.183883905 CET	443	49739	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:01.184014082 CET	49739	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:01.185424089 CET	49739	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:01.185437918 CET	443	49739	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:01.202222109 CET	443	49736	34.149.100.209	192.168.2.8
Nov 25, 2024 18:36:01.202297926 CET	49736	443	192.168.2.8	34.149.100.209
Nov 25, 2024 18:36:01.204922915 CET	49736	443	192.168.2.8	34.149.100.209
Nov 25, 2024 18:36:01.204932928 CET	443	49736	34.149.100.209	192.168.2.8
Nov 25, 2024 18:36:01.205172062 CET	443	49736	34.149.100.209	192.168.2.8
Nov 25, 2024 18:36:01.207582951 CET	49736	443	192.168.2.8	34.149.100.209
Nov 25, 2024 18:36:01.207669020 CET	49736	443	192.168.2.8	34.149.100.209
Nov 25, 2024 18:36:01.207724094 CET	443	49736	34.149.100.209	192.168.2.8
Nov 25, 2024 18:36:01.207803965 CET	49736	443	192.168.2.8	34.149.100.209
Nov 25, 2024 18:36:01.239152908 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:01.304353952 CET	49740	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:01.304392099 CET	443	49740	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:01.304557085 CET	49741	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:01.304599047 CET	443	49741	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:01.304713011 CET	49742	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:01.304723024 CET	443	49742	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:01.307142973 CET	49741	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:01.307163954 CET	49740	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:01.307163954 CET	49742	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:01.307305098 CET	49740	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:01.307321072 CET	443	49740	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:01.307476997 CET	49742	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:01.307487011 CET	443	49742	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:01.307543993 CET	49741	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:01.307564974 CET	443	49741	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:01.307858944 CET	49743	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:01.307867050 CET	443	49743	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:01.308414936 CET	49743	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:01.308547020 CET	49743	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:01.308559895 CET	443	49743	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:01.446878910 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:01.450573921 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:01.500186920 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:01.606602907 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:01.819930077 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:01.870085955 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:01.896719933 CET	443	49738	34.107.243.93	192.168.2.8
Nov 25, 2024 18:36:01.896822929 CET	49738	443	192.168.2.8	34.107.243.93
Nov 25, 2024 18:36:01.902381897 CET	49738	443	192.168.2.8	34.107.243.93
Nov 25, 2024 18:36:01.902388096 CET	443	49738	34.107.243.93	192.168.2.8
Nov 25, 2024 18:36:01.902502060 CET	49738	443	192.168.2.8	34.107.243.93
Nov 25, 2024 18:36:01.902555943 CET	443	49738	34.107.243.93	192.168.2.8
Nov 25, 2024 18:36:01.902648926 CET	49738	443	192.168.2.8	34.107.243.93
Nov 25, 2024 18:36:02.128113031 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:02.250650883 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:02.454853058 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:02.459168911 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:02.503115892 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:02.586013079 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:02.621119976 CET	443	49739	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:02.621193886 CET	49739	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:02.625339031 CET	49739	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:02.625349045 CET	443	49739	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:02.625462055 CET	49739	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:02.625559092 CET	443	49739	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:02.628366947 CET	49739	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:02.629467010 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:02.731651068 CET	443	49742	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:02.732403040 CET	49742	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:02.736022949 CET	49742	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:02.736032963 CET	443	49742	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:02.736449957 CET	443	49742	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:02.738871098 CET	49742	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:02.739022970 CET	49742	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:02.739064932 CET	443	49742	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:02.739595890 CET	49742	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:02.751821041 CET	443	49740	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:02.751923084 CET	49740	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:02.755341053 CET	49740	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:02.755347013 CET	443	49740	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:02.755580902 CET	443	49740	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:02.755703926 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:02.757371902 CET	49740	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:02.757371902 CET	49740	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:02.757496119 CET	443	49740	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:02.758069992 CET	49740	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:02.758207083 CET	443	49743	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:02.758377075 CET	443	49741	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:02.758424997 CET	49743	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:02.758819103 CET	49741	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:02.761210918 CET	49743	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:02.761224031 CET	443	49743	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:02.761455059 CET	443	49743	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:02.763544083 CET	49741	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:02.763550043 CET	443	49741	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:02.763797998 CET	443	49741	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:02.766623974 CET	49743	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:02.766735077 CET	49743	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:02.766746998 CET	443	49743	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:02.766757965 CET	443	49743	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:02.767000914 CET	49741	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:02.767019033 CET	49741	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:02.767143965 CET	443	49741	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:02.767498970 CET	49741	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:02.802196026 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:02.857409954 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:02.961524963 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:02.965527058 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:02.971334934 CET	443	49743	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:02.971518993 CET	49743	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:03.004565954 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:03.085927010 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:03.299243927 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:03.358863115 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:10.627605915 CET	49745	443	192.168.2.8	34.149.100.209
Nov 25, 2024 18:36:10.627624989 CET	443	49745	34.149.100.209	192.168.2.8
Nov 25, 2024 18:36:10.628232956 CET	49746	443	192.168.2.8	35.190.72.216
Nov 25, 2024 18:36:10.628242016 CET	443	49746	35.190.72.216	192.168.2.8
Nov 25, 2024 18:36:10.630239964 CET	49745	443	192.168.2.8	34.149.100.209
Nov 25, 2024 18:36:10.630377054 CET	49746	443	192.168.2.8	35.190.72.216
Nov 25, 2024 18:36:10.630377054 CET	49745	443	192.168.2.8	34.149.100.209
Nov 25, 2024 18:36:10.630404949 CET	443	49745	34.149.100.209	192.168.2.8
Nov 25, 2024 18:36:10.632900000 CET	49746	443	192.168.2.8	35.190.72.216
Nov 25, 2024 18:36:10.632915020 CET	443	49746	35.190.72.216	192.168.2.8
Nov 25, 2024 18:36:10.761760950 CET	49747	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:36:10.761796951 CET	443	49747	35.244.181.201	192.168.2.8
Nov 25, 2024 18:36:10.762021065 CET	49747	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:36:10.762203932 CET	49747	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:36:10.762217045 CET	443	49747	35.244.181.201	192.168.2.8
Nov 25, 2024 18:36:10.797298908 CET	49748	443	192.168.2.8	35.201.103.21
Nov 25, 2024 18:36:10.797338009 CET	443	49748	35.201.103.21	192.168.2.8
Nov 25, 2024 18:36:10.797436953 CET	49748	443	192.168.2.8	35.201.103.21
Nov 25, 2024 18:36:10.798866034 CET	49748	443	192.168.2.8	35.201.103.21
Nov 25, 2024 18:36:10.798886061 CET	443	49748	35.201.103.21	192.168.2.8
Nov 25, 2024 18:36:10.842951059 CET	49749	443	192.168.2.8	151.101.129.91
Nov 25, 2024 18:36:10.842967033 CET	443	49749	151.101.129.91	192.168.2.8
Nov 25, 2024 18:36:10.843517065 CET	49749	443	192.168.2.8	151.101.129.91
Nov 25, 2024 18:36:10.843662977 CET	49749	443	192.168.2.8	151.101.129.91
Nov 25, 2024 18:36:10.843669891 CET	443	49749	151.101.129.91	192.168.2.8
Nov 25, 2024 18:36:11.867067099 CET	443	49745	34.149.100.209	192.168.2.8
Nov 25, 2024 18:36:11.867172956 CET	49745	443	192.168.2.8	34.149.100.209
Nov 25, 2024 18:36:11.870702982 CET	49745	443	192.168.2.8	34.149.100.209
Nov 25, 2024 18:36:11.870711088 CET	443	49745	34.149.100.209	192.168.2.8
Nov 25, 2024 18:36:11.870996952 CET	443	49745	34.149.100.209	192.168.2.8
Nov 25, 2024 18:36:11.873486042 CET	49745	443	192.168.2.8	34.149.100.209
Nov 25, 2024 18:36:11.873608112 CET	49745	443	192.168.2.8	34.149.100.209
Nov 25, 2024 18:36:11.873631001 CET	443	49745	34.149.100.209	192.168.2.8
Nov 25, 2024 18:36:11.873831987 CET	49745	443	192.168.2.8	34.149.100.209
Nov 25, 2024 18:36:11.877233982 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:11.919153929 CET	443	49746	35.190.72.216	192.168.2.8
Nov 25, 2024 18:36:11.919224024 CET	49746	443	192.168.2.8	35.190.72.216
Nov 25, 2024 18:36:11.924098969 CET	49746	443	192.168.2.8	35.190.72.216
Nov 25, 2024 18:36:11.924107075 CET	443	49746	35.190.72.216	192.168.2.8
Nov 25, 2024 18:36:11.924190998 CET	49746	443	192.168.2.8	35.190.72.216
Nov 25, 2024 18:36:11.924240112 CET	443	49746	35.190.72.216	192.168.2.8
Nov 25, 2024 18:36:11.924901009 CET	49746	443	192.168.2.8	35.190.72.216
Nov 25, 2024 18:36:12.004529953 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:12.013278008 CET	443	49747	35.244.181.201	192.168.2.8
Nov 25, 2024 18:36:12.013416052 CET	49747	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:36:12.018383980 CET	49747	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:36:12.018413067 CET	443	49747	35.244.181.201	192.168.2.8
Nov 25, 2024 18:36:12.018678904 CET	443	49747	35.244.181.201	192.168.2.8
Nov 25, 2024 18:36:12.022439003 CET	49747	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:36:12.022516966 CET	49747	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:36:12.022571087 CET	443	49747	35.244.181.201	192.168.2.8
Nov 25, 2024 18:36:12.025300980 CET	49747	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:36:12.186492920 CET	443	49749	151.101.129.91	192.168.2.8
Nov 25, 2024 18:36:12.186722994 CET	49749	443	192.168.2.8	151.101.129.91
Nov 25, 2024 18:36:12.190310955 CET	49749	443	192.168.2.8	151.101.129.91
Nov 25, 2024 18:36:12.190321922 CET	443	49749	151.101.129.91	192.168.2.8
Nov 25, 2024 18:36:12.190582037 CET	443	49749	151.101.129.91	192.168.2.8
Nov 25, 2024 18:36:12.193214893 CET	49749	443	192.168.2.8	151.101.129.91
Nov 25, 2024 18:36:12.193330050 CET	49749	443	192.168.2.8	151.101.129.91
Nov 25, 2024 18:36:12.193339109 CET	443	49749	151.101.129.91	192.168.2.8
Nov 25, 2024 18:36:12.200970888 CET	49749	443	192.168.2.8	151.101.129.91
Nov 25, 2024 18:36:12.208682060 CET	49750	443	192.168.2.8	34.107.243.93
Nov 25, 2024 18:36:12.208709955 CET	443	49750	34.107.243.93	192.168.2.8
Nov 25, 2024 18:36:12.208787918 CET	49750	443	192.168.2.8	34.107.243.93
Nov 25, 2024 18:36:12.209355116 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:12.210238934 CET	49750	443	192.168.2.8	34.107.243.93
Nov 25, 2024 18:36:12.210251093 CET	443	49750	34.107.243.93	192.168.2.8
Nov 25, 2024 18:36:12.212420940 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:12.229770899 CET	443	49748	35.201.103.21	192.168.2.8
Nov 25, 2024 18:36:12.229871988 CET	49748	443	192.168.2.8	35.201.103.21
Nov 25, 2024 18:36:12.234925032 CET	49748	443	192.168.2.8	35.201.103.21
Nov 25, 2024 18:36:12.234940052 CET	443	49748	35.201.103.21	192.168.2.8
Nov 25, 2024 18:36:12.235021114 CET	49748	443	192.168.2.8	35.201.103.21
Nov 25, 2024 18:36:12.235132933 CET	443	49748	35.201.103.21	192.168.2.8
Nov 25, 2024 18:36:12.236021042 CET	49748	443	192.168.2.8	35.201.103.21
Nov 25, 2024 18:36:12.238754988 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:12.240751028 CET	49751	443	192.168.2.8	34.149.100.209
Nov 25, 2024 18:36:12.240797997 CET	443	49751	34.149.100.209	192.168.2.8
Nov 25, 2024 18:36:12.240938902 CET	49751	443	192.168.2.8	34.149.100.209
Nov 25, 2024 18:36:12.241028070 CET	49751	443	192.168.2.8	34.149.100.209
Nov 25, 2024 18:36:12.241038084 CET	443	49751	34.149.100.209	192.168.2.8
Nov 25, 2024 18:36:12.332726955 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:12.341114998 CET	49752	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:36:12.341154099 CET	443	49752	35.244.181.201	192.168.2.8
Nov 25, 2024 18:36:12.341406107 CET	49753	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:36:12.341433048 CET	443	49753	35.244.181.201	192.168.2.8
Nov 25, 2024 18:36:12.341648102 CET	49754	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:36:12.341656923 CET	443	49754	35.244.181.201	192.168.2.8
Nov 25, 2024 18:36:12.342735052 CET	49752	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:36:12.342827082 CET	49753	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:36:12.342828989 CET	49754	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:36:12.342905998 CET	49752	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:36:12.342931032 CET	443	49752	35.244.181.201	192.168.2.8
Nov 25, 2024 18:36:12.343044043 CET	49753	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:36:12.343053102 CET	443	49753	35.244.181.201	192.168.2.8
Nov 25, 2024 18:36:12.343122959 CET	49754	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:36:12.343132019 CET	443	49754	35.244.181.201	192.168.2.8
Nov 25, 2024 18:36:12.359148979 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:12.547936916 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:12.565387011 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:12.569210052 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:12.605478048 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:12.689599991 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:12.970443964 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:13.022264004 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:13.469274998 CET	443	49750	34.107.243.93	192.168.2.8
Nov 25, 2024 18:36:13.469363928 CET	49750	443	192.168.2.8	34.107.243.93
Nov 25, 2024 18:36:13.475446939 CET	49750	443	192.168.2.8	34.107.243.93
Nov 25, 2024 18:36:13.475462914 CET	443	49750	34.107.243.93	192.168.2.8
Nov 25, 2024 18:36:13.475569963 CET	49750	443	192.168.2.8	34.107.243.93
Nov 25, 2024 18:36:13.475625038 CET	443	49750	34.107.243.93	192.168.2.8
Nov 25, 2024 18:36:13.475819111 CET	49750	443	192.168.2.8	34.107.243.93
Nov 25, 2024 18:36:13.478368998 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:13.561573029 CET	443	49751	34.149.100.209	192.168.2.8
Nov 25, 2024 18:36:13.563090086 CET	49751	443	192.168.2.8	34.149.100.209
Nov 25, 2024 18:36:13.567158937 CET	49751	443	192.168.2.8	34.149.100.209
Nov 25, 2024 18:36:13.567187071 CET	443	49751	34.149.100.209	192.168.2.8
Nov 25, 2024 18:36:13.567447901 CET	443	49751	34.149.100.209	192.168.2.8
Nov 25, 2024 18:36:13.569616079 CET	49751	443	192.168.2.8	34.149.100.209
Nov 25, 2024 18:36:13.569720984 CET	49751	443	192.168.2.8	34.149.100.209
Nov 25, 2024 18:36:13.569801092 CET	443	49751	34.149.100.209	192.168.2.8
Nov 25, 2024 18:36:13.569897890 CET	49751	443	192.168.2.8	34.149.100.209
Nov 25, 2024 18:36:13.598778963 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:13.623054028 CET	443	49752	35.244.181.201	192.168.2.8
Nov 25, 2024 18:36:13.623136997 CET	49752	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:36:13.626251936 CET	49752	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:36:13.626260996 CET	443	49752	35.244.181.201	192.168.2.8
Nov 25, 2024 18:36:13.626523018 CET	443	49752	35.244.181.201	192.168.2.8
Nov 25, 2024 18:36:13.628571033 CET	49752	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:36:13.628583908 CET	443	49753	35.244.181.201	192.168.2.8
Nov 25, 2024 18:36:13.628704071 CET	49752	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:36:13.628707886 CET	443	49752	35.244.181.201	192.168.2.8
Nov 25, 2024 18:36:13.628719091 CET	443	49752	35.244.181.201	192.168.2.8
Nov 25, 2024 18:36:13.629479885 CET	49753	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:36:13.632807970 CET	49753	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:36:13.632817030 CET	443	49753	35.244.181.201	192.168.2.8
Nov 25, 2024 18:36:13.633372068 CET	443	49753	35.244.181.201	192.168.2.8
Nov 25, 2024 18:36:13.634999037 CET	49753	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:36:13.635093927 CET	49753	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:36:13.635188103 CET	443	49753	35.244.181.201	192.168.2.8
Nov 25, 2024 18:36:13.635422945 CET	49753	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:36:13.652236938 CET	443	49754	35.244.181.201	192.168.2.8
Nov 25, 2024 18:36:13.652318954 CET	49754	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:36:13.654700041 CET	49754	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:36:13.654706955 CET	443	49754	35.244.181.201	192.168.2.8
Nov 25, 2024 18:36:13.654941082 CET	443	49754	35.244.181.201	192.168.2.8
Nov 25, 2024 18:36:13.657216072 CET	49754	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:36:13.657322884 CET	49754	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:36:13.657352924 CET	443	49754	35.244.181.201	192.168.2.8
Nov 25, 2024 18:36:13.659874916 CET	49754	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:36:13.803742886 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:13.806840897 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:13.835330009 CET	443	49752	35.244.181.201	192.168.2.8
Nov 25, 2024 18:36:13.835398912 CET	49752	443	192.168.2.8	35.244.181.201
Nov 25, 2024 18:36:13.855876923 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:13.927745104 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:14.161684990 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:14.210105896 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:23.816154957 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:23.936745882 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:24.170540094 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:24.295676947 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:33.640796900 CET	49757	443	192.168.2.8	34.107.243.93
Nov 25, 2024 18:36:33.640851021 CET	443	49757	34.107.243.93	192.168.2.8
Nov 25, 2024 18:36:33.641149998 CET	49757	443	192.168.2.8	34.107.243.93
Nov 25, 2024 18:36:33.642632008 CET	49757	443	192.168.2.8	34.107.243.93
Nov 25, 2024 18:36:33.642648935 CET	443	49757	34.107.243.93	192.168.2.8
Nov 25, 2024 18:36:33.945297003 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:34.067344904 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:34.299586058 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:34.421529055 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:34.921822071 CET	443	49757	34.107.243.93	192.168.2.8
Nov 25, 2024 18:36:34.921933889 CET	49757	443	192.168.2.8	34.107.243.93
Nov 25, 2024 18:36:34.926748037 CET	49757	443	192.168.2.8	34.107.243.93
Nov 25, 2024 18:36:34.926759958 CET	443	49757	34.107.243.93	192.168.2.8
Nov 25, 2024 18:36:34.926863909 CET	49757	443	192.168.2.8	34.107.243.93
Nov 25, 2024 18:36:34.926906109 CET	443	49757	34.107.243.93	192.168.2.8
Nov 25, 2024 18:36:34.927546024 CET	49757	443	192.168.2.8	34.107.243.93
Nov 25, 2024 18:36:34.929333925 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:35.050467968 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:35.255075932 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:35.257707119 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:35.302465916 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:35.378170967 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:35.595158100 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:35.650340080 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:40.793555975 CET	49758	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:40.793596029 CET	443	49758	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:40.793714046 CET	49759	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:40.793747902 CET	443	49759	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:40.793834925 CET	49760	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:40.793879032 CET	443	49760	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:40.793953896 CET	49761	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:40.793993950 CET	443	49761	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:40.794066906 CET	49762	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:40.794076920 CET	443	49762	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:40.794183969 CET	49763	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:40.794192076 CET	443	49763	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:40.794284105 CET	49758	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:40.794296980 CET	49760	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:40.794298887 CET	49761	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:40.794301033 CET	49759	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:40.794444084 CET	49763	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:40.794444084 CET	49762	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:40.794447899 CET	49758	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:40.794461966 CET	443	49758	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:40.794661045 CET	49763	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:40.794672966 CET	443	49763	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:40.794749975 CET	49762	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:40.794765949 CET	443	49762	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:40.794825077 CET	49761	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:40.794831991 CET	443	49761	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:40.794900894 CET	49760	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:40.794914961 CET	443	49760	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:40.794982910 CET	49759	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:40.794994116 CET	443	49759	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:42.086396933 CET	443	49758	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:42.087496996 CET	443	49762	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:42.087791920 CET	49758	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:42.088803053 CET	49762	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:42.090527058 CET	49758	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:42.090538025 CET	443	49758	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:42.090778112 CET	443	49758	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:42.092673063 CET	49762	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:42.092686892 CET	443	49762	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:42.093035936 CET	443	49762	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:42.095416069 CET	49758	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:42.095525026 CET	49758	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:42.095557928 CET	443	49758	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:42.095979929 CET	49764	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:42.096002102 CET	443	49764	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:42.096160889 CET	49762	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:42.096215010 CET	49762	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:42.096352100 CET	443	49762	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:42.096573114 CET	49765	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:42.096607924 CET	443	49765	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:42.096707106 CET	49758	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:42.096708059 CET	49762	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:42.096724987 CET	49764	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:42.096878052 CET	49765	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:42.096880913 CET	49764	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:42.096895933 CET	443	49764	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:42.096949100 CET	49765	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:42.096960068 CET	443	49765	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:42.099915028 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:42.105084896 CET	443	49759	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:42.105313063 CET	49759	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:42.107695103 CET	443	49761	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:42.107841015 CET	49759	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:42.107847929 CET	443	49759	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:42.108063936 CET	443	49759	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:42.108093023 CET	49761	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:42.110219955 CET	49761	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:42.110228062 CET	443	49761	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:42.110451937 CET	443	49761	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:42.111978054 CET	49759	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:42.112073898 CET	49759	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:42.112096071 CET	443	49759	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:42.112509012 CET	49759	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:42.112884045 CET	49761	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:42.112978935 CET	49761	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:42.113063097 CET	443	49761	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:42.113107920 CET	49761	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:42.116821051 CET	443	49760	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:42.116902113 CET	49760	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:42.119323969 CET	49760	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:42.119334936 CET	443	49760	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:42.119659901 CET	443	49760	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:42.120995998 CET	49760	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:42.121092081 CET	49760	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:42.121161938 CET	443	49760	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:42.121234894 CET	49760	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:42.126610994 CET	443	49763	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:42.127046108 CET	49763	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:42.129647970 CET	49763	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:42.129656076 CET	443	49763	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:42.129872084 CET	443	49763	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:42.131819010 CET	49763	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:42.131903887 CET	49763	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:42.131956100 CET	443	49763	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:42.132308960 CET	49763	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:42.222558975 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:42.427350998 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:42.430260897 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:42.469644070 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:42.550762892 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:42.763788939 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:42.824465036 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:43.472733974 CET	443	49765	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:43.473056078 CET	49765	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:43.476843119 CET	49765	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:43.476850033 CET	443	49765	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:43.477235079 CET	443	49765	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:43.479892015 CET	49765	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:43.480057955 CET	49765	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:43.480067968 CET	443	49765	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:43.480305910 CET	49765	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:43.483000040 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:43.514041901 CET	443	49764	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:43.514178038 CET	49764	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:43.517435074 CET	49764	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:43.517445087 CET	443	49764	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:43.517765045 CET	443	49764	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:43.520190001 CET	49764	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:43.520344019 CET	49764	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:43.520349026 CET	443	49764	34.120.208.123	192.168.2.8
Nov 25, 2024 18:36:43.521389008 CET	49764	443	192.168.2.8	34.120.208.123
Nov 25, 2024 18:36:43.603688002 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:43.808444977 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:43.811758041 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:43.858171940 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:43.935811043 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:44.149487019 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:44.190229893 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:53.821260929 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:53.945735931 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:36:54.153486967 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:36:54.274543047 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:37:03.946228027 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:37:04.070204020 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:37:04.284971952 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:37:04.409343958 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:37:14.076463938 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:37:14.197084904 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:37:14.415256023 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:37:14.535650015 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:37:14.937704086 CET	49766	443	192.168.2.8	34.107.243.93
Nov 25, 2024 18:37:14.937736034 CET	443	49766	34.107.243.93	192.168.2.8
Nov 25, 2024 18:37:14.937819004 CET	49766	443	192.168.2.8	34.107.243.93
Nov 25, 2024 18:37:14.939469099 CET	49766	443	192.168.2.8	34.107.243.93
Nov 25, 2024 18:37:14.939480066 CET	443	49766	34.107.243.93	192.168.2.8
Nov 25, 2024 18:37:16.209213972 CET	443	49766	34.107.243.93	192.168.2.8
Nov 25, 2024 18:37:16.214255095 CET	49766	443	192.168.2.8	34.107.243.93
Nov 25, 2024 18:37:16.225836039 CET	49766	443	192.168.2.8	34.107.243.93
Nov 25, 2024 18:37:16.225857019 CET	443	49766	34.107.243.93	192.168.2.8
Nov 25, 2024 18:37:16.225950956 CET	49766	443	192.168.2.8	34.107.243.93
Nov 25, 2024 18:37:16.226006985 CET	443	49766	34.107.243.93	192.168.2.8
Nov 25, 2024 18:37:16.226296902 CET	49766	443	192.168.2.8	34.107.243.93
Nov 25, 2024 18:37:16.228931904 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:37:16.353655100 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:37:16.558587074 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:37:16.578846931 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:37:16.621633053 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:37:16.700613022 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:37:16.927795887 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:37:16.969532967 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:37:26.581260920 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:37:26.702263117 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:37:26.928992033 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:37:27.056185961 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:37:36.710942984 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:37:36.831733942 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:37:37.058875084 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:37:37.179774046 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:37:46.839401960 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:37:46.960000992 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:37:47.187221050 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:37:47.308064938 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:37:56.969106913 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:37:57.096664906 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:37:57.316873074 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:37:57.438988924 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:38:07.097558022 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:38:07.223360062 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:38:07.445293903 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:38:07.568509102 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:38:17.225022078 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:38:17.348345041 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:38:17.594382048 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:38:17.721821070 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:38:27.352777004 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:38:27.473484039 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:38:27.722783089 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:38:27.845072985 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:38:36.773216963 CET	49767	443	192.168.2.8	34.107.243.93
Nov 25, 2024 18:38:36.773312092 CET	443	49767	34.107.243.93	192.168.2.8
Nov 25, 2024 18:38:36.773585081 CET	49767	443	192.168.2.8	34.107.243.93
Nov 25, 2024 18:38:36.778881073 CET	49767	443	192.168.2.8	34.107.243.93
Nov 25, 2024 18:38:36.778913975 CET	443	49767	34.107.243.93	192.168.2.8
Nov 25, 2024 18:38:37.481904984 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:38:37.607379913 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:38:37.851779938 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:38:37.972582102 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:38:38.103069067 CET	443	49767	34.107.243.93	192.168.2.8
Nov 25, 2024 18:38:38.103250980 CET	49767	443	192.168.2.8	34.107.243.93
Nov 25, 2024 18:38:38.108666897 CET	49767	443	192.168.2.8	34.107.243.93
Nov 25, 2024 18:38:38.108680010 CET	443	49767	34.107.243.93	192.168.2.8
Nov 25, 2024 18:38:38.108768940 CET	49767	443	192.168.2.8	34.107.243.93
Nov 25, 2024 18:38:38.108943939 CET	443	49767	34.107.243.93	192.168.2.8
Nov 25, 2024 18:38:38.111368895 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:38:38.127568960 CET	49767	443	192.168.2.8	34.107.243.93
Nov 25, 2024 18:38:38.236177921 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:38:38.442984104 CET	80	49725	34.107.221.82	192.168.2.8
Nov 25, 2024 18:38:38.447299004 CET	49724	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:38:38.490201950 CET	49725	80	192.168.2.8	34.107.221.82
Nov 25, 2024 18:38:38.567931890 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:38:38.780824900 CET	80	49724	34.107.221.82	192.168.2.8
Nov 25, 2024 18:38:38.832789898 CET	49724	80	192.168.2.8	34.107.221.82

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 18:35:43.125751972 CET	50198	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:35:43.126060009 CET	60718	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:35:43.264766932 CET	53	50198	1.1.1.1	192.168.2.8
Nov 25, 2024 18:35:43.290292978 CET	64381	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:35:43.291380882 CET	57666	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:35:43.292057991 CET	53626	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:35:43.435647964 CET	53	64381	1.1.1.1	192.168.2.8
Nov 25, 2024 18:35:43.436568022 CET	53	57666	1.1.1.1	192.168.2.8
Nov 25, 2024 18:35:43.436599970 CET	53	53626	1.1.1.1	192.168.2.8
Nov 25, 2024 18:35:43.438116074 CET	54764	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:35:43.438621044 CET	53568	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:35:43.439551115 CET	50455	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:35:43.456393003 CET	60755	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:35:43.470890999 CET	57573	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:35:43.627756119 CET	53	60755	1.1.1.1	192.168.2.8
Nov 25, 2024 18:35:43.627862930 CET	53	54764	1.1.1.1	192.168.2.8
Nov 25, 2024 18:35:43.628241062 CET	53	50455	1.1.1.1	192.168.2.8
Nov 25, 2024 18:35:43.628509045 CET	53	57573	1.1.1.1	192.168.2.8
Nov 25, 2024 18:35:43.824886084 CET	53	53568	1.1.1.1	192.168.2.8
Nov 25, 2024 18:35:44.165971994 CET	55247	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:35:44.166516066 CET	60831	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:35:44.168422937 CET	49374	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:35:44.305803061 CET	53	55247	1.1.1.1	192.168.2.8
Nov 25, 2024 18:35:44.306471109 CET	55514	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:35:44.307246923 CET	53	60831	1.1.1.1	192.168.2.8
Nov 25, 2024 18:35:44.308007956 CET	61532	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:35:44.309103966 CET	53	49374	1.1.1.1	192.168.2.8
Nov 25, 2024 18:35:44.309649944 CET	60161	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:35:44.444204092 CET	53	55514	1.1.1.1	192.168.2.8
Nov 25, 2024 18:35:44.447880030 CET	53	60161	1.1.1.1	192.168.2.8
Nov 25, 2024 18:35:44.450922012 CET	53	61532	1.1.1.1	192.168.2.8
Nov 25, 2024 18:35:45.145879984 CET	51700	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:35:45.292805910 CET	53	51700	1.1.1.1	192.168.2.8
Nov 25, 2024 18:35:45.498065948 CET	54210	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:35:45.567230940 CET	59379	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:35:45.582895994 CET	54342	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:35:45.643362999 CET	53	54210	1.1.1.1	192.168.2.8
Nov 25, 2024 18:35:45.648931980 CET	53791	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:35:45.689460039 CET	62283	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:35:45.835211039 CET	53	59379	1.1.1.1	192.168.2.8
Nov 25, 2024 18:35:45.869824886 CET	53	54342	1.1.1.1	192.168.2.8
Nov 25, 2024 18:35:45.870702982 CET	53	53791	1.1.1.1	192.168.2.8
Nov 25, 2024 18:35:49.628958941 CET	60332	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:35:49.767257929 CET	53	60332	1.1.1.1	192.168.2.8
Nov 25, 2024 18:35:49.768424988 CET	62628	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:35:50.138550043 CET	53	62628	1.1.1.1	192.168.2.8
Nov 25, 2024 18:35:50.159940004 CET	50970	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:35:50.297750950 CET	53	50970	1.1.1.1	192.168.2.8
Nov 25, 2024 18:35:53.351833105 CET	55364	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:35:53.579912901 CET	61141	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:35:53.722970009 CET	53	61141	1.1.1.1	192.168.2.8
Nov 25, 2024 18:35:53.724056005 CET	56779	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:35:53.869153976 CET	53	56779	1.1.1.1	192.168.2.8
Nov 25, 2024 18:35:53.869811058 CET	57577	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:35:53.987665892 CET	53	62596	1.1.1.1	192.168.2.8
Nov 25, 2024 18:35:54.007850885 CET	53	57577	1.1.1.1	192.168.2.8
Nov 25, 2024 18:35:55.651141882 CET	54032	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:35:55.888643026 CET	53	54032	1.1.1.1	192.168.2.8
Nov 25, 2024 18:35:55.894457102 CET	59500	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:35:56.033058882 CET	53	59500	1.1.1.1	192.168.2.8
Nov 25, 2024 18:35:57.071649075 CET	64364	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:35:57.101424932 CET	50933	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:35:57.209434986 CET	53	64364	1.1.1.1	192.168.2.8
Nov 25, 2024 18:35:57.210473061 CET	54395	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:35:57.240675926 CET	53	50933	1.1.1.1	192.168.2.8
Nov 25, 2024 18:35:57.242394924 CET	60583	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:35:57.356164932 CET	53	54395	1.1.1.1	192.168.2.8
Nov 25, 2024 18:35:57.382313967 CET	53	60583	1.1.1.1	192.168.2.8
Nov 25, 2024 18:35:57.384818077 CET	64309	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:35:57.526299000 CET	53	64309	1.1.1.1	192.168.2.8
Nov 25, 2024 18:36:00.608215094 CET	53988	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:36:00.748967886 CET	53	53988	1.1.1.1	192.168.2.8
Nov 25, 2024 18:36:01.850102901 CET	55789	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:36:01.850217104 CET	50644	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:36:01.850452900 CET	61929	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:36:01.989808083 CET	53	55789	1.1.1.1	192.168.2.8
Nov 25, 2024 18:36:01.990329027 CET	53	50644	1.1.1.1	192.168.2.8
Nov 25, 2024 18:36:01.991096973 CET	53	61929	1.1.1.1	192.168.2.8
Nov 25, 2024 18:36:01.991118908 CET	62022	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:36:01.991903067 CET	55572	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:36:01.993232965 CET	58750	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:36:02.132186890 CET	53	62022	1.1.1.1	192.168.2.8
Nov 25, 2024 18:36:02.132420063 CET	53	55572	1.1.1.1	192.168.2.8
Nov 25, 2024 18:36:02.133934975 CET	53	58750	1.1.1.1	192.168.2.8
Nov 25, 2024 18:36:02.133951902 CET	56386	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:36:02.134443998 CET	58426	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:36:02.134787083 CET	63465	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:36:02.274389029 CET	53	56386	1.1.1.1	192.168.2.8
Nov 25, 2024 18:36:02.275449038 CET	54670	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:36:02.276643038 CET	53	63465	1.1.1.1	192.168.2.8
Nov 25, 2024 18:36:02.277302027 CET	60264	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:36:02.284627914 CET	53	58426	1.1.1.1	192.168.2.8
Nov 25, 2024 18:36:02.421817064 CET	53	60264	1.1.1.1	192.168.2.8
Nov 25, 2024 18:36:02.422419071 CET	53	54670	1.1.1.1	192.168.2.8
Nov 25, 2024 18:36:02.422780037 CET	61195	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:36:02.423515081 CET	59999	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:36:02.567986965 CET	53	61195	1.1.1.1	192.168.2.8
Nov 25, 2024 18:36:02.568759918 CET	62233	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:36:02.661735058 CET	53	59999	1.1.1.1	192.168.2.8
Nov 25, 2024 18:36:02.665772915 CET	64639	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:36:02.715768099 CET	53	62233	1.1.1.1	192.168.2.8
Nov 25, 2024 18:36:02.811579943 CET	53	64639	1.1.1.1	192.168.2.8
Nov 25, 2024 18:36:10.609088898 CET	63690	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:36:10.609915972 CET	62151	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:36:10.630054951 CET	55413	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:36:10.747610092 CET	53	62151	1.1.1.1	192.168.2.8
Nov 25, 2024 18:36:10.796304941 CET	53	55413	1.1.1.1	192.168.2.8
Nov 25, 2024 18:36:10.797816992 CET	58788	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:36:10.841938972 CET	53	63690	1.1.1.1	192.168.2.8
Nov 25, 2024 18:36:10.843447924 CET	53460	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:36:10.939709902 CET	53	58788	1.1.1.1	192.168.2.8
Nov 25, 2024 18:36:10.940320015 CET	56309	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:36:10.999341965 CET	53	53460	1.1.1.1	192.168.2.8
Nov 25, 2024 18:36:11.000278950 CET	50909	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:36:11.185556889 CET	53	56309	1.1.1.1	192.168.2.8
Nov 25, 2024 18:36:11.277096033 CET	53	50909	1.1.1.1	192.168.2.8
Nov 25, 2024 18:36:12.209368944 CET	51064	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:36:12.347191095 CET	53	51064	1.1.1.1	192.168.2.8
Nov 25, 2024 18:36:33.500189066 CET	57159	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:36:33.639766932 CET	53	57159	1.1.1.1	192.168.2.8
Nov 25, 2024 18:36:33.641081095 CET	53462	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:36:33.779366016 CET	53	53462	1.1.1.1	192.168.2.8
Nov 25, 2024 18:36:34.929616928 CET	58568	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:36:40.793801069 CET	58502	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:36:40.933876038 CET	53	58502	1.1.1.1	192.168.2.8
Nov 25, 2024 18:37:14.938247919 CET	56019	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:37:15.080111027 CET	53	56019	1.1.1.1	192.168.2.8
Nov 25, 2024 18:38:36.482551098 CET	50532	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:38:36.627877951 CET	53	50532	1.1.1.1	192.168.2.8
Nov 25, 2024 18:38:36.629839897 CET	50234	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:38:36.772125006 CET	53	50234	1.1.1.1	192.168.2.8
Nov 25, 2024 18:38:36.773473978 CET	58098	53	192.168.2.8	1.1.1.1
Nov 25, 2024 18:38:36.917975903 CET	53	58098	1.1.1.1	192.168.2.8
Nov 25, 2024 18:38:38.112039089 CET	59770	53	192.168.2.8	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 25, 2024 18:35:43.125751972 CET	192.168.2.8	1.1.1.1	0x54e3	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:43.126060009 CET	192.168.2.8	1.1.1.1	0xc341	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:43.290292978 CET	192.168.2.8	1.1.1.1	0x8d1f	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:43.291380882 CET	192.168.2.8	1.1.1.1	0x1530	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:43.292057991 CET	192.168.2.8	1.1.1.1	0xb3a0	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:43.438116074 CET	192.168.2.8	1.1.1.1	0xa460	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 18:35:43.438621044 CET	192.168.2.8	1.1.1.1	0xabe8	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 18:35:43.439551115 CET	192.168.2.8	1.1.1.1	0x7b27	Standard query (0)	youtube.com	28	IN (0x0001)	false
Nov 25, 2024 18:35:43.456393003 CET	192.168.2.8	1.1.1.1	0x7d95	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:43.470890999 CET	192.168.2.8	1.1.1.1	0x2bef	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:44.165971994 CET	192.168.2.8	1.1.1.1	0xa223	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:44.166516066 CET	192.168.2.8	1.1.1.1	0x7e4a	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:44.168422937 CET	192.168.2.8	1.1.1.1	0xae07	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:44.306471109 CET	192.168.2.8	1.1.1.1	0x6295	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 18:35:44.308007956 CET	192.168.2.8	1.1.1.1	0xf80b	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 18:35:44.309649944 CET	192.168.2.8	1.1.1.1	0xa3f	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 18:35:45.145879984 CET	192.168.2.8	1.1.1.1	0x2c3f	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:45.498065948 CET	192.168.2.8	1.1.1.1	0xaad0	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:45.567230940 CET	192.168.2.8	1.1.1.1	0xf20	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:45.582895994 CET	192.168.2.8	1.1.1.1	0xff48	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:45.648931980 CET	192.168.2.8	1.1.1.1	0x8f49	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 18:35:45.689460039 CET	192.168.2.8	1.1.1.1	0xbeb3	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:49.628958941 CET	192.168.2.8	1.1.1.1	0x2924	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:49.768424988 CET	192.168.2.8	1.1.1.1	0xcd6e	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:50.159940004 CET	192.168.2.8	1.1.1.1	0x69c6	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 18:35:53.351833105 CET	192.168.2.8	1.1.1.1	0x76e1	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:53.579912901 CET	192.168.2.8	1.1.1.1	0xcb85	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:53.724056005 CET	192.168.2.8	1.1.1.1	0x629f	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:53.869811058 CET	192.168.2.8	1.1.1.1	0x141a	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 18:35:55.651141882 CET	192.168.2.8	1.1.1.1	0x5e58	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:55.894457102 CET	192.168.2.8	1.1.1.1	0xe1c6	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 18:35:57.071649075 CET	192.168.2.8	1.1.1.1	0x5df2	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:57.101424932 CET	192.168.2.8	1.1.1.1	0xd839	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:57.210473061 CET	192.168.2.8	1.1.1.1	0x90f8	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 18:35:57.242394924 CET	192.168.2.8	1.1.1.1	0x1766	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:57.384818077 CET	192.168.2.8	1.1.1.1	0xdc97	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 18:36:00.608215094 CET	192.168.2.8	1.1.1.1	0x82e	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 18:36:01.850102901 CET	192.168.2.8	1.1.1.1	0x3fc6	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:01.850217104 CET	192.168.2.8	1.1.1.1	0x7d7b	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:01.850452900 CET	192.168.2.8	1.1.1.1	0x6cf1	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:01.991118908 CET	192.168.2.8	1.1.1.1	0xb6db	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:01.991903067 CET	192.168.2.8	1.1.1.1	0xa04a	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:01.993232965 CET	192.168.2.8	1.1.1.1	0x56c4	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:02.133951902 CET	192.168.2.8	1.1.1.1	0x62e2	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Nov 25, 2024 18:36:02.134443998 CET	192.168.2.8	1.1.1.1	0x51c8	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Nov 25, 2024 18:36:02.134787083 CET	192.168.2.8	1.1.1.1	0xdf34	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Nov 25, 2024 18:36:02.275449038 CET	192.168.2.8	1.1.1.1	0x7013	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:02.277302027 CET	192.168.2.8	1.1.1.1	0x7bd0	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:02.422780037 CET	192.168.2.8	1.1.1.1	0x93eb	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:02.423515081 CET	192.168.2.8	1.1.1.1	0x8d9e	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:02.568759918 CET	192.168.2.8	1.1.1.1	0xc04e	Standard query (0)	twitter.com	28	IN (0x0001)	false
Nov 25, 2024 18:36:02.665772915 CET	192.168.2.8	1.1.1.1	0x8baa	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Nov 25, 2024 18:36:10.609088898 CET	192.168.2.8	1.1.1.1	0x4b76	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:10.609915972 CET	192.168.2.8	1.1.1.1	0x74ec	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 18:36:10.630054951 CET	192.168.2.8	1.1.1.1	0xedde	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:10.797816992 CET	192.168.2.8	1.1.1.1	0xf7b	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:10.843447924 CET	192.168.2.8	1.1.1.1	0x8204	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:10.940320015 CET	192.168.2.8	1.1.1.1	0xd09d	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 18:36:11.000278950 CET	192.168.2.8	1.1.1.1	0x94b	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Nov 25, 2024 18:36:12.209368944 CET	192.168.2.8	1.1.1.1	0xc87b	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 18:36:33.500189066 CET	192.168.2.8	1.1.1.1	0x5c40	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:33.641081095 CET	192.168.2.8	1.1.1.1	0xaaf6	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 18:36:34.929616928 CET	192.168.2.8	1.1.1.1	0x3971	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:40.793801069 CET	192.168.2.8	1.1.1.1	0xea03	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 18:37:14.938247919 CET	192.168.2.8	1.1.1.1	0xd5cc	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 18:38:36.482551098 CET	192.168.2.8	1.1.1.1	0x66a7	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:38:36.629839897 CET	192.168.2.8	1.1.1.1	0xc6	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:38:36.773473978 CET	192.168.2.8	1.1.1.1	0xb41	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 18:38:38.112039089 CET	192.168.2.8	1.1.1.1	0x6449	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 25, 2024 18:35:43.264766932 CET	1.1.1.1	192.168.2.8	0x54e3	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:43.265012026 CET	1.1.1.1	192.168.2.8	0x79cf	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:43.265151978 CET	1.1.1.1	192.168.2.8	0xc341	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 18:35:43.265151978 CET	1.1.1.1	192.168.2.8	0xc341	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:43.435647964 CET	1.1.1.1	192.168.2.8	0x8d1f	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:43.436568022 CET	1.1.1.1	192.168.2.8	0x1530	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:43.436599970 CET	1.1.1.1	192.168.2.8	0xb3a0	No error (0)	youtube.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:43.627756119 CET	1.1.1.1	192.168.2.8	0x7d95	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:43.627862930 CET	1.1.1.1	192.168.2.8	0xa460	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Nov 25, 2024 18:35:43.628241062 CET	1.1.1.1	192.168.2.8	0x7b27	No error (0)	youtube.com			28	IN (0x0001)	false
Nov 25, 2024 18:35:43.628509045 CET	1.1.1.1	192.168.2.8	0x2bef	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 18:35:43.628509045 CET	1.1.1.1	192.168.2.8	0x2bef	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:43.661989927 CET	1.1.1.1	192.168.2.8	0xfee5	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 18:35:43.661989927 CET	1.1.1.1	192.168.2.8	0xfee5	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:44.305803061 CET	1.1.1.1	192.168.2.8	0xa223	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:44.307246923 CET	1.1.1.1	192.168.2.8	0x7e4a	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:44.309103966 CET	1.1.1.1	192.168.2.8	0xae07	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:45.292805910 CET	1.1.1.1	192.168.2.8	0x2c3f	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 18:35:45.292805910 CET	1.1.1.1	192.168.2.8	0x2c3f	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 18:35:45.292805910 CET	1.1.1.1	192.168.2.8	0x2c3f	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:45.643362999 CET	1.1.1.1	192.168.2.8	0xaad0	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:45.835211039 CET	1.1.1.1	192.168.2.8	0xf20	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:45.869824886 CET	1.1.1.1	192.168.2.8	0xff48	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:45.869824886 CET	1.1.1.1	192.168.2.8	0xff48	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:45.870702982 CET	1.1.1.1	192.168.2.8	0x8f49	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Nov 25, 2024 18:35:45.871440887 CET	1.1.1.1	192.168.2.8	0xbeb3	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 18:35:45.871440887 CET	1.1.1.1	192.168.2.8	0xbeb3	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:49.767257929 CET	1.1.1.1	192.168.2.8	0x2924	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 18:35:49.767257929 CET	1.1.1.1	192.168.2.8	0x2924	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 18:35:49.767257929 CET	1.1.1.1	192.168.2.8	0x2924	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:50.138550043 CET	1.1.1.1	192.168.2.8	0xcd6e	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:53.598541021 CET	1.1.1.1	192.168.2.8	0x76e1	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 18:35:53.722970009 CET	1.1.1.1	192.168.2.8	0xcb85	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:53.869153976 CET	1.1.1.1	192.168.2.8	0x629f	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:55.797076941 CET	1.1.1.1	192.168.2.8	0x26b5	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 18:35:55.797076941 CET	1.1.1.1	192.168.2.8	0x26b5	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:55.888643026 CET	1.1.1.1	192.168.2.8	0x5e58	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:57.069899082 CET	1.1.1.1	192.168.2.8	0x589	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:57.209434986 CET	1.1.1.1	192.168.2.8	0x5df2	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:57.240675926 CET	1.1.1.1	192.168.2.8	0xd839	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 18:35:57.240675926 CET	1.1.1.1	192.168.2.8	0xd839	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:57.382313967 CET	1.1.1.1	192.168.2.8	0x1766	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:35:59.802166939 CET	1.1.1.1	192.168.2.8	0x9ebc	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:01.989808083 CET	1.1.1.1	192.168.2.8	0x3fc6	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 18:36:01.989808083 CET	1.1.1.1	192.168.2.8	0x3fc6	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:01.989808083 CET	1.1.1.1	192.168.2.8	0x3fc6	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:01.989808083 CET	1.1.1.1	192.168.2.8	0x3fc6	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:01.989808083 CET	1.1.1.1	192.168.2.8	0x3fc6	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:01.989808083 CET	1.1.1.1	192.168.2.8	0x3fc6	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:01.989808083 CET	1.1.1.1	192.168.2.8	0x3fc6	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:01.989808083 CET	1.1.1.1	192.168.2.8	0x3fc6	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:01.989808083 CET	1.1.1.1	192.168.2.8	0x3fc6	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:01.990329027 CET	1.1.1.1	192.168.2.8	0x7d7b	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 18:36:01.990329027 CET	1.1.1.1	192.168.2.8	0x7d7b	No error (0)	star-mini.c10r.facebook.com		157.240.195.35	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:01.991096973 CET	1.1.1.1	192.168.2.8	0x6cf1	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 18:36:01.991096973 CET	1.1.1.1	192.168.2.8	0x6cf1	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:02.132186890 CET	1.1.1.1	192.168.2.8	0xb6db	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:02.132186890 CET	1.1.1.1	192.168.2.8	0xb6db	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:02.132186890 CET	1.1.1.1	192.168.2.8	0xb6db	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:02.132186890 CET	1.1.1.1	192.168.2.8	0xb6db	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:02.132186890 CET	1.1.1.1	192.168.2.8	0xb6db	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:02.132186890 CET	1.1.1.1	192.168.2.8	0xb6db	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:02.132186890 CET	1.1.1.1	192.168.2.8	0xb6db	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:02.132186890 CET	1.1.1.1	192.168.2.8	0xb6db	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:02.132420063 CET	1.1.1.1	192.168.2.8	0xa04a	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:02.133934975 CET	1.1.1.1	192.168.2.8	0x56c4	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:02.274389029 CET	1.1.1.1	192.168.2.8	0x62e2	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 25, 2024 18:36:02.274389029 CET	1.1.1.1	192.168.2.8	0x62e2	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 25, 2024 18:36:02.274389029 CET	1.1.1.1	192.168.2.8	0x62e2	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 25, 2024 18:36:02.274389029 CET	1.1.1.1	192.168.2.8	0x62e2	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 25, 2024 18:36:02.276643038 CET	1.1.1.1	192.168.2.8	0xdf34	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Nov 25, 2024 18:36:02.284627914 CET	1.1.1.1	192.168.2.8	0x51c8	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Nov 25, 2024 18:36:02.421817064 CET	1.1.1.1	192.168.2.8	0x7bd0	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:02.421817064 CET	1.1.1.1	192.168.2.8	0x7bd0	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:02.421817064 CET	1.1.1.1	192.168.2.8	0x7bd0	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:02.421817064 CET	1.1.1.1	192.168.2.8	0x7bd0	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:02.422419071 CET	1.1.1.1	192.168.2.8	0x7013	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 18:36:02.422419071 CET	1.1.1.1	192.168.2.8	0x7013	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:02.422419071 CET	1.1.1.1	192.168.2.8	0x7013	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:02.422419071 CET	1.1.1.1	192.168.2.8	0x7013	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:02.422419071 CET	1.1.1.1	192.168.2.8	0x7013	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:02.567986965 CET	1.1.1.1	192.168.2.8	0x93eb	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:02.661735058 CET	1.1.1.1	192.168.2.8	0x8d9e	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:02.661735058 CET	1.1.1.1	192.168.2.8	0x8d9e	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:02.661735058 CET	1.1.1.1	192.168.2.8	0x8d9e	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:02.661735058 CET	1.1.1.1	192.168.2.8	0x8d9e	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:10.748672962 CET	1.1.1.1	192.168.2.8	0xee58	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 18:36:10.748672962 CET	1.1.1.1	192.168.2.8	0xee58	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:10.796304941 CET	1.1.1.1	192.168.2.8	0xedde	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 18:36:10.796304941 CET	1.1.1.1	192.168.2.8	0xedde	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:10.841938972 CET	1.1.1.1	192.168.2.8	0x4b76	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:10.841938972 CET	1.1.1.1	192.168.2.8	0x4b76	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:10.841938972 CET	1.1.1.1	192.168.2.8	0x4b76	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:10.841938972 CET	1.1.1.1	192.168.2.8	0x4b76	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:10.939709902 CET	1.1.1.1	192.168.2.8	0xf7b	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:10.999341965 CET	1.1.1.1	192.168.2.8	0x8204	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:10.999341965 CET	1.1.1.1	192.168.2.8	0x8204	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:10.999341965 CET	1.1.1.1	192.168.2.8	0x8204	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:10.999341965 CET	1.1.1.1	192.168.2.8	0x8204	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:11.277096033 CET	1.1.1.1	192.168.2.8	0x94b	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 25, 2024 18:36:11.277096033 CET	1.1.1.1	192.168.2.8	0x94b	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 25, 2024 18:36:11.277096033 CET	1.1.1.1	192.168.2.8	0x94b	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 25, 2024 18:36:11.277096033 CET	1.1.1.1	192.168.2.8	0x94b	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 25, 2024 18:36:12.339833975 CET	1.1.1.1	192.168.2.8	0x4e22	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 18:36:12.339833975 CET	1.1.1.1	192.168.2.8	0x4e22	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:14.227260113 CET	1.1.1.1	192.168.2.8	0xe562	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 18:36:14.227260113 CET	1.1.1.1	192.168.2.8	0xe562	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 18:36:33.639766932 CET	1.1.1.1	192.168.2.8	0x5c40	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:35.070425034 CET	1.1.1.1	192.168.2.8	0x3971	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 18:36:35.070425034 CET	1.1.1.1	192.168.2.8	0x3971	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:36:40.792287111 CET	1.1.1.1	192.168.2.8	0xcf36	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:38:36.627877951 CET	1.1.1.1	192.168.2.8	0x66a7	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:38:36.772125006 CET	1.1.1.1	192.168.2.8	0xc6	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:38:38.268333912 CET	1.1.1.1	192.168.2.8	0x6449	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 18:38:38.268333912 CET	1.1.1.1	192.168.2.8	0x6449	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49716	34.107.221.82	80	8164	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 18:35:44.285948992 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 18:35:45.392743111 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 17:47:27 GMT Age: 85698 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49724	34.107.221.82	80	8164	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 18:35:45.993655920 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 18:35:47.171302080 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 51709 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 18:35:49.567745924 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 18:35:49.917165995 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 51711 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 18:35:53.351061106 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 18:35:53.692298889 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 51715 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 18:35:56.107481956 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 18:35:56.447462082 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 51718 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 18:35:57.718076944 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 18:35:58.058425903 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 51719 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 18:35:59.991189003 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 18:36:00.385901928 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 51722 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 18:36:01.450573921 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 18:36:01.819930077 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 51723 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 18:36:02.459168911 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 18:36:02.802196026 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 51724 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 18:36:02.965527058 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 18:36:03.299243927 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 51725 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 18:36:12.212420940 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 18:36:12.547936916 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 51734 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 18:36:12.569210052 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 18:36:12.970443964 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 51734 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 18:36:13.806840897 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 18:36:14.161684990 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 51735 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 18:36:24.170540094 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 18:36:34.299586058 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 18:36:35.257707119 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 18:36:35.595158100 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 51757 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 18:36:42.430260897 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 18:36:42.763788939 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 51764 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 18:36:43.811758041 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 18:36:44.149487019 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 51765 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 18:36:54.153486967 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 18:37:04.284971952 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 18:37:14.415256023 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 18:37:16.578846931 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 18:37:16.927795887 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 51798 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 18:37:26.928992033 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 18:37:37.058875084 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 18:37:47.187221050 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 18:37:57.316873074 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 18:38:07.445293903 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 18:38:38.447299004 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 18:38:38.780824900 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 51880 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49725	34.107.221.82	80	8164	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 18:35:45.993877888 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 18:35:47.127185106 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 17:38:12 GMT Age: 86254 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 18:35:49.569804907 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 18:35:49.915391922 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 17:38:12 GMT Age: 86257 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 18:35:55.595571995 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 18:35:55.945259094 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 17:38:12 GMT Age: 86263 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 18:35:57.370099068 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 18:35:57.710602045 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 17:38:12 GMT Age: 86265 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 18:35:59.660495043 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 18:35:59.988234043 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 17:38:12 GMT Age: 86267 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 18:36:01.118762970 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 18:36:01.446878910 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 17:38:12 GMT Age: 86269 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 18:36:02.128113031 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 18:36:02.454853058 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 17:38:12 GMT Age: 86270 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 18:36:02.629467010 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 18:36:02.961524963 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 17:38:12 GMT Age: 86270 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 18:36:11.877233982 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 18:36:12.209355116 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 17:38:12 GMT Age: 86280 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 18:36:12.238754988 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 18:36:12.565387011 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 17:38:12 GMT Age: 86280 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 18:36:13.478368998 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 18:36:13.803742886 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 17:38:12 GMT Age: 86281 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 18:36:23.816154957 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 18:36:33.945297003 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 18:36:34.929333925 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 18:36:35.255075932 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 17:38:12 GMT Age: 86303 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 18:36:42.099915028 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 18:36:42.427350998 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 17:38:12 GMT Age: 86310 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 18:36:43.483000040 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 18:36:43.808444977 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 17:38:12 GMT Age: 86311 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 18:36:53.821260929 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 18:37:03.946228027 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 18:37:14.076463938 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 18:37:16.228931904 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 18:37:16.558587074 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 17:38:12 GMT Age: 86344 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 18:37:26.581260920 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 18:37:36.710942984 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 18:37:46.839401960 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 18:37:56.969106913 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 18:38:07.097558022 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 18:38:38.111368895 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 18:38:38.442984104 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 24 Nov 2024 17:47:27 GMT Age: 85871 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Target ID:	0
Start time:	12:35:33
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x6f0000
File size:	922'112 bytes
MD5 hash:	F7EFAE8E18598BAD4B7EDC75A514C644
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:35:33
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x5c0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:35:33
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:35:36
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x5c0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:35:36
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:35:36
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x5c0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:35:36
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:35:36
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x5c0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:35:36
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:35:36
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x5c0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:35:36
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:35:37
Start date:	25/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6d20e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:35:37
Start date:	25/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6d20e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	12:35:37
Start date:	25/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6d20e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	12:35:39
Start date:	25/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2264 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2204 -prefsLen 25298 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16325912-49ac-40f1-bda4-2cac4c4c2137} 8164 "\\.\pipe\gecko-crash-server-pipe.8164" 26487e6e910 socket
Imagebase:	0x7ff6d20e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	12:35:42
Start date:	25/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3684 -parentBuildID 20230927232528 -prefsHandle 4052 -prefMapHandle 4048 -prefsLen 26313 -prefMapSize 238442 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d996e0e9-af63-49e3-adbf-964172d0344a} 8164 "\\.\pipe\gecko-crash-server-pipe.8164" 2649a108510 rdd
Imagebase:	0x7ff6d20e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	12:35:55
Start date:	25/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5424 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5456 -prefMapHandle 5472 -prefsLen 33481 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {13e771dd-665e-4a33-a08c-b3d742946c3d} 8164 "\\.\pipe\gecko-crash-server-pipe.8164" 26493ede710 utility
Imagebase:	0x7ff6d20e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.8%
Total number of Nodes:	1566
Total number of Limit Nodes:	65

Executed Functions

Function 006F42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 006F430D

Part of subcall function 006F6B57: _wcslen.LIBCMT ref: 006F6B6A

GetCurrentProcess.KERNEL32(?,0078CB64,00000000,?,?), ref: 006F4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 006F4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 006F4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 006F4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 006F4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 006F447B
GetSystemInfo.KERNEL32(?,?,?), ref: 006F44A0

Strings

GetNativeSystemInfo, xrefs: 006F4460
|O, xrefs: 007336F8
kernel32.dll, xrefs: 006F444F

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: d3eb0e19b6ded4871dfdadbf5ed48db3b9bc16b4ab4e35b9114f177fc5573d1e
Instruction ID: bfb33f692eb5ddec5effe2fa464038af20d54a5839bb4057c4e65ddd3cce24ea
Opcode Fuzzy Hash: d3eb0e19b6ded4871dfdadbf5ed48db3b9bc16b4ab4e35b9114f177fc5573d1e
Instruction Fuzzy Hash: 08A1D27291A2C4CFD722D7697C819A53FE5AB67308B88D5BCD441A3E23D63C4509CB2D

Function 006F42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,006F50AA,?,?,00000000,00000000), ref: 006F42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,006F50AA,?,?,00000000,00000000), ref: 006F42C9
LoadResource.KERNEL32(?,00000000,?,?,006F50AA,?,?,00000000,00000000,?,?,?,?,?,?,006F4F20), ref: 007335BE
SizeofResource.KERNEL32(?,00000000,?,?,006F50AA,?,?,00000000,00000000,?,?,?,?,?,?,006F4F20), ref: 007335D3
LockResource.KERNEL32(006F50AA,?,?,006F50AA,?,?,00000000,00000000,?,?,?,?,?,?,006F4F20,?), ref: 007335E6

Strings

SCRIPT, xrefs: 006F42BF

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 8c9eb8e5dda3171f46bb3c9db251046699a43b1cb8552f3a2a42e2e5fefd57a9
Instruction ID: 6ae619d4c4a7bddbe49379928d1abe8708617eb6bf3251e74d3be33d64e7f559
Opcode Fuzzy Hash: 8c9eb8e5dda3171f46bb3c9db251046699a43b1cb8552f3a2a42e2e5fefd57a9
Instruction Fuzzy Hash: 0B117970240704BFEB228BA5DC49F677BBAEFC5B51F208169F50296AA0DB71D9008B30

Function 00732BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 006F2B6B

Part of subcall function 006F3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,007C1418,?,006F2E7F,?,?,?,00000000), ref: 006F3A78

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,007B2224), ref: 00732C10
ShellExecuteW.SHELL32(00000000,?,?,007B2224), ref: 00732C17

Strings

runas, xrefs: 00732C0B

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: ea07eb2544b9e9917baf421bb46a8415cb7cb844d13380eeb2bb517a647beffe
Instruction ID: 810fe24c9158d9b237f9410603c16c03b0685cb8b0898ba4a9563d6a1054aa05
Opcode Fuzzy Hash: ea07eb2544b9e9917baf421bb46a8415cb7cb844d13380eeb2bb517a647beffe
Instruction Fuzzy Hash: 4D110A3110835E6AC745FF24D852EBD77A69F91340F44542DF742021A3DF38960A871A

Function 0075D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0075D501
Process32FirstW.KERNEL32(00000000,?), ref: 0075D50F
Process32NextW.KERNEL32(00000000,?), ref: 0075D52F
CloseHandle.KERNELBASE(00000000), ref: 0075D5DC

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 7e35d506056e9c8903c5d4d283166490505b2f59fbd046265e858adf4b366906
Instruction ID: 5f375bf7525dc27c593a1e2038a3a8b6de1e234d43fe69811230efc22501d680
Opcode Fuzzy Hash: 7e35d506056e9c8903c5d4d283166490505b2f59fbd046265e858adf4b366906
Instruction Fuzzy Hash: D731C2710083049FD315EF54C885ABFBBF8EF99344F10092DF685821A1EBB19A49CBA2

Function 0075DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00735222), ref: 0075DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0075DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0075DBEE
FindClose.KERNEL32(00000000), ref: 0075DBFA

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 42c521a66fef9db12bc306570d10d546a65c99ed7971b04a38641253756ce76a
Instruction ID: 4d1624d1ad3212269bec84c3e52e9e8bf17e427575339129a798f9070ab2d7ea
Opcode Fuzzy Hash: 42c521a66fef9db12bc306570d10d546a65c99ed7971b04a38641253756ce76a
Instruction Fuzzy Hash: 50F0A0308509149B92316B78AC0D8AE37ACAE01336F208702F836C20E0EBF85D5886B9

Function 00714CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(007228E9,?,00714CBE,007228E9,007B88B8,0000000C,00714E15,007228E9,00000002,00000000,?,007228E9), ref: 00714D09
TerminateProcess.KERNEL32(00000000,?,00714CBE,007228E9,007B88B8,0000000C,00714E15,007228E9,00000002,00000000,?,007228E9), ref: 00714D10
ExitProcess.KERNEL32 ref: 00714D22

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 9d5f12ca2c66172c14a2fda7e6b5a2e12c2b13bd9c8a428957e4b127a8756132
Instruction ID: ab36784b0e7721a6d028d3618f5912b28790d166e4a13e305f65210a32da91ed
Opcode Fuzzy Hash: 9d5f12ca2c66172c14a2fda7e6b5a2e12c2b13bd9c8a428957e4b127a8756132
Instruction Fuzzy Hash: 04E0B631540548ABCF12AF68ED0DA983B69FB41B81B208014FD498A562CB3DDD82DB94

Function 006FBF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#|, xrefs: 007407CE

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#|
API String ID: 3964851224-1286273844
Opcode ID: 58e338a9d85986720203b6bd8a536bbd23656303787d60c252ad9c29dfa56025
Instruction ID: 50371d7846ab44650b63ae75ea0d22a347d10d277bdd53a1d17fa52179b19ac5
Opcode Fuzzy Hash: 58e338a9d85986720203b6bd8a536bbd23656303787d60c252ad9c29dfa56025
Instruction Fuzzy Hash: 6BA27C70608345CFC714DF28C580B6ABBE2BF89314F14896DEA9A8B352D775EC45CB92

Function 0077AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0077B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0077B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0077B1D4
_wcslen.LIBCMT ref: 0077B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0077B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0077B236
_wcslen.LIBCMT ref: 0077B332

Part of subcall function 007605A7: GetStdHandle.KERNEL32(000000F6), ref: 007605C6

_wcslen.LIBCMT ref: 0077B34B
_wcslen.LIBCMT ref: 0077B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0077B3B6
GetLastError.KERNEL32(00000000), ref: 0077B407
CloseHandle.KERNEL32(?), ref: 0077B439
CloseHandle.KERNEL32(00000000), ref: 0077B44A
CloseHandle.KERNEL32(00000000), ref: 0077B45C
CloseHandle.KERNEL32(00000000), ref: 0077B46E
CloseHandle.KERNEL32(?), ref: 0077B4E3

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 4dbf9c6fff7ae77fe02b2c9c82afbbb4a54475c863c3962dfb8c6d67f13baff5
Instruction ID: f7755ea78470aaa072517814cd61e2719ea4f2cd06ce6fb7eddaf6d3308722c3
Opcode Fuzzy Hash: 4dbf9c6fff7ae77fe02b2c9c82afbbb4a54475c863c3962dfb8c6d67f13baff5
Instruction Fuzzy Hash: C5F19931608344DFCB24EF24C895B6EBBE1AF85354F14855DF9998B2A2CB39EC44CB52

Function 006FD730 Relevance: 21.6, APIs: 14, Instructions: 626timeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 006FD807
timeGetTime.WINMM ref: 006FDA07

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: InputStateTimetime
String ID:
API String ID: 2164325655-0
Opcode ID: 7e00a11c7e67758c854830abcadae05e96a51f8f229a10aba21c8056cfec8d76
Instruction ID: 6f826fa52db7b91bec1bb6d2feaa53c9aee87b6d8604f52d27b3a165c456432d
Opcode Fuzzy Hash: 7e00a11c7e67758c854830abcadae05e96a51f8f229a10aba21c8056cfec8d76
Instruction Fuzzy Hash: 79420F70608246DFD728CF24C888BBAB7E2BF41304F54861DFA6587292D778F855CB92

Function 006F2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 006F2D07
RegisterClassExW.USER32(00000030), ref: 006F2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006F2D42
InitCommonControlsEx.COMCTL32(?), ref: 006F2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006F2D6F
LoadIconW.USER32(000000A9), ref: 006F2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006F2D94

Strings

0, xrefs: 006F2CE9
+, xrefs: 006F2CF0
TaskbarCreated, xrefs: 006F2D37
AutoIt v3 GUI, xrefs: 006F2D23

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 261b4aa453543745a4393cf2f89ac3ee93f52e93fb760a2885c7f90bfe40ffb7
Instruction ID: 10b8735791ca88a5889bbce3309e6fe9bae6b82ff4509761922e93c747601159
Opcode Fuzzy Hash: 261b4aa453543745a4393cf2f89ac3ee93f52e93fb760a2885c7f90bfe40ffb7
Instruction Fuzzy Hash: E021F4B1941348EFDB01DFA4EC49BDDBBB4FB09700F50812AF611A62A0D7B95540CFA9

Function 0073065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0073039A: CreateFileW.KERNELBASE(00000000,00000000,?,00730704,?,?,00000000,?,00730704,00000000,0000000C), ref: 007303B7

GetLastError.KERNEL32 ref: 0073076F
__dosmaperr.LIBCMT ref: 00730776
GetFileType.KERNELBASE(00000000), ref: 00730782
GetLastError.KERNEL32 ref: 0073078C
__dosmaperr.LIBCMT ref: 00730795
CloseHandle.KERNEL32(00000000), ref: 007307B5
CloseHandle.KERNEL32(?), ref: 007308FF
GetLastError.KERNEL32 ref: 00730931
__dosmaperr.LIBCMT ref: 00730938

Strings

H, xrefs: 007308BD

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: ee884e5262730f706690a50c5ced9f7385f672eb177cc19d42a39166bd58ca92
Instruction ID: 814cf7f12f1c01291aa563d9c599fc718ebc3d5a71c66a92a44ce126a0baa576
Opcode Fuzzy Hash: ee884e5262730f706690a50c5ced9f7385f672eb177cc19d42a39166bd58ca92
Instruction Fuzzy Hash: 99A12632A00118CFEF19EF68DC66BAE7BA0AB06320F14415DF8159B2D2D7399D52CBD5

Function 006F344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006F3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,007C1418,?,006F2E7F,?,?,?,00000000), ref: 006F3A78

Part of subcall function 006F3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 006F3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 006F356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0073318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 007331CE
RegCloseKey.ADVAPI32(?), ref: 00733210
_wcslen.LIBCMT ref: 00733277
_wcslen.LIBCMT ref: 00733286

Strings

\, xrefs: 0073328C
Include, xrefs: 00733184, 007331C5
\Include\, xrefs: 006F3527
Software\AutoIt v3\AutoIt, xrefs: 006F3560

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 986a2bda6568f1441b5cb90313446efbe92dd1e61f7f25fcb7d8b10684690faf
Instruction ID: eaaa0b604b170fc6a89f2b8c26f1ca75f029a5a878cac33c59359c84becc9441
Opcode Fuzzy Hash: 986a2bda6568f1441b5cb90313446efbe92dd1e61f7f25fcb7d8b10684690faf
Instruction Fuzzy Hash: 1F71C2714043459EC314EF69DC81DABBBE8FF85340F40852EF545832A2EB7C9A49CB6A

Function 006F2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 006F2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 006F2B9D
LoadIconW.USER32(00000063), ref: 006F2BB3
LoadIconW.USER32(000000A4), ref: 006F2BC5
LoadIconW.USER32(000000A2), ref: 006F2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 006F2BEF
RegisterClassExW.USER32(?), ref: 006F2C40

Part of subcall function 006F2CD4: GetSysColorBrush.USER32(0000000F), ref: 006F2D07
Part of subcall function 006F2CD4: RegisterClassExW.USER32(00000030), ref: 006F2D31
Part of subcall function 006F2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006F2D42
Part of subcall function 006F2CD4: InitCommonControlsEx.COMCTL32(?), ref: 006F2D5F
Part of subcall function 006F2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006F2D6F
Part of subcall function 006F2CD4: LoadIconW.USER32(000000A9), ref: 006F2D85
Part of subcall function 006F2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006F2D94

Strings

AutoIt v3, xrefs: 006F2C2F
#, xrefs: 006F2C16
0, xrefs: 006F2C0F

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 1c09b66398ca25a6e477380d5259a60204576c0167f158afb6fd9853d64fa475
Instruction ID: 619bda8e1e5dd58b0a3c9750131b52716f3031ba6e666ca34e3cd5ecac6e8477
Opcode Fuzzy Hash: 1c09b66398ca25a6e477380d5259a60204576c0167f158afb6fd9853d64fa475
Instruction Fuzzy Hash: E9217C70E40358ABDB119FA5EC54EA97FB4FB09B54F90802EE600A26A1D3B94510CF98

Function 006F3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,006F316A,?,?), ref: 006F31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,006F316A,?,?), ref: 006F3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 006F3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,006F316A,?,?), ref: 006F3232
CreatePopupMenu.USER32 ref: 006F3246
PostQuitMessage.USER32(00000000), ref: 006F3267

Strings

TaskbarCreated, xrefs: 006F322D

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 093b3b53cc938ab3c2edec1a4a67c7054767818c41009e875bdcfc2476be4079
Instruction ID: a01d5a45436f9f6cd91b7223eef79f38b44239824edfe5f8bacef976548227b5
Opcode Fuzzy Hash: 093b3b53cc938ab3c2edec1a4a67c7054767818c41009e875bdcfc2476be4079
Instruction Fuzzy Hash: 7E410531240268A6EB156B789D0DFB9371BE706344F54813DFB06853A3CB7A9B4287A9

Function 006F1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 006F1459
CoUninitialize.COMBASE ref: 006F14F8
UnregisterHotKey.USER32(?), ref: 006F16DD
DestroyWindow.USER32(?), ref: 007324B9
FreeLibrary.KERNEL32(?), ref: 0073251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0073254B

Strings

close all, xrefs: 006F1454

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: fccadda37b54c7b732271e80f4db301959f777b296914fa2b809902d15d2bce2
Instruction ID: fc8095a10414fe957b3a2407741e96d24e23693c7f4bdf6b8e40508bd08c8b03
Opcode Fuzzy Hash: fccadda37b54c7b732271e80f4db301959f777b296914fa2b809902d15d2bce2
Instruction Fuzzy Hash: 33D18D31701212CFDB29EF15C499A29F7A2BF05740F2442ADE94AAB252DB34AD23CF54

Function 006F2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 006F2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 006F2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,006F1CAD,?), ref: 006F2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,006F1CAD,?), ref: 006F2CCF

Strings

AutoIt v3, xrefs: 006F2C89, 006F2C8E, 006F2C8F
edit, xrefs: 006F2CAC

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 8b51384d925be66b80aa702c6d80a1636d5e56da78759943126459ad730c4473
Instruction ID: 73ef97aecc4785caf035b1f63602230cc1e68bb42ba33e3d613c39f403f3ba0f
Opcode Fuzzy Hash: 8b51384d925be66b80aa702c6d80a1636d5e56da78759943126459ad730c4473
Instruction Fuzzy Hash: C1F0DA755802D07AEB311717AC08E772FBDD7C7F64B51806EF900A29A1C6791850DBB8

Function 00722DF8 Relevance: 7.6, APIs: 5, Instructions: 53
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,0071F2DE,00723863,007C1444,?,0070FDF5,?,?,006FA976,00000010,007C1440,006F13FC,?,006F13C6), ref: 00722DFD
_free.LIBCMT ref: 00722E32
_free.LIBCMT ref: 00722E59
SetLastError.KERNEL32(00000000,006F1129), ref: 00722E66
SetLastError.KERNEL32(00000000,006F1129), ref: 00722E6F

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: daf8e482003bdb5b0f2135b4960636a0a711ba683b14609380f693e61a949ea3
Instruction ID: e598fa0a8ffeb089e74afe79e2b0b274e55de3ee07774f1653f7e996a701bfa8
Opcode Fuzzy Hash: daf8e482003bdb5b0f2135b4960636a0a711ba683b14609380f693e61a949ea3
Instruction Fuzzy Hash: 0F01F472A45620B7C61327387C4EE3B265DABD57A1B22812CF421A21D3EA7CCC036174

Function 006F3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,006F3B0F,SwapMouseButtons,00000004,?), ref: 006F3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,006F3B0F,SwapMouseButtons,00000004,?), ref: 006F3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,006F3B0F,SwapMouseButtons,00000004,?), ref: 006F3B83

Strings

Control Panel\Mouse, xrefs: 006F3B3E

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: ab26b74802349e11f21f9953a9dc8e6a17e032cf05392f807c6313a8887cb2ac
Instruction ID: addff818681a50a355382d7a5bb5a9530e668ff14bf083e67d44c23cf96e627f
Opcode Fuzzy Hash: ab26b74802349e11f21f9953a9dc8e6a17e032cf05392f807c6313a8887cb2ac
Instruction Fuzzy Hash: E4115AB1511219FFDB218FA4DC44AFEB7B9EF20780B10845AA901D7210E2319E419764

Function 006F3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 007333A2

Part of subcall function 006F6B57: _wcslen.LIBCMT ref: 006F6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 006F3A04

Strings

Line: , xrefs: 007333EB

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 99b8b40f107eb9d49693ecc1dd9bf5862fe5ea98d149c44ce51b52ae35559321
Instruction ID: 2ab629e3223dbfb8b2d11ed3f3b4978e17b4013b037c09081379d2f9391f04a6
Opcode Fuzzy Hash: 99b8b40f107eb9d49693ecc1dd9bf5862fe5ea98d149c44ce51b52ae35559321
Instruction Fuzzy Hash: 99312671408358AED321EB10DC45FFBB7D9AB41314F00452EF69983292EB789A48C7CA

Function 006F2DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00732C8C

Part of subcall function 006F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006F3A97,?,?,006F2E7F,?,?,?,00000000), ref: 006F3AC2

Part of subcall function 006F2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006F2DC4

Strings

X, xrefs: 00732C5A
`e{, xrefs: 00732C85

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e{
API String ID: 779396738-1989916424
Opcode ID: d058bcea549ff1f03d67c2e2872817c5cd7dd9c9aed22a9a318c75672e61678f
Instruction ID: 6396e7e6238377aa46dc700a13be9394f7925e38848aa42167c01199b2a173ec
Opcode Fuzzy Hash: d058bcea549ff1f03d67c2e2872817c5cd7dd9c9aed22a9a318c75672e61678f
Instruction Fuzzy Hash: 1121A571A0029C9FDF41DF94C845BEE7BF9AF49304F108069E605B7242DBBC5A898F65

Function 0070FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00710668

Part of subcall function 007132A4: RaiseException.KERNEL32(?,?,?,0071068A,?,007C1444,?,?,?,?,?,?,0071068A,006F1129,007B8738,006F1129), ref: 00713304

__CxxThrowException@8.LIBVCRUNTIME ref: 00710685

Strings

Unknown exception, xrefs: 00710692

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: b566a078f75858074cebe739719ddfa978c574e35b2ce3a5d005b4b1ac3286c5
Instruction ID: 3ff082557eb870f3e78328d944c1df3c4a747753a38f45c0d2c85532e193c835
Opcode Fuzzy Hash: b566a078f75858074cebe739719ddfa978c574e35b2ce3a5d005b4b1ac3286c5
Instruction Fuzzy Hash: 8DF02234A0020CF7CB04B6ACD85ADDE77AC6E00314B604131F824928D2EFBDDAEAC6C0

Function 006F10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 006F1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 006F1BF4
Part of subcall function 006F1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 006F1BFC
Part of subcall function 006F1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 006F1C07
Part of subcall function 006F1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 006F1C12
Part of subcall function 006F1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 006F1C1A
Part of subcall function 006F1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 006F1C22

Part of subcall function 006F1B4A: RegisterWindowMessageW.USER32(00000004,?,006F12C4), ref: 006F1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 006F136A
OleInitialize.OLE32 ref: 006F1388
CloseHandle.KERNEL32(00000000,00000000), ref: 007324AB

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 08f485441bffbd6edf89561544d260c5f3610b03e966a85ae9a79218e7da894c
Instruction ID: 6d70cc0456171961539d02c42d86215f0f846c678b6175362f2ca123c132296d
Opcode Fuzzy Hash: 08f485441bffbd6edf89561544d260c5f3610b03e966a85ae9a79218e7da894c
Instruction Fuzzy Hash: F671A9B49152448E8388EF79B855E653BE1AB8B3903D4C27ED50AC7363EB3C85218F5C

Function 0075C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 006F3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 006F3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0075C259
KillTimer.USER32(?,00000001,?,?), ref: 0075C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0075C270

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 6d2a444370319f4109785dbccc68116e30a442f66a86055630ff1bb02c0cae0e
Instruction ID: bf8217b8e7f97210d7b851ddb419a0a5e4c217dd5d7e27902e80d94fd2331347
Opcode Fuzzy Hash: 6d2a444370319f4109785dbccc68116e30a442f66a86055630ff1bb02c0cae0e
Instruction Fuzzy Hash: D531D970904344AFEB338F648855BE7BBECAF06305F00449DD6DA97241C7B85A88CB55

Function 007286AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,007285CC,?,007B8CC8,0000000C), ref: 00728704
GetLastError.KERNEL32(?,007285CC,?,007B8CC8,0000000C), ref: 0072870E
__dosmaperr.LIBCMT ref: 00728739

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 3f3a40236356bad329c4ca4fc8cf67f4b2f88a42722f72991bbb891d6f281a12
Instruction ID: 78f0b26da4a3fdfa55ff383634b7d4d3781b1adbca27e3acfb2c282a2f37d0b9
Opcode Fuzzy Hash: 3f3a40236356bad329c4ca4fc8cf67f4b2f88a42722f72991bbb891d6f281a12
Instruction Fuzzy Hash: 50018932A07230A6D2A0A334B84DB7E27494B82778F39411DF8148B1D3DEBECC818292

Function 006FDB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 006FDB7B
DispatchMessageW.USER32(?), ref: 006FDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006FDB9F
Sleep.KERNELBASE(0000000A), ref: 006FDBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00741CC9

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: a0ecb034015c8e412e320c01ed2672c70c93fa99ad08e673da71db5348b6b2e6
Instruction ID: 3992c808abeaa52968c3b651923552ca7c461b7eb7cb759349eff1a9923b13f5
Opcode Fuzzy Hash: a0ecb034015c8e412e320c01ed2672c70c93fa99ad08e673da71db5348b6b2e6
Instruction Fuzzy Hash: F4F054306443459BE730DB608C89FEA73A9EB45350F508A28E619C30D0DB38A4849B29

Function 00701310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 007017F6

Strings

CALL, xrefs: 007017C6

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: ebc7e16c8ca3c2ea93f7cd302fa0df15b6c41925b84907d4f8862585b7133c64
Instruction ID: f0fb413540be04d3ae5303bf0c7f50742ac210e515c0182aedb3b6ba8cde1755
Opcode Fuzzy Hash: ebc7e16c8ca3c2ea93f7cd302fa0df15b6c41925b84907d4f8862585b7133c64
Instruction Fuzzy Hash: 76229B70608241DFC714DF14C884A2ABBF1BF85314F548A6DF4968B3A2D77AE951CB92

Function 006F3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 006F3908

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: aa9c22aa9bf5d9bd45aaab8beb1ee790ffddca71b48e40d1a6d7cc8ace9e6ec9
Instruction ID: b076c5f99da09a3f395cb3310365c06473dd5ab22949947a05f8b9c13ff470f0
Opcode Fuzzy Hash: aa9c22aa9bf5d9bd45aaab8beb1ee790ffddca71b48e40d1a6d7cc8ace9e6ec9
Instruction Fuzzy Hash: 7531B1705043449FD721DF24D884BE7BBE8FB49748F00492EFA9983341E7B9AA44CB56

Function 0070F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0070F661

Part of subcall function 006FD730: GetInputState.USER32 ref: 006FD807

Sleep.KERNEL32(00000000), ref: 0074F2DE

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 64fe47f009f58e54b75aa31e1abf5f1620d59d113d45db650c809fc3d0d48b57
Instruction ID: 192a172e0c1c9b7921cacc8387b441db4d7cf94cfdb0efdbc49a6e2f7ff85665
Opcode Fuzzy Hash: 64fe47f009f58e54b75aa31e1abf5f1620d59d113d45db650c809fc3d0d48b57
Instruction Fuzzy Hash: 5EF08C312802099FD350EF69D459B6AB7EAFF46760F00402AE959C72A0DB74B800CBA8

Function 006F4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 006F4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,006F4EDD,?,007C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006F4E9C
Part of subcall function 006F4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 006F4EAE
Part of subcall function 006F4E90: FreeLibrary.KERNEL32(00000000,?,?,006F4EDD,?,007C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006F4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,007C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006F4EFD

Part of subcall function 006F4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00733CDE,?,007C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006F4E62
Part of subcall function 006F4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 006F4E74
Part of subcall function 006F4E59: FreeLibrary.KERNEL32(00000000,?,?,00733CDE,?,007C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006F4E87

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 7919660873c5c5730be5c3678afb1a602f33becd61a453befbb8a3c5ca3b5885
Instruction ID: 4f6d9a5912f484d799da3136ebcbd1eebd5e5f03e4ef5c397744da33d1af0555
Opcode Fuzzy Hash: 7919660873c5c5730be5c3678afb1a602f33becd61a453befbb8a3c5ca3b5885
Instruction Fuzzy Hash: 4811E731610209ABDB24FB64DC07FBE77A6AF80710F10842DF646A65C1DE749E459764

Function 00728402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00728440

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: bd741925cfc033a8e6f10ee59d40d04e4c43115ad3ef45cbf81c168e085ca6fb
Instruction ID: a8dfe66e76d78645882cc718ea8104d1e3e4ab3258c9ba3828d65bdc59e67ad5
Opcode Fuzzy Hash: bd741925cfc033a8e6f10ee59d40d04e4c43115ad3ef45cbf81c168e085ca6fb
Instruction Fuzzy Hash: 3211187590410AEFCB05DF58E94599A7BF5EF48314F144059F808AB312DB35EA21CBA5

Function 0071E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 89d35c641f45834f52d01ccadfd0ada6d12470f7817bdf94f8a339b99201c9b3
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 3FF02D32511A20EBC7313E6D9C0DBDA33A89F52330F100715FD21931D2CB7CE88289A6

Function 00724C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,006F1129,00000000,?,00722E29,00000001,00000364,?,?,?,0071F2DE,00723863,007C1444,?,0070FDF5,?), ref: 00724CBE

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8d5c020f1db0aa62e8aa598f820cc8649e6665d8c7565ef09660a26da68e5504
Instruction ID: fbeb9fe61937e281a508d7987d89aef227a2cb7648b180479fd804b07e348b54
Opcode Fuzzy Hash: 8d5c020f1db0aa62e8aa598f820cc8649e6665d8c7565ef09660a26da68e5504
Instruction Fuzzy Hash: 26F0E932602234A7DB315F6EFC09F9A3788BF41BA0B148125F815A62C1CA7CDC8186F0

Function 00723820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,007C1444,?,0070FDF5,?,?,006FA976,00000010,007C1440,006F13FC,?,006F13C6,?,006F1129), ref: 00723852

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f68e799db8d5642a417fe5d779a2290add1fcc2429904d590d204c765f12506b
Instruction ID: 00fb8e42888eb6fc247f1e28535fa7fe42c80cb8513aff4843af31f4894709a6
Opcode Fuzzy Hash: f68e799db8d5642a417fe5d779a2290add1fcc2429904d590d204c765f12506b
Instruction Fuzzy Hash: 93E0E5331002349AE721266ABC09BDA3759AB42FB0F160026FD059A5C1CB2DDD0182F0

Function 006F4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,007C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006F4F6D

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: b6d8b35fd168b447f1fdb83ffa08b10653653540de5406d45c408c69dffafcdd
Instruction ID: 5e81bb97224f6cd6d6b310e92864c2c032c2a0becbe783af9c79aa87731597ea
Opcode Fuzzy Hash: b6d8b35fd168b447f1fdb83ffa08b10653653540de5406d45c408c69dffafcdd
Instruction Fuzzy Hash: E9F03071506755CFDB349F68D494863B7E6BF54329320C97EE2DE82A21CB319884DF10

Function 00782A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00782A66

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 7a824b23ab57762db266ed9383c6a5d58c3f2a3e74a763bb56a8a8142ec6d461
Instruction ID: 4e9cafbbc2bc0a8473f16809b829ed518cb251becfaf3a2e65b3e02cb0a071f9
Opcode Fuzzy Hash: 7a824b23ab57762db266ed9383c6a5d58c3f2a3e74a763bb56a8a8142ec6d461
Instruction Fuzzy Hash: EAE04F7639011AAAC718FB30DC888FA735CEF503967108536AC2AC2111EB38999687A0

Function 006F30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 006F314E

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 045856c2fccc6746f36f197aa7923b4bcfc634d16c69033f70fc8e4d110f0e16
Instruction ID: e2cfade92d782b7e5d68521b068452be8167d34505292cf7f15ebddd9c4242d7
Opcode Fuzzy Hash: 045856c2fccc6746f36f197aa7923b4bcfc634d16c69033f70fc8e4d110f0e16
Instruction Fuzzy Hash: 55F0A7709003589FE752DB24DC49BD57BBCB70170CF0040E9A64896283D7784798CF55

Function 006F2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006F2DC4

Part of subcall function 006F6B57: _wcslen.LIBCMT ref: 006F6B6A

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: c273ec153243ad6a233154a54d39eb5c7f1c8566040e4448e3cbb5ebf50cc5f8
Instruction ID: 8646eb9d05ec5e4f82dfabc3c5fd303199abb9500026e1ce3017d3e535a4bd62
Opcode Fuzzy Hash: c273ec153243ad6a233154a54d39eb5c7f1c8566040e4448e3cbb5ebf50cc5f8
Instruction Fuzzy Hash: BCE0CD726001245BD7119258DC05FEA77DDDFC8790F044075FD09D7248D974AD808654

Function 006F2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 006F3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 006F3908

Part of subcall function 006FD730: GetInputState.USER32 ref: 006FD807

SetCurrentDirectoryW.KERNEL32(?), ref: 006F2B6B

Part of subcall function 006F30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 006F314E

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: b82e9e42c42bb3905a29932e20b9a5defeeb0222abd97b726935b57ed2fcfcf0
Instruction ID: 0a2a1430e74186a31e279ce161757eba35f902e487869157281d9aecf88536da
Opcode Fuzzy Hash: b82e9e42c42bb3905a29932e20b9a5defeeb0222abd97b726935b57ed2fcfcf0
Instruction Fuzzy Hash: 07E0263130425C02CA48BB3498129BDA34BCBD2392F80143EF34243263CE288645432A

Function 0073039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00730704,?,?,00000000,?,00730704,00000000,0000000C), ref: 007303B7

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d449854f82fa2ac3603ad0a3e5acaa4bcd5a8aa759ae897da951b84352582ce9
Instruction ID: 417a8fe82aa286ef05461d616f921cae280ab48bece95c43877f64a9f0850ea5
Opcode Fuzzy Hash: d449854f82fa2ac3603ad0a3e5acaa4bcd5a8aa759ae897da951b84352582ce9
Instruction Fuzzy Hash: E2D06C3204010DBBDF028F84DD4AEDA3BAAFB48714F118000BE1856020C736E821AB94

Function 006F1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 006F1CBC

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 2ed80db7acf26cc4e70df6325e5d74c93342329f083b86b2bae76261ac4b2a7a
Instruction ID: 2ac375eb8d8debe194e5de060c1e98905746a755dcfb8cf1efb39f741a6144b0
Opcode Fuzzy Hash: 2ed80db7acf26cc4e70df6325e5d74c93342329f083b86b2bae76261ac4b2a7a
Instruction Fuzzy Hash: ADC09B352C03049FF6155780BC5AF117754A348B04F64C005F609555E3C3F51431D758

Non-executed Functions

Function 00789576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00709BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00709BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0078961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0078965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0078969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007896C9
SendMessageW.USER32 ref: 007896F2
GetKeyState.USER32(00000011), ref: 0078978B
GetKeyState.USER32(00000009), ref: 00789798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007897AE
GetKeyState.USER32(00000010), ref: 007897B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007897E9
SendMessageW.USER32 ref: 00789810
SendMessageW.USER32(?,00001030,?,00787E95), ref: 00789918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0078992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00789941
SetCapture.USER32(?), ref: 0078994A
ClientToScreen.USER32(?,?), ref: 007899AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 007899BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007899D6
ReleaseCapture.USER32 ref: 007899E1
GetCursorPos.USER32(?), ref: 00789A19
ScreenToClient.USER32(?,?), ref: 00789A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00789A80
SendMessageW.USER32 ref: 00789AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00789AEB
SendMessageW.USER32 ref: 00789B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00789B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00789B4A
GetCursorPos.USER32(?), ref: 00789B68
ScreenToClient.USER32(?,?), ref: 00789B75
GetParent.USER32(?), ref: 00789B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00789BFA
SendMessageW.USER32 ref: 00789C2B
ClientToScreen.USER32(?,?), ref: 00789C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00789CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00789CDE
SendMessageW.USER32 ref: 00789D01
ClientToScreen.USER32(?,?), ref: 00789D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00789D82

Part of subcall function 00709944: GetWindowLongW.USER32(?,000000EB), ref: 00709952

GetWindowLongW.USER32(?,000000F0), ref: 00789E05

Strings

p#|, xrefs: 00789990
F, xrefs: 00789D07
@GUI_DRAGID, xrefs: 0078997D

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#|
API String ID: 3429851547-2998581402
Opcode ID: e7f96a0b66cb70bc0c7d9cc410f12e70f484bd6848227bfd7af0749270081dfa
Instruction ID: 391cc37cd13a00ab3ccd0a427f083d52df191fef17a394b400b31840b8bb8476
Opcode Fuzzy Hash: e7f96a0b66cb70bc0c7d9cc410f12e70f484bd6848227bfd7af0749270081dfa
Instruction Fuzzy Hash: 17428A70244240EFDB25EF24CC44EBABBE5EF49310F18466DF699872A1E739E850CB55

Function 00784873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 007848F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00784908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00784927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0078494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0078495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0078497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 007849AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 007849D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00784A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00784A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00784A7E
IsMenu.USER32(?), ref: 00784A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00784AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00784B20
GetWindowLongW.USER32(?,000000F0), ref: 00784B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00784BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00784C82
wsprintfW.USER32 ref: 00784CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00784CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00784CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00784D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00784D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00784D5A

Strings

%d/%02d/%02d, xrefs: 00784CA8

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 1b77e29ecd573c24e41dc3389be49cb8b683c21d9504dea05b5e8ab411b7ead6
Instruction ID: e92870cfc897ca186c64f31cbde98abd1c3615df21439a9765147f37726b5e1b
Opcode Fuzzy Hash: 1b77e29ecd573c24e41dc3389be49cb8b683c21d9504dea05b5e8ab411b7ead6
Instruction Fuzzy Hash: 19121071680255ABEB25AF28CC49FAE7BF8FF44310F144169F515DB2E1DBB89940CB60

Function 0070F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0070F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0074F474
IsIconic.USER32(00000000), ref: 0074F47D
ShowWindow.USER32(00000000,00000009), ref: 0074F48A
SetForegroundWindow.USER32(00000000), ref: 0074F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0074F4AA
GetCurrentThreadId.KERNEL32 ref: 0074F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0074F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0074F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0074F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0074F4DE
SetForegroundWindow.USER32(00000000), ref: 0074F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0074F4F6
keybd_event.USER32(00000012,00000000), ref: 0074F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0074F50B
keybd_event.USER32(00000012,00000000), ref: 0074F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0074F519
keybd_event.USER32(00000012,00000000), ref: 0074F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0074F528
keybd_event.USER32(00000012,00000000), ref: 0074F52D
SetForegroundWindow.USER32(00000000), ref: 0074F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0074F557

Strings

Shell_TrayWnd, xrefs: 0074F46F

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 5f46899d4f1d3a3d2c373726635a6e9e0b7e7acb80c5d0035e6b1b78573790a7
Instruction ID: 9a15fe23ea14f96198f41597f367b180c1770884184518e40bb36ce34b1f39d9
Opcode Fuzzy Hash: 5f46899d4f1d3a3d2c373726635a6e9e0b7e7acb80c5d0035e6b1b78573790a7
Instruction Fuzzy Hash: CD317471B80218BBEB216BB55C4AFBF7E6CEB44B50F204065F601E61D1D7B85D10AB74

Function 00751201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 007516C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0075170D
Part of subcall function 007516C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0075173A
Part of subcall function 007516C3: GetLastError.KERNEL32 ref: 0075174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00751286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 007512A8
CloseHandle.KERNEL32(?), ref: 007512B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007512D1
GetProcessWindowStation.USER32 ref: 007512EA
SetProcessWindowStation.USER32(00000000), ref: 007512F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00751310

Part of subcall function 007510BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007511FC), ref: 007510D4
Part of subcall function 007510BF: CloseHandle.KERNEL32(?,?,007511FC), ref: 007510E9

Strings

, xrefs: 0075125A
winsta0, xrefs: 007512CC
Z{, xrefs: 00751392
default, xrefs: 0075130B

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z{
API String ID: 22674027-874364712
Opcode ID: 9c9733670ef505e628cecf327d791e9e4fc6667958b62e83f5ef796d0849bb08
Instruction ID: 245574a88036ff71d3641f2656f19fe3a08682fa984146c00da1fa51475ce9f5
Opcode Fuzzy Hash: 9c9733670ef505e628cecf327d791e9e4fc6667958b62e83f5ef796d0849bb08
Instruction Fuzzy Hash: 3E819B71A00249AFDF219FA4DC49FEE7BB9EF04706F148129FD10A61A0D7B98949CB64

Function 00750B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007510F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00751114
Part of subcall function 007510F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00750B9B,?,?,?), ref: 00751120
Part of subcall function 007510F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00750B9B,?,?,?), ref: 0075112F
Part of subcall function 007510F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00750B9B,?,?,?), ref: 00751136
Part of subcall function 007510F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0075114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00750BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00750C00
GetLengthSid.ADVAPI32(?), ref: 00750C17
GetAce.ADVAPI32(?,00000000,?), ref: 00750C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00750C6D
GetLengthSid.ADVAPI32(?), ref: 00750C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00750C8C
HeapAlloc.KERNEL32(00000000), ref: 00750C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00750CB4
CopySid.ADVAPI32(00000000), ref: 00750CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00750CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00750D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00750D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00750D45
HeapFree.KERNEL32(00000000), ref: 00750D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00750D55
HeapFree.KERNEL32(00000000), ref: 00750D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00750D65
HeapFree.KERNEL32(00000000), ref: 00750D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00750D78
HeapFree.KERNEL32(00000000), ref: 00750D7F

Part of subcall function 00751193: GetProcessHeap.KERNEL32(00000008,00750BB1,?,00000000,?,00750BB1,?), ref: 007511A1
Part of subcall function 00751193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00750BB1,?), ref: 007511A8
Part of subcall function 00751193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00750BB1,?), ref: 007511B7

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: cc2f4d1cee01c892fb93b639cbe6f2bb473a6d0892a27a6ec8ea2a825cd5a193
Instruction ID: 185483a9b0fa871c2bce86a78c8aac2766bd16635e6d9c2c89f5e93bd7a63ff1
Opcode Fuzzy Hash: cc2f4d1cee01c892fb93b639cbe6f2bb473a6d0892a27a6ec8ea2a825cd5a193
Instruction Fuzzy Hash: 72715D71A0020AABDF11DFE4DC49FEEBBB8BF05341F148515ED14A6191D7B9A909CBB0

Function 0076EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0078CC08), ref: 0076EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0076EB37
GetClipboardData.USER32(0000000D), ref: 0076EB43
CloseClipboard.USER32 ref: 0076EB4F
GlobalLock.KERNEL32(00000000), ref: 0076EB87
CloseClipboard.USER32 ref: 0076EB91
GlobalUnlock.KERNEL32(00000000), ref: 0076EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0076EBC9
GetClipboardData.USER32(00000001), ref: 0076EBD1
GlobalLock.KERNEL32(00000000), ref: 0076EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0076EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0076EC38
GetClipboardData.USER32(0000000F), ref: 0076EC44
GlobalLock.KERNEL32(00000000), ref: 0076EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0076EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0076EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0076ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0076ECF3
CountClipboardFormats.USER32 ref: 0076ED14
CloseClipboard.USER32 ref: 0076ED59

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 0146bf1957a2626fb259eb3e1ebb4238de7a29ba1b64589548d24b7b6d4ed8a6
Instruction ID: 4404d7f34f2237ee630e3336d7ba97201f6038773100f548b5fa0cb4050f9fec
Opcode Fuzzy Hash: 0146bf1957a2626fb259eb3e1ebb4238de7a29ba1b64589548d24b7b6d4ed8a6
Instruction Fuzzy Hash: AA6101782042059FD301EF20D888F3A77A4AF84744F28851DF95B872A2DB39DD05CBB6

Function 0076698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007669BE
FindClose.KERNEL32(00000000), ref: 00766A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00766A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00766A75

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00766AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00766ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00766B6A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00766B32
%02d, xrefs: 00766C00, 00766C0A, 00766C5A, 00766CAA, 00766CFA, 00766D4A
%03d, xrefs: 00766DA2
%4d, xrefs: 00766BB1

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: d6e6e491498f5bf8d27e31ca161e4410b35f2a8245762a2cae123dcc9a8bee8c
Instruction ID: d1c0e1b93ae42a96693c7a46fd13f79c360aae7c7898552e2dfb932ae4de7967
Opcode Fuzzy Hash: d6e6e491498f5bf8d27e31ca161e4410b35f2a8245762a2cae123dcc9a8bee8c
Instruction Fuzzy Hash: 0BD160B2508344AFC354EBA4C885EBBB7EDAF88704F44491DF685C6191EB38DA04CB62

Function 00769642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 00769663
GetFileAttributesW.KERNEL32(?), ref: 007696A1
SetFileAttributesW.KERNEL32(?,?), ref: 007696BB
FindNextFileW.KERNEL32(00000000,?), ref: 007696D3
FindClose.KERNEL32(00000000), ref: 007696DE
FindFirstFileW.KERNEL32(*.*,?), ref: 007696FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0076974A
SetCurrentDirectoryW.KERNEL32(007B6B7C), ref: 00769768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00769772
FindClose.KERNEL32(00000000), ref: 0076977F
FindClose.KERNEL32(00000000), ref: 0076978F

Strings

*.*, xrefs: 007696F5

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: a58f187623d99f051618d45e3410e2409c59fc011f59bb9076c485a3dfd117ae
Instruction ID: 4e262bc9e429f572775f87dd016ed5c6afbf1ee16df3399eb358d5345393d915
Opcode Fuzzy Hash: a58f187623d99f051618d45e3410e2409c59fc011f59bb9076c485a3dfd117ae
Instruction Fuzzy Hash: 2A31B572540219AEDF15AFB4EC49AEE77ACAF49320F208165FA16E20D0DB3CDD44CB24

Function 0076979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 007697BE
FindNextFileW.KERNEL32(00000000,?), ref: 00769819
FindClose.KERNEL32(00000000), ref: 00769824
FindFirstFileW.KERNEL32(*.*,?), ref: 00769840
SetCurrentDirectoryW.KERNEL32(?), ref: 00769890
SetCurrentDirectoryW.KERNEL32(007B6B7C), ref: 007698AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 007698B8
FindClose.KERNEL32(00000000), ref: 007698C5
FindClose.KERNEL32(00000000), ref: 007698D5

Part of subcall function 0075DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0075DB00

Strings

*.*, xrefs: 0076983B

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 0a58c34c98b88d676bb7650e0b475e4acd12880612eb16e7e3a180cbe253f124
Instruction ID: 3b7ea4a954050bdb0877674eae8f3e2dc657391f0a8d63cf0c78d54e144dcfea
Opcode Fuzzy Hash: 0a58c34c98b88d676bb7650e0b475e4acd12880612eb16e7e3a180cbe253f124
Instruction Fuzzy Hash: 1031C77254021AAADF15AFB4DC48ADE77ACAF46320F208155EE11A30D0DB3CDD85CB64

Function 0077BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0077C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0077B6AE,?,?), ref: 0077C9B5
Part of subcall function 0077C998: _wcslen.LIBCMT ref: 0077C9F1
Part of subcall function 0077C998: _wcslen.LIBCMT ref: 0077CA68
Part of subcall function 0077C998: _wcslen.LIBCMT ref: 0077CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0077BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0077BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0077BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0077C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0077C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0077C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0077C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0077C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0077C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0077C382
RegCloseKey.ADVAPI32(00000000), ref: 0077C38F

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 67d26fb4c51038dff62b7891c22520356d25ede0b716673924f2e6b803b6b5e7
Instruction ID: 6599e65ff68f993805badaf388c1717feebf6e3da91991f5be4cd8c61c6d25e9
Opcode Fuzzy Hash: 67d26fb4c51038dff62b7891c22520356d25ede0b716673924f2e6b803b6b5e7
Instruction Fuzzy Hash: B0027071604200AFDB15CF24C895E2ABBE5EF89358F18C49DF84ADB2A2D735EC45CB52

Function 00768195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00768257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00768267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00768273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00768310
SetCurrentDirectoryW.KERNEL32(?), ref: 00768324
SetCurrentDirectoryW.KERNEL32(?), ref: 00768356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0076838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00768395

Strings

*.*, xrefs: 0076839B

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 2583f88ad4a83735a3148a3e4a98fd6b39f619d8c727d066a43f31ea2ac93eb1
Instruction ID: 6966f23882d20f9d7347539d527305490eda45d06f292df4d47f0d6bbb41735d
Opcode Fuzzy Hash: 2583f88ad4a83735a3148a3e4a98fd6b39f619d8c727d066a43f31ea2ac93eb1
Instruction Fuzzy Hash: A8618DB25043099FCB50EF64C8449AEB3E9FF89310F04891DFA8AC7251DB39E945CB96

Function 0075D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006F3A97,?,?,006F2E7F,?,?,?,00000000), ref: 006F3AC2

Part of subcall function 0075E199: GetFileAttributesW.KERNEL32(?,0075CF95), ref: 0075E19A

FindFirstFileW.KERNEL32(?,?), ref: 0075D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0075D1DD
MoveFileW.KERNEL32(?,?), ref: 0075D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0075D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0075D237

Part of subcall function 0075D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0075D21C,?,?), ref: 0075D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0075D253
FindClose.KERNEL32(00000000), ref: 0075D264

Strings

\*.*, xrefs: 0075D0CD, 0075D0D6, 0075D0EB

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 3efe82975dc6dd2b533cf63dd8ebac02aa5b9c85cac791820bcfcb73a600d4eb
Instruction ID: ef9c61889bef9c79f82f29c517a78333ba6bee415b301c4c676ed8127da2a322
Opcode Fuzzy Hash: 3efe82975dc6dd2b533cf63dd8ebac02aa5b9c85cac791820bcfcb73a600d4eb
Instruction Fuzzy Hash: 8861AD3180511D9BCF25EBE0C9929FDB7B6AF15301F204169E90277291EB786F0DCB64

Function 0076ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0076ED91
EmptyClipboard.USER32 ref: 0076ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0076EDAC
CloseClipboard.USER32 ref: 0076EEA3

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 1d433345739e007795023dc037aeb654d452cf65e5766adf40ad3f86fa5571f1
Instruction ID: bc9576be86d27f0f733062295de579ceb024eb41510a00384b4d4f4a0ee410cf
Opcode Fuzzy Hash: 1d433345739e007795023dc037aeb654d452cf65e5766adf40ad3f86fa5571f1
Instruction Fuzzy Hash: 864182356046119FE711DF15D848F19BBE5FF44328F24C09DE8168BAA2D77AEC41CBA4

Function 0075E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 007516C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0075170D
Part of subcall function 007516C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0075173A
Part of subcall function 007516C3: GetLastError.KERNEL32 ref: 0075174A

ExitWindowsEx.USER32(?,00000000), ref: 0075E932

Strings

, xrefs: 0075E920
, xrefs: 0075E95C
@, xrefs: 0075E925
SeShutdownPrivilege, xrefs: 0075E902

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 2b2e7c4b117c12c7d90523498a59288d59bf9e1041d9d5e98c3f8327d733059e
Instruction ID: 8372db146b15fc07f741e701f1968cb17ad9d9037ed44f986237ce8b16ce0009
Opcode Fuzzy Hash: 2b2e7c4b117c12c7d90523498a59288d59bf9e1041d9d5e98c3f8327d733059e
Instruction Fuzzy Hash: F5012B72A10210ABEB182674AC8AFFF725CDB04743F254422FC03E20D1D7EC6D4882A5

Function 00771204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00771276
WSAGetLastError.WSOCK32 ref: 00771283
bind.WSOCK32(00000000,?,00000010), ref: 007712BA
WSAGetLastError.WSOCK32 ref: 007712C5
closesocket.WSOCK32(00000000), ref: 007712F4
listen.WSOCK32(00000000,00000005), ref: 00771303
WSAGetLastError.WSOCK32 ref: 0077130D
closesocket.WSOCK32(00000000), ref: 0077133C

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: f32b7a055f25461b2369a6be1ddf666b36a33926cd858f0b1bd2bea64ddf6bc6
Instruction ID: e6099ecf034785d0af87bd3b67bd56c3a2d92b192ef014f5842178ff30b7a14d
Opcode Fuzzy Hash: f32b7a055f25461b2369a6be1ddf666b36a33926cd858f0b1bd2bea64ddf6bc6
Instruction Fuzzy Hash: F44183316001009FDB10DF68C498B29BBE6BF46358F68C198D95A9F293C779ED85CBE1

Function 0072B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0072B9D4
_free.LIBCMT ref: 0072B9F8
_free.LIBCMT ref: 0072BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00793700), ref: 0072BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,007C121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0072BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,007C1270,000000FF,?,0000003F,00000000,?), ref: 0072BC36
_free.LIBCMT ref: 0072BD4B

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 868f4087cda2567060c0dd5f6392d206bbb618cb713c33fcd05f06fc32e5c059
Instruction ID: 229ed9a17a98a9a451b1b3719cafe0c608c888460a844d72e6b14717851a9821
Opcode Fuzzy Hash: 868f4087cda2567060c0dd5f6392d206bbb618cb713c33fcd05f06fc32e5c059
Instruction Fuzzy Hash: 03C13B71A04225EFCB20DF78AC45BAE7BB9EF46310F5481AEE491D7252D7389E41C750

Function 0075D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006F3A97,?,?,006F2E7F,?,?,?,00000000), ref: 006F3AC2

Part of subcall function 0075E199: GetFileAttributesW.KERNEL32(?,0075CF95), ref: 0075E19A

FindFirstFileW.KERNEL32(?,?), ref: 0075D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0075D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0075D481
FindClose.KERNEL32(00000000), ref: 0075D498
FindClose.KERNEL32(00000000), ref: 0075D4A1

Strings

\*.*, xrefs: 0075D3F2

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 51a0e0f4e9768224d210e2bc2c0d1e3bb22b8424ee051e641f9b0a5490cdd30e
Instruction ID: 031cb8306a2e121ab9cfe66d4bb7da1c7f7890ee2746d58081a72a9dc151bf88
Opcode Fuzzy Hash: 51a0e0f4e9768224d210e2bc2c0d1e3bb22b8424ee051e641f9b0a5490cdd30e
Instruction Fuzzy Hash: EA318D710083899BC225EF64C8918BFB7E9BE91341F404A1DF9D592291EB74AE0D8767

Function 0072E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0072E645

Strings

1#INF, xrefs: 0072F852
1#SNAN, xrefs: 0072F844
1#IND, xrefs: 0072F83D
1#QNAN, xrefs: 0072F84B

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: d8e1548292b49f4e65de767891889716c67a5cd9825f6a37839116d1e85bdbc1
Instruction ID: e3d3907dfb85b903ca39f63b230aa840d37dc49aff41b9d666b6541c021c3a14
Opcode Fuzzy Hash: d8e1548292b49f4e65de767891889716c67a5cd9825f6a37839116d1e85bdbc1
Instruction Fuzzy Hash: 18C22B72E046288FDB25CE28ED447EAB7B5EB49305F1541EAD84DE7241E778AE818F40

Function 0076648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007664DC
CoInitialize.OLE32(00000000), ref: 00766639
CoCreateInstance.OLE32(0078FCF8,00000000,00000001,0078FB68,?), ref: 00766650
CoUninitialize.OLE32 ref: 007668D4

Strings

.lnk, xrefs: 007664BA, 00766524, 007665E0

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 9f15c5b2206e12cd40489f2a0ed8ceb16e54e76a9ba7e26470486d5c3975ff41
Instruction ID: 0dcf667158a03ae67e46dbaaafaa20a3d27080d1a1d3cfa194faad14f4b01ae4
Opcode Fuzzy Hash: 9f15c5b2206e12cd40489f2a0ed8ceb16e54e76a9ba7e26470486d5c3975ff41
Instruction Fuzzy Hash: ABD14B715083059FC314EF24C881A6BB7E9FF94704F50496DF6968B2A2EB70ED05CBA6

Function 007722DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 007722E8

Part of subcall function 0076E4EC: GetWindowRect.USER32(?,?), ref: 0076E504

GetDesktopWindow.USER32 ref: 00772312
GetWindowRect.USER32(00000000), ref: 00772319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00772355
GetCursorPos.USER32(?), ref: 00772381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007723DF

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 94e14e3fc4bfb39b6316009fcf61c52e3a36f0877392366ffc469de3f414d4c6
Instruction ID: a32b034916f33f58c61e9ba03bc726c63390cf88ff098c09b19010078ac193f5
Opcode Fuzzy Hash: 94e14e3fc4bfb39b6316009fcf61c52e3a36f0877392366ffc469de3f414d4c6
Instruction Fuzzy Hash: 413104721043059FCB20DF14D848F9BBBE9FF84354F104919F99997182DB38EA09CBA2

Function 00769B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00769B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00769C8B

Part of subcall function 00763874: GetInputState.USER32 ref: 007638CB
Part of subcall function 00763874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00763966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00769BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00769C75

Strings

*.*, xrefs: 00769B5D

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 47a5e3c764a83ae042188892ab559d2d02cead62c976f05a89e9c0df960af6c5
Instruction ID: c4051c243f947cb6d34c517dd0e654399f72c883632f1d4e5610bbcacd317711
Opcode Fuzzy Hash: 47a5e3c764a83ae042188892ab559d2d02cead62c976f05a89e9c0df960af6c5
Instruction Fuzzy Hash: 954180B194421A9FCF55DF64C989AEEBBB9EF05310F204059F906A2191EB389E84CF64

Function 0070997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00709BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00709BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00709A4E
GetSysColor.USER32(0000000F), ref: 00709B23
SetBkColor.GDI32(?,00000000), ref: 00709B36

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 8ba80c43f4d7593c57599d0c50862352191084c311dc8f2160ba130d8a684c46
Instruction ID: 8e48776cd0c3e488f3ab629538a606b2a39ef6991e10fff6a013babdafe79fba
Opcode Fuzzy Hash: 8ba80c43f4d7593c57599d0c50862352191084c311dc8f2160ba130d8a684c46
Instruction Fuzzy Hash: 92A106B0209444FEE729AA2C8C8DE7B3ADDDB86350B558319F612D69D3CB2D9D01C376

Function 00771806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0077304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0077307A
Part of subcall function 0077304E: _wcslen.LIBCMT ref: 0077309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0077185D
WSAGetLastError.WSOCK32 ref: 00771884
bind.WSOCK32(00000000,?,00000010), ref: 007718DB
WSAGetLastError.WSOCK32 ref: 007718E6
closesocket.WSOCK32(00000000), ref: 00771915

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 0030fc8364ca060fee9c9b1aa6cd0c8ec2259b2f5877ac40c0661f4cb5746f2a
Instruction ID: 24c93251120ff6210d421b816d9aa475b7c9d25fd6f9be4660c93a3b930a20f9
Opcode Fuzzy Hash: 0030fc8364ca060fee9c9b1aa6cd0c8ec2259b2f5877ac40c0661f4cb5746f2a
Instruction Fuzzy Hash: 2A51B371A402049FDB10AF24C886F3A77E6AB45728F54C45CFA095F3C3C775AD418BA5

Function 00781C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00781CC0
IsWindowEnabled.USER32 ref: 00781CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00781CDB
IsIconic.USER32 ref: 00781CE9
IsZoomed.USER32 ref: 00781CF7

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: d36ec0b42df1be5caa9c2af7ebdf803230f9ca7f3b7e549930a47de256d6d2fc
Instruction ID: 6be39a0c512a095129c42b0d68a1772c7272aec84622dc2cf20c5a0f537d8d4e
Opcode Fuzzy Hash: d36ec0b42df1be5caa9c2af7ebdf803230f9ca7f3b7e549930a47de256d6d2fc
Instruction Fuzzy Hash: 9721D6317C02015FD721AF1AC844B267BA9EF85325B598068E845CB352D779DC43CBA4

Function 006F8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 006F813C
VUUU, xrefs: 006F83FA
VUUU, xrefs: 006F843C
VUUU, xrefs: 00735DF0
VUUU, xrefs: 006F83E8

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: d5212dfbe54eda9ff058103fd65e9f3ae6f6208db9da2887de4ee4529831d01e
Instruction ID: 51d157787780522fc46dedbb13c82e8670b6a9f5551586503b4d9319a3b0b9cf
Opcode Fuzzy Hash: d5212dfbe54eda9ff058103fd65e9f3ae6f6208db9da2887de4ee4529831d01e
Instruction Fuzzy Hash: DEA25E71A0061ECFEF24CF58C8417BEB7B2BB54314F2485A9D915AB286EB749D81CB90

Function 00758298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 007582AA

Strings

tb{, xrefs: 007584F4
(, xrefs: 007582F0
|, xrefs: 007582DA

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tb{$|
API String ID: 1659193697-2424425762
Opcode ID: fc8de6ca8a1d0755a042a99b62ccd7a828b4a1ff4533c4016b65438e6c1933d5
Instruction ID: d6fd577f1fd255f5104dcd2a5b53bc4fe6395b4ed12bb0fcab4c6a4da3222669
Opcode Fuzzy Hash: fc8de6ca8a1d0755a042a99b62ccd7a828b4a1ff4533c4016b65438e6c1933d5
Instruction Fuzzy Hash: 3F323975A00605DFC768CF59C0819AAB7F0FF48710B15C56EE89AEB3A1EB74E941CB40

Function 0075AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0075AAAC
SetKeyboardState.USER32(00000080), ref: 0075AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0075AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0075AB88

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 40513e9ab12224b186063bc48017ca530ee520c7b0f134e277decbaaa81d02d2
Instruction ID: 073cd4af78875cb7496392593274f760d11e960e1b9150c215b9d2b10a660f01
Opcode Fuzzy Hash: 40513e9ab12224b186063bc48017ca530ee520c7b0f134e277decbaaa81d02d2
Instruction Fuzzy Hash: E231FCB0A40248BEFF358A64CC05BFA77A6AB44312F14433BF981565D1D3BD8989C7E6

Function 0076CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0076CE89
GetLastError.KERNEL32(?,00000000), ref: 0076CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0076CEFE

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 6a68a1169e33cd6dc2c81c3e3f4312bdadbd0d8b32a14d9bebe23cfb299b3a20
Instruction ID: f10b1a183c64d82cebf25dacf6613ded5936a87948b403cb8022de6755ef7c3d
Opcode Fuzzy Hash: 6a68a1169e33cd6dc2c81c3e3f4312bdadbd0d8b32a14d9bebe23cfb299b3a20
Instruction Fuzzy Hash: C721B0B25003059BE732DF65C948BA6B7FCEB10314F10841EEA87D2191E779EE44CB64

Function 00765C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00765CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00765D17
FindClose.KERNEL32(?), ref: 00765D5F

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: c0a0d985a55f0220481a07ddda898ed3085559bf108a8b2286543e3ec0c7ece1
Instruction ID: 0e15442345051acab69c67550e155aefb70d81de10d14f58c0d78ca5149fd965
Opcode Fuzzy Hash: c0a0d985a55f0220481a07ddda898ed3085559bf108a8b2286543e3ec0c7ece1
Instruction Fuzzy Hash: 29519974704A019FC714CF28C4D4AAAB7E4FF49324F14855EE99A8B3A2CB34ED44CBA1

Function 00722622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0072271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00722724
UnhandledExceptionFilter.KERNEL32(?), ref: 00722731

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: dd965d0c43a2e8c3b38e8de39a5cd4c3e0c208a68284a05afdaa8d03b0149d7f
Instruction ID: 5bf8273e004ac992a457038b1850a035939794ff1999e44467df463e49ee43e4
Opcode Fuzzy Hash: dd965d0c43a2e8c3b38e8de39a5cd4c3e0c208a68284a05afdaa8d03b0149d7f
Instruction Fuzzy Hash: FF31D77494122CABCB21DF68DC897DDBBB8AF08310F5081DAE41CA72A1E7749F818F45

Function 007651CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007651DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00765238
SetErrorMode.KERNEL32(00000000), ref: 007652A1

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 0d290ce92187b5c26585d97dc0fdc30ceaf6df03d638fd62ab386847d9261e85
Instruction ID: fcba2fda55c32763ccf7f9d6f138a2743949c58ebbabca00a073281fe5adad3b
Opcode Fuzzy Hash: 0d290ce92187b5c26585d97dc0fdc30ceaf6df03d638fd62ab386847d9261e85
Instruction Fuzzy Hash: D1316B75A00508DFDB00DF54D888EADBBB5FF48314F188099E905AB3A2CB35E846CBA0

Function 007516C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0070FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00710668
Part of subcall function 0070FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00710685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0075170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0075173A
GetLastError.KERNEL32 ref: 0075174A

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: d59423e9ac81de078baa67eda5f9d379a44a20b812539463a63a56afc662c30a
Instruction ID: a8acd766461cde6dd45ae41ddc78bc026ed034f7e73a709d2f7bdf15e303f7bb
Opcode Fuzzy Hash: d59423e9ac81de078baa67eda5f9d379a44a20b812539463a63a56afc662c30a
Instruction Fuzzy Hash: 411101B2500304EFD7289F64EC86EABB7F9EB44711B20852EE45653681EB78BC418B20

Function 0075D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0075D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0075D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0075D650

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 29a770467d28d94bdabb12f477136e3704aabd6347871aae580d27dcf3536e91
Instruction ID: 59044493744779d3752fbd3e751ee06c6e3aedf93ddbe045716990b4b6e02f26
Opcode Fuzzy Hash: 29a770467d28d94bdabb12f477136e3704aabd6347871aae580d27dcf3536e91
Instruction Fuzzy Hash: 36117C71E01228BBDB208F949C48FAFBBBCEB45B50F108111F904E7290C2B44A058BA1

Function 00751663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0075168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 007516A1
FreeSid.ADVAPI32(?), ref: 007516B1

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: f0b26960f140cec9e3e71c8ff22989b7be0069f58faca88d7a29588d681199e7
Instruction ID: 799be79c4c61676ae9308c147a5fd6a2315ae5f9bfd06efc2f66066beb8b12b8
Opcode Fuzzy Hash: f0b26960f140cec9e3e71c8ff22989b7be0069f58faca88d7a29588d681199e7
Instruction Fuzzy Hash: CFF04971940308FBDB00CFE09C89EAEBBBCEB04241F504460E500E2180D774AA048B64

Function 0072C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0072C36C

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 21fae46d127c0048696d68547fac73c321bd3b71d6a2253061351b77454a3c01
Instruction ID: 50035a5f0a1c7c43a984b297a5a07a5194c820441f0fd803bdac463f427bc422
Opcode Fuzzy Hash: 21fae46d127c0048696d68547fac73c321bd3b71d6a2253061351b77454a3c01
Instruction Fuzzy Hash: C3412A72500229ABCB20DFB9EC49EAF77B8EB94354F104669F905D7181E6749D818B50

Function 0074D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0074D28C

Strings

X64, xrefs: 0074D2A8

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 7537543f3e06c5d2b59ff7ae6f939fd7997e0debba408cdcac58c254a34073bc
Instruction ID: 02aa5243219dbabb5daaf2508a65863e7fc47346bd269a1ba14c2470b70157d9
Opcode Fuzzy Hash: 7537543f3e06c5d2b59ff7ae6f939fd7997e0debba408cdcac58c254a34073bc
Instruction Fuzzy Hash: 78D0C9B480111DEBCBA0CB90DC88DD9B3BCBB04345F104251F106A2140D77899488F20

Function 0071CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: a784fde2932e66391fa6593ce2eb468100691ea19348762339c60e3ae029bb85
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 48024B72E402199BDF15CFADC8806EDBBF5EF48314F25816AD819EB380D734AE418B94

Function 006FCAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#|, xrefs: 006FCF7F
Variable is not of type 'Object'., xrefs: 00740C40

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#|
API String ID: 0-140544570
Opcode ID: 116a8c93bcb21619c344646a270963424b021dd6540ffbbcf3422729e1c3909c
Instruction ID: d01eeec8b42d4c7b103de8fdc97a25af08f397a9beeb8b2638a010f7c62bb072
Opcode Fuzzy Hash: 116a8c93bcb21619c344646a270963424b021dd6540ffbbcf3422729e1c3909c
Instruction Fuzzy Hash: 55328D7090021CDFCF14DF94CA95AFDB7B6BF05314F148059EA06AB292D779AD46CBA0

Function 007668EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00766918
FindClose.KERNEL32(00000000), ref: 00766961

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c9cba707c3a41332daddbb39c39cf1122c26cdb390d59a20471d631463d5811b
Instruction ID: 946586fbf5d891cbf882aafd5d0fc2684294cb645e6391514f2d02595fb78898
Opcode Fuzzy Hash: c9cba707c3a41332daddbb39c39cf1122c26cdb390d59a20471d631463d5811b
Instruction Fuzzy Hash: AF11D0316042059FD710CF29C484A26BBE5FF84328F54C69DE86A8F2A2CB34EC05CB90

Function 007637B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00774891,?,?,00000035,?), ref: 007637E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00774891,?,?,00000035,?), ref: 007637F4

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: eaaa90872d037d478e97af73e84e713d38d6ce93225d656bb64fc7df5135b71a
Instruction ID: 46d4d1bac44366ae50372ed912194b3b33dc3458729e757cc6e1ce58dd98935c
Opcode Fuzzy Hash: eaaa90872d037d478e97af73e84e713d38d6ce93225d656bb64fc7df5135b71a
Instruction Fuzzy Hash: D0F0E5B06052296AE72017769C8DFEB3BAEEFC4761F000265F509D2281D9749904C7B4

Function 0075B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0075B25D
keybd_event.USER32(?,76C1C0D0,?,00000000), ref: 0075B270

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 3eb39bee4975ec1909556d39160a227f9a57ee218eb47d90af6b2538227a0715
Instruction ID: dbe7bb4b0b8816c845003aed18cff498e1e8ceec8dd7106588717e00d8123309
Opcode Fuzzy Hash: 3eb39bee4975ec1909556d39160a227f9a57ee218eb47d90af6b2538227a0715
Instruction Fuzzy Hash: CAF01D7184428DABDF059FA0C805BFE7BB4FF08305F10C009F955A5191C77D86159FA4

Function 007510BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007511FC), ref: 007510D4
CloseHandle.KERNEL32(?,?,007511FC), ref: 007510E9

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: b9d32ef546ec2b8b704af9b373f2045c882265fa48a583edfd3660c2cdabdaa4
Instruction ID: 52a08e18ee6b74f55ae8786dd88e28ddb965372eeb77f812890c4c6af4894243
Opcode Fuzzy Hash: b9d32ef546ec2b8b704af9b373f2045c882265fa48a583edfd3660c2cdabdaa4
Instruction Fuzzy Hash: 8AE04F32004600EEE7262B61FC09E7377E9EB04311B20C92DF4A5808F1DB76AC90DB64

Function 0072676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00726766,?,?,00000008,?,?,0072FEFE,00000000), ref: 00726998

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 2905eec165dfff64997dd97ff0de311c23e2a9d5816b9a15c4bf76501c82d1d6
Instruction ID: 91d3b1df60aad6147dc9de3d94ed8f0737ddaffeebbe5b29866f539f06fed5d8
Opcode Fuzzy Hash: 2905eec165dfff64997dd97ff0de311c23e2a9d5816b9a15c4bf76501c82d1d6
Instruction Fuzzy Hash: 51B148316106189FD719CF28D48AB657BA0FF05364F25C69AE8D9CF2A2C739E981CB40

Function 0070B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0074851F

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 9e3c7c6e11921ca34d6ae5860b379845dad78f4eed114fb801859351fa38e6de
Instruction ID: 5e88f9de49730de69faf2a7de7a68e0142094b836f3f58ece2115c2b80dc3968
Opcode Fuzzy Hash: 9e3c7c6e11921ca34d6ae5860b379845dad78f4eed114fb801859351fa38e6de
Instruction Fuzzy Hash: 8A124071900229DFDB54CF58C881AEEB7F5FF48710F14819AE849EB295DB389E81CB91

Function 0076EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0076EABD

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: f95f11fd11d90becfa6e7ed1c822834d2b5decadc272e625332b7645e5169d67
Instruction ID: a05868667fbddac56f579678e69aee6dd9d0fa2de95856abc2dd87c5a49d911e
Opcode Fuzzy Hash: f95f11fd11d90becfa6e7ed1c822834d2b5decadc272e625332b7645e5169d67
Instruction Fuzzy Hash: 2AE04F352002089FC710EF99D844EAAF7EAAF98770F10C42AFD4AC7351DB74E8408BA4

Function 007109D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,007103EE), ref: 007109DA

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 497e48832632899f06585627cf79dbf50c98f76b5e9902b9452f4e19d5cac428
Instruction ID: 904296e70eab61751267da4243684bd7227597b102c653e16a97a5edd82e2cdf
Opcode Fuzzy Hash: 497e48832632899f06585627cf79dbf50c98f76b5e9902b9452f4e19d5cac428
Instruction Fuzzy Hash:

Function 0071781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0071798B

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 5b141596717b04cbeca30450a2fb426da03f5e764549d8829c8621b5e6f8cda2
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: DE515AB160C7459BDB3C456C889E7FE63B99B12340F180509E882DB2C2C61DEECAD356

Function 00762046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&|, xrefs: 00762053

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID: 0&|
API String ID: 0-1095205553
Opcode ID: 84dbe7e1acdd3b8362112475fe2ca0a8550df4907b7eff91fae41d2abaa92318
Instruction ID: 4c39fa1226f2f874897c7de784906fef8e5a90cde67c5f74a5baf4926ed8c6d1
Opcode Fuzzy Hash: 84dbe7e1acdd3b8362112475fe2ca0a8550df4907b7eff91fae41d2abaa92318
Instruction Fuzzy Hash: 3621D5322206158BD728CF79C82267A73E5A754310F14862EE4A7D37D1DE3EA905CB94

Function 00726DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 067eee942d04fbce1f5fcfb2c44beb9201b80a07337c43c1a36f222c5916e57d
Instruction ID: 1eec1fa6f4d6a65e187051957936a749c5ffa8745bf7c3b02ea72e8ba241647d
Opcode Fuzzy Hash: 067eee942d04fbce1f5fcfb2c44beb9201b80a07337c43c1a36f222c5916e57d
Instruction Fuzzy Hash: E3325721D29F514DD727A635ED62335A289AFB73C5F15C337F81AB59AAEB2CC4838100

Function 0070CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a6f28e58858fe4bced97187e8df461b60da526c961d31a20f6aab28edfd508f
Instruction ID: ade38043bbb61fe05644ea87c892396dea8e9e2b81539dd518de3ce22f549491
Opcode Fuzzy Hash: 5a6f28e58858fe4bced97187e8df461b60da526c961d31a20f6aab28edfd508f
Instruction Fuzzy Hash: AB322431B02115CBEF6ACF28C4D067E77E1EB45304F29866AD44A9B292E73CDD81DB61

Function 006F7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6e1e302398ff3bc432cb9c8b484247d55fe014ee346491586440abb66f49560
Instruction ID: e4fd4e029b0f3187815befbf3a6d5e5e239febc050153fd63d8e0676303c0ae9
Opcode Fuzzy Hash: b6e1e302398ff3bc432cb9c8b484247d55fe014ee346491586440abb66f49560
Instruction Fuzzy Hash: 6F2290B0A04609DFDF14CFA4C881AFEB7F6FF44300F144629E916A7291EB39A955CB54

Function 006F91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 769eee3102322401e9c4cee68284ce7a8cccb82ec0b9b9f68b4f8c9bad7562c3
Instruction ID: 05b66eafda1619f997a29fe017104e8dc38ecaac20a5c0664cc4bea33bd06559
Opcode Fuzzy Hash: 769eee3102322401e9c4cee68284ce7a8cccb82ec0b9b9f68b4f8c9bad7562c3
Instruction Fuzzy Hash: EE02B4B1A00209EBDF14DF64D881BAEB7B2FF44300F118169E9169B3D1EB35AE51CB95

Function 00729EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7076f3f756463febdcdbf3319e23dfdb81d6062cb862dacc51a5fe1237f01de6
Instruction ID: 77a2de8879f3c632e4e8d010829035629ec0413e7c1c46c3d7765211db2467ff
Opcode Fuzzy Hash: 7076f3f756463febdcdbf3319e23dfdb81d6062cb862dacc51a5fe1237f01de6
Instruction Fuzzy Hash: 4AB12320D6AF505DD72396398831336B65CAFBB6D5F91D31BFC2A74D22EB2686834140

Function 00711C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 87558c01b2c2096b0eaa61ed1fe254848871f534a2894b163aa6ec7fb4fd5f27
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 6F91AA722080E34ADB2D467E94340BEFFE15A923A235A079DD5F2CF1C5FE18D998D620

Function 007119B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 32f8ddb0aa0125807037b8225808e58753f24e5817b7bdbea925e78d1cb81e86
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: D591A37220D0E34ADB2D427E84740BDFFE15A923A135A479ED5F2CE1C1FD28D5A4D620

Function 00717A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40f2d8fb9554034da7b57cab2a4b76432bcf956f5bc44325fa079945c87bc2a2
Instruction ID: 65a1f723822b0c915a2c774eb89ee040b6101187353bd43d5ee6017fcdd77e7d
Opcode Fuzzy Hash: 40f2d8fb9554034da7b57cab2a4b76432bcf956f5bc44325fa079945c87bc2a2
Instruction Fuzzy Hash: 9E6118B160C74996DB3C5A2C8995BFE63B9DF41700F244919E842DB2C1DB1DDEC2C396

Function 00717CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 155914fd3cfd53e57316b3c98b5c6d2af9e174612cc4bb90497549baed847948
Instruction ID: ee5e4d417bb9930c0e04b40094fd9cb68a10fac1bb928fd1240112bc2e06386a
Opcode Fuzzy Hash: 155914fd3cfd53e57316b3c98b5c6d2af9e174612cc4bb90497549baed847948
Instruction Fuzzy Hash: A461467130C60D96DB3C4A2C6896BFE23F49F42704F104959E9C2DB2C1DA1EEDC6C256

Function 00711706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 74e2377194124575f37d05107b23843174a73c9973cd779d81f9868402ac1a52
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 118163726090E30DDB6D823E85344BEFFE15A923B135A479DD5F2CE1C1EE289694E620

Function 00772ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00772B30
DeleteObject.GDI32(00000000), ref: 00772B43
DestroyWindow.USER32 ref: 00772B52
GetDesktopWindow.USER32 ref: 00772B6D
GetWindowRect.USER32(00000000), ref: 00772B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00772CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00772CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00772CF8
GetClientRect.USER32(00000000,?), ref: 00772D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00772D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00772D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00772D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00772D80
GlobalLock.KERNEL32(00000000), ref: 00772D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00772D98
GlobalUnlock.KERNEL32(00000000), ref: 00772DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00772DA8
GlobalFree.KERNEL32(00000000), ref: 00772DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00772DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0078FC38,00000000), ref: 00772DDB
GlobalFree.KERNEL32(00000000), ref: 00772DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00772E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00772E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00772E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0077303F

Strings

static, xrefs: 00772D3A, 00772E91
DISPLAY, xrefs: 00772EA2
AutoIt v3, xrefs: 00772CF2
, xrefs: 00772FC5

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: b7d0cd24f97609c75debcaf556f8dcf92568cedd2072246cd28b13e724f6a2fa
Instruction ID: 9824b90020045b80b193656a953e2cb58b8aaee30b6222d37baaccd9ed0afbe5
Opcode Fuzzy Hash: b7d0cd24f97609c75debcaf556f8dcf92568cedd2072246cd28b13e724f6a2fa
Instruction Fuzzy Hash: 39027F71900208AFDB15DF64CC89EAE7BB9FF49350F108158F915AB2A1DB78ED01CB64

Function 007870D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0078712F
GetSysColorBrush.USER32(0000000F), ref: 00787160
GetSysColor.USER32(0000000F), ref: 0078716C
SetBkColor.GDI32(?,000000FF), ref: 00787186
SelectObject.GDI32(?,?), ref: 00787195
InflateRect.USER32(?,000000FF,000000FF), ref: 007871C0
GetSysColor.USER32(00000010), ref: 007871C8
CreateSolidBrush.GDI32(00000000), ref: 007871CF
FrameRect.USER32(?,?,00000000), ref: 007871DE
DeleteObject.GDI32(00000000), ref: 007871E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00787230
FillRect.USER32(?,?,?), ref: 00787262
GetWindowLongW.USER32(?,000000F0), ref: 00787284

Part of subcall function 007873E8: GetSysColor.USER32(00000012), ref: 00787421
Part of subcall function 007873E8: SetTextColor.GDI32(?,?), ref: 00787425
Part of subcall function 007873E8: GetSysColorBrush.USER32(0000000F), ref: 0078743B
Part of subcall function 007873E8: GetSysColor.USER32(0000000F), ref: 00787446
Part of subcall function 007873E8: GetSysColor.USER32(00000011), ref: 00787463
Part of subcall function 007873E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00787471
Part of subcall function 007873E8: SelectObject.GDI32(?,00000000), ref: 00787482
Part of subcall function 007873E8: SetBkColor.GDI32(?,00000000), ref: 0078748B
Part of subcall function 007873E8: SelectObject.GDI32(?,?), ref: 00787498
Part of subcall function 007873E8: InflateRect.USER32(?,000000FF,000000FF), ref: 007874B7
Part of subcall function 007873E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007874CE
Part of subcall function 007873E8: GetWindowLongW.USER32(00000000,000000F0), ref: 007874DB

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 9eec641af010bceb455124d65a5d9cbf00a282142d2c18ace65e603ea1d4f4e3
Instruction ID: be51df0df916fac22941e5d8dbaba171575a269cf26cf59f90d650a01ab8c321
Opcode Fuzzy Hash: 9eec641af010bceb455124d65a5d9cbf00a282142d2c18ace65e603ea1d4f4e3
Instruction Fuzzy Hash: 64A1B072448305EFDB06AF60DC48E5B7BA9FF89320F304A19F962961E1D738E944CB65

Function 00708D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00708E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00746AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00746AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00746F43

Part of subcall function 00708F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00708BE8,?,00000000,?,?,?,?,00708BBA,00000000,?), ref: 00708FC5

SendMessageW.USER32(?,00001053), ref: 00746F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00746F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00746FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00746FB7

Strings

0, xrefs: 00746DCF

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 6a1a028eb8594c5e491d902a64a5ea05d3a773e381ce138322e43b35f5413181
Instruction ID: 3a69abcf036d06a0250c2a0ddf2bce76566739300c814011aa9d292105663c80
Opcode Fuzzy Hash: 6a1a028eb8594c5e491d902a64a5ea05d3a773e381ce138322e43b35f5413181
Instruction Fuzzy Hash: AB12BE70600251DFDB25CF24C888BA5B7E1FB46300F6485A9F5958B2A2CB39EC51DFA6

Function 00772711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0077273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0077286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 007728A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 007728B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00772900
GetClientRect.USER32(00000000,?), ref: 0077290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00772955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00772964
GetStockObject.GDI32(00000011), ref: 00772974
SelectObject.GDI32(00000000,00000000), ref: 00772978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00772988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00772991
DeleteDC.GDI32(00000000), ref: 0077299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007729C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 007729DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00772A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00772A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00772A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00772A77
GetStockObject.GDI32(00000011), ref: 00772A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00772A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00772A97

Strings

static, xrefs: 0077294F, 00772A71
DISPLAY, xrefs: 0077295A
AutoIt v3, xrefs: 007728F8
msctls_progress32, xrefs: 00772A13

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 264b1dc13d571fb2cd0368f794fa311372746b61eeaf7c10ca134f39ab7f10f5
Instruction ID: f69cf8864e50b11d122cc1b7fd95fdc7d8b10526f20625587284271bb31ee8c3
Opcode Fuzzy Hash: 264b1dc13d571fb2cd0368f794fa311372746b61eeaf7c10ca134f39ab7f10f5
Instruction Fuzzy Hash: 5CB162B1A40209AFDB14DF68CD89FAE7BB9EB05714F108118FA15E7291D778ED40CBA4

Function 00764ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00764AED
GetDriveTypeW.KERNEL32(?,0078CB68,?,\\.\,0078CC08), ref: 00764BCA
SetErrorMode.KERNEL32(00000000,0078CB68,?,\\.\,0078CC08), ref: 00764D36

Strings

SAS, xrefs: 00764CC9
1394, xrefs: 00764C9F
\\.\, xrefs: 00764B3F
USB, xrefs: 00764CB4
Fibre, xrefs: 00764CAD
Virtual, xrefs: 00764CE5
SCSI, xrefs: 00764C8A
CDROM, xrefs: 00764BFB
ATA, xrefs: 00764C98
SSD, xrefs: 00764C4A
iSCSI, xrefs: 00764CC2
SATA, xrefs: 00764CD0
MMC, xrefs: 00764CDE
Network, xrefs: 00764C02
RAID, xrefs: 00764CBB
FileBackedVirtual, xrefs: 00764CEC
Fixed, xrefs: 00764C09
Removable, xrefs: 00764C10, 00764C15
Unknown, xrefs: 00764BED, 00764C83
SSA, xrefs: 00764CA6
ATAPI, xrefs: 00764C91
RAMDisk, xrefs: 00764BF4
PhysicalDrive, xrefs: 00764B76

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 530c3b80d751626368767e08cf3d8714f62f674684b045b3fdec0fe3a239177a
Instruction ID: a62570f7710f179d1cceceb6059f88aa7dc41c348914373f1142afbdd155e3f9
Opcode Fuzzy Hash: 530c3b80d751626368767e08cf3d8714f62f674684b045b3fdec0fe3a239177a
Instruction Fuzzy Hash: F261D0B070510ADBCB54DF28CA91AB97BB1AF04340B288419FE07AB791DB3DED41DB65

Function 007873E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00787421
SetTextColor.GDI32(?,?), ref: 00787425
GetSysColorBrush.USER32(0000000F), ref: 0078743B
GetSysColor.USER32(0000000F), ref: 00787446
CreateSolidBrush.GDI32(?), ref: 0078744B
GetSysColor.USER32(00000011), ref: 00787463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00787471
SelectObject.GDI32(?,00000000), ref: 00787482
SetBkColor.GDI32(?,00000000), ref: 0078748B
SelectObject.GDI32(?,?), ref: 00787498
InflateRect.USER32(?,000000FF,000000FF), ref: 007874B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007874CE
GetWindowLongW.USER32(00000000,000000F0), ref: 007874DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0078752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00787554
InflateRect.USER32(?,000000FD,000000FD), ref: 00787572
DrawFocusRect.USER32(?,?), ref: 0078757D
GetSysColor.USER32(00000011), ref: 0078758E
SetTextColor.GDI32(?,00000000), ref: 00787596
DrawTextW.USER32(?,007870F5,000000FF,?,00000000), ref: 007875A8
SelectObject.GDI32(?,?), ref: 007875BF
DeleteObject.GDI32(?), ref: 007875CA
SelectObject.GDI32(?,?), ref: 007875D0
DeleteObject.GDI32(?), ref: 007875D5
SetTextColor.GDI32(?,?), ref: 007875DB
SetBkColor.GDI32(?,?), ref: 007875E5

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 83fd8d42ab1c99d14ae03f2b0e732f1cd52eeab46bfd900395fafa10548168fb
Instruction ID: adfaaa96afbffe21092051664207bd97fd9462e8cfa7c4d1402bbb678355ad41
Opcode Fuzzy Hash: 83fd8d42ab1c99d14ae03f2b0e732f1cd52eeab46bfd900395fafa10548168fb
Instruction Fuzzy Hash: 46616E72D40218EFDF059FA4DC49EAE7FB9EB08320F218115F915AB2A1D7789940CBA4

Function 00780FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00781128
GetDesktopWindow.USER32 ref: 0078113D
GetWindowRect.USER32(00000000), ref: 00781144
GetWindowLongW.USER32(?,000000F0), ref: 00781199
DestroyWindow.USER32(?), ref: 007811B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007811ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0078120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0078121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00781232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00781245
IsWindowVisible.USER32(00000000), ref: 007812A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 007812BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 007812D0
GetWindowRect.USER32(00000000,?), ref: 007812E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0078130E
GetMonitorInfoW.USER32(00000000,?), ref: 00781328
CopyRect.USER32(?,?), ref: 0078133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 007813AA

Strings

0, xrefs: 007810D3
tooltips_class32, xrefs: 007811E6
(, xrefs: 0078131B

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: fba2226dea6a22a820fe746667c154aeb9dce281b8096017e8cbf36109f98e6f
Instruction ID: 79626eb9fc2be9dfa5b28fe78f6882f9fe7d669834b0b3b5555e9b4b177cb5f9
Opcode Fuzzy Hash: fba2226dea6a22a820fe746667c154aeb9dce281b8096017e8cbf36109f98e6f
Instruction Fuzzy Hash: 95B1BE71644341AFD700EF64C888B6BBBE9FF84310F40891CF9999B2A1D735E845CBA6

Function 00780241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007802E5
_wcslen.LIBCMT ref: 0078031F
_wcslen.LIBCMT ref: 00780389
_wcslen.LIBCMT ref: 007803F1
_wcslen.LIBCMT ref: 00780475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 007804C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00780504

Part of subcall function 0070F9F2: _wcslen.LIBCMT ref: 0070F9FD

Part of subcall function 0075223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00752258
Part of subcall function 0075223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0075228A

Strings

SELECTINVERT, xrefs: 0078057E
SELECTCLEAR, xrefs: 0078052D
DESELECT, xrefs: 0078059C
VIEWCHANGE, xrefs: 00780675
GETSUBITEMCOUNT, xrefs: 00780384, 0078039F
FINDITEM, xrefs: 00780627
GETITEMCOUNT, xrefs: 00780316, 00780337
GETTEXT, xrefs: 007803EC, 00780407
GETSELECTEDCOUNT, xrefs: 00780470, 0078048B
SELECT, xrefs: 00780548
SELECTALL, xrefs: 00780515
GETSELECTED, xrefs: 007805E1
ISSELECTED, xrefs: 007804DD

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: b709556fd7626ef85f706d20f956111bf6bde9bf4ca13cb14367d33e8c12db72
Instruction ID: 375a1c974579522526d7313c22976976441856aedc5d297619bb8263621b5f63
Opcode Fuzzy Hash: b709556fd7626ef85f706d20f956111bf6bde9bf4ca13cb14367d33e8c12db72
Instruction Fuzzy Hash: 84E1DD312482018FC794EF24C45197AB7E6BFC9314B144A6CF8969B6A2DB38ED49CB91

Function 00708891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00708968
GetSystemMetrics.USER32(00000007), ref: 00708970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0070899B
GetSystemMetrics.USER32(00000008), ref: 007089A3
GetSystemMetrics.USER32(00000004), ref: 007089C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 007089E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 007089F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00708A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00708A3C
GetClientRect.USER32(00000000,000000FF), ref: 00708A5A
GetStockObject.GDI32(00000011), ref: 00708A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00708A81

Part of subcall function 0070912D: GetCursorPos.USER32(?), ref: 00709141
Part of subcall function 0070912D: ScreenToClient.USER32(00000000,?), ref: 0070915E
Part of subcall function 0070912D: GetAsyncKeyState.USER32(00000001), ref: 00709183
Part of subcall function 0070912D: GetAsyncKeyState.USER32(00000002), ref: 0070919D

SetTimer.USER32(00000000,00000000,00000028,007090FC), ref: 00708AA8

Strings

AutoIt v3 GUI, xrefs: 00708A20

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 715c597f980aef09f9a0ad9c3994cf66c390be2eae56f5b67324d7ae885ef6fc
Instruction ID: 6401232ba5d88105b64214e7f1864ceb24a29ed022e6ed79716bb170fe3721d1
Opcode Fuzzy Hash: 715c597f980aef09f9a0ad9c3994cf66c390be2eae56f5b67324d7ae885ef6fc
Instruction Fuzzy Hash: 58B16D71A40209DFDF15DF68CC49BAA3BB5FB49314F218229FA15A72D0DB38E840CB55

Function 00750D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007510F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00751114
Part of subcall function 007510F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00750B9B,?,?,?), ref: 00751120
Part of subcall function 007510F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00750B9B,?,?,?), ref: 0075112F
Part of subcall function 007510F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00750B9B,?,?,?), ref: 00751136
Part of subcall function 007510F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0075114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00750DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00750E29
GetLengthSid.ADVAPI32(?), ref: 00750E40
GetAce.ADVAPI32(?,00000000,?), ref: 00750E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00750E96
GetLengthSid.ADVAPI32(?), ref: 00750EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00750EB5
HeapAlloc.KERNEL32(00000000), ref: 00750EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00750EDD
CopySid.ADVAPI32(00000000), ref: 00750EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00750F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00750F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00750F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00750F6E
HeapFree.KERNEL32(00000000), ref: 00750F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00750F7E
HeapFree.KERNEL32(00000000), ref: 00750F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00750F8E
HeapFree.KERNEL32(00000000), ref: 00750F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00750FA1
HeapFree.KERNEL32(00000000), ref: 00750FA8

Part of subcall function 00751193: GetProcessHeap.KERNEL32(00000008,00750BB1,?,00000000,?,00750BB1,?), ref: 007511A1
Part of subcall function 00751193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00750BB1,?), ref: 007511A8
Part of subcall function 00751193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00750BB1,?), ref: 007511B7

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 09958bc268ad3cb8aa8ecc5bf7908215b84524ac4d73ba186bb3123e33dd18e7
Instruction ID: 44b0ab8088c148651034bb9230fdaba50a5687ef42b6c60e8b2d76fcce29ceb6
Opcode Fuzzy Hash: 09958bc268ad3cb8aa8ecc5bf7908215b84524ac4d73ba186bb3123e33dd18e7
Instruction Fuzzy Hash: B6715E7190020AEBDF219FA4DC49FEEBBB8BF04741F148115F919E6191D7799A09CBB0

Function 0077C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0077C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0078CC08,00000000,?,00000000,?,?), ref: 0077C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0077C5A4
_wcslen.LIBCMT ref: 0077C5F4
_wcslen.LIBCMT ref: 0077C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0077C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0077C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0077C84D
RegCloseKey.ADVAPI32(?), ref: 0077C881
RegCloseKey.ADVAPI32(00000000), ref: 0077C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0077C960

Strings

REG_EXPAND_SZ, xrefs: 0077C5CD
REG_DWORD, xrefs: 0077C804
REG_SZ, xrefs: 0077C644
REG_QWORD, xrefs: 0077C8C3
REG_MULTI_SZ, xrefs: 0077C6F5
REG_BINARY, xrefs: 0077C913

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 276850313b5a08cf26971280ee63581e009812b73c62eed35e663e63277378fd
Instruction ID: d3ebae17e31971fdb62de6e80e078127e1119c216cd7e198d37a33d29927448a
Opcode Fuzzy Hash: 276850313b5a08cf26971280ee63581e009812b73c62eed35e663e63277378fd
Instruction Fuzzy Hash: 8F1267352042019FDB15DF24C881A2AB7E6EF88754F14C89CF98A9B3A2DB35FD45CB85

Function 0078091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007809C6
_wcslen.LIBCMT ref: 00780A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00780A54
_wcslen.LIBCMT ref: 00780A8A
_wcslen.LIBCMT ref: 00780B06
_wcslen.LIBCMT ref: 00780B81

Part of subcall function 0070F9F2: _wcslen.LIBCMT ref: 0070F9FD

Part of subcall function 00752BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00752BFA

Strings

GETTOTALCOUNT, xrefs: 007809F2, 00780A17
GETTEXT, xrefs: 00780C97
SELECT, xrefs: 00780D11
EXISTS, xrefs: 00780B7C, 00780B97
EXPAND, xrefs: 00780BF8
GETSELECTED, xrefs: 00780C4E
COLLAPSE, xrefs: 00780B01, 00780B1C
UNCHECK, xrefs: 00780D3E
ISCHECKED, xrefs: 00780CE1
CHECK, xrefs: 00780A85, 00780AA0
GETITEMCOUNT, xrefs: 00780C1E

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 20eaf88e0eec19585bb09baef393912ae022ed87ffb1e88d25e0b56af66ec69a
Instruction ID: 73ba9d24a6f8112ca6db4ce58ee19e109a2adb95051309455ef39aef8cf1e298
Opcode Fuzzy Hash: 20eaf88e0eec19585bb09baef393912ae022ed87ffb1e88d25e0b56af66ec69a
Instruction Fuzzy Hash: FCE1AC71248301CFC758EF24C45096AB7E2BF98314F14895CF8969B3A2DB38ED49CB92

Function 0077C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0077B6AE,?,?), ref: 0077C9B5
_wcslen.LIBCMT ref: 0077C9F1
_wcslen.LIBCMT ref: 0077CA68
_wcslen.LIBCMT ref: 0077CA9E
_wcslen.LIBCMT ref: 0077CAF9
_wcslen.LIBCMT ref: 0077CB2F
_wcslen.LIBCMT ref: 0077CB7F

Strings

HKEY_CURRENT_USER, xrefs: 0077CBBD
HKEY_LOCAL_MACHINE, xrefs: 0077CA62, 0077CA67
HKU, xrefs: 0077CBF0
HKEY_CURRENT_CONFIG, xrefs: 0077CB79, 0077CB7E
HKEY_USERS, xrefs: 0077CBDF
HKLM, xrefs: 0077CA98, 0077CA9D
HKCC, xrefs: 0077CBAC
HKEY_CLASSES_ROOT, xrefs: 0077CAF3, 0077CAF8
HKCU, xrefs: 0077CBCE
HKCR, xrefs: 0077CB29, 0077CB2E

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 26faa52ef5fd53481696ddb05aecb6fe4ed3bbced7cb683a4e3cc6cb2e7a0e5f
Instruction ID: 48b1a3a6888d44cdb3ae678f1c3b1a63f02e1639d89a5fb6e7e8c7355bde553b
Opcode Fuzzy Hash: 26faa52ef5fd53481696ddb05aecb6fe4ed3bbced7cb683a4e3cc6cb2e7a0e5f
Instruction Fuzzy Hash: B271E67260016A8BCF22DE7CCD416FA33919BA87D4B25C52CF85DA7294EA3DDD44C3A0

Function 0078833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0078835A
_wcslen.LIBCMT ref: 0078836E
_wcslen.LIBCMT ref: 00788391
_wcslen.LIBCMT ref: 007883B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 007883F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00785BF2), ref: 0078844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00788487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 007884CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00788501
FreeLibrary.KERNEL32(?), ref: 0078850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0078851D
DestroyIcon.USER32(?,?,?,?,?,00785BF2), ref: 0078852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00788549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00788555

Strings

.exe, xrefs: 00788388
.icl, xrefs: 00788368
.dll, xrefs: 007883AB

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 6b412e0254c9c2ba2627ba600f2472ba604e526f5d74ca266c39eeb1aa9cfcd7
Instruction ID: cba729cb586143a4dcae90faa06fe8ee46b06703b14b4d7ea96f9ecf7ff498b5
Opcode Fuzzy Hash: 6b412e0254c9c2ba2627ba600f2472ba604e526f5d74ca266c39eeb1aa9cfcd7
Instruction Fuzzy Hash: 8761D172580219FAEB14EF64CC45BFE77A8BF04721F608509F915E60D1DB78A990C7A0

Function 006F7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#cs, xrefs: 006F7873, 006F78C5
#comments-end, xrefs: 006F78D9
Bad directive syntax error, xrefs: 0073519A
", xrefs: 00735153
', xrefs: 00735169
#pragma compile, xrefs: 006F77D3
#ce, xrefs: 006F78ED
Unterminated group of comments, xrefs: 0073528C
#requireadmin, xrefs: 006F77FF
#OnAutoItStartRegister, xrefs: 006F7817
#include, xrefs: 006F7847
#comments-start, xrefs: 006F785F, 006F78B1
#include-once, xrefs: 006F782F
Cannot parse #include, xrefs: 00735279
#notrayicon, xrefs: 006F77E7

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: ed9c9ae0b731e5dc62000146fc97837c1ce9b5d19015a8c1a1648ccde133a6bc
Instruction ID: c6229d0b700f9a94923fc7205740f3bf559b54c57198078aee75d17d1967ef05
Opcode Fuzzy Hash: ed9c9ae0b731e5dc62000146fc97837c1ce9b5d19015a8c1a1648ccde133a6bc
Instruction Fuzzy Hash: 1B81F6B1644609FBEB21BF64CC46FFE77AAAF15300F044024FA04AA1D6EB78D955C7A1

Function 00763E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00763EF8
_wcslen.LIBCMT ref: 00763F03
_wcslen.LIBCMT ref: 00763F5A
_wcslen.LIBCMT ref: 00763F98
GetDriveTypeW.KERNEL32(?), ref: 00763FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0076401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00764059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00764087

Strings

set cd door , xrefs: 00764028
close cd wait, xrefs: 00764072
close, xrefs: 00763EFE, 00763F18
wait, xrefs: 00764044
open, xrefs: 00763F54, 00763F59
open , xrefs: 00763FE5
type cdaudio alias cd wait, xrefs: 00764001
closed, xrefs: 00763F08, 00763F2D, 00763F46, 00763F7E, 00763F97

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 3cbd617b2ff9051a8ff7b1ceb22c6d6df0a5ee297bf172bc9799fa6c13f34208
Instruction ID: a2d7883c05ab1d7f271356490f4627562f4e175b7b5a08a8872abaec26b05bfd
Opcode Fuzzy Hash: 3cbd617b2ff9051a8ff7b1ceb22c6d6df0a5ee297bf172bc9799fa6c13f34208
Instruction Fuzzy Hash: 987124726042169FC310EF24C8809BBB7F5EF94754F10492DFA9693291EB38ED45CB51

Function 00755A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00755A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00755A40
SetWindowTextW.USER32(?,?), ref: 00755A57
GetDlgItem.USER32(?,000003EA), ref: 00755A6C
SetWindowTextW.USER32(00000000,?), ref: 00755A72
GetDlgItem.USER32(?,000003E9), ref: 00755A82
SetWindowTextW.USER32(00000000,?), ref: 00755A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00755AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00755AC3
GetWindowRect.USER32(?,?), ref: 00755ACC
_wcslen.LIBCMT ref: 00755B33
SetWindowTextW.USER32(?,?), ref: 00755B6F
GetDesktopWindow.USER32 ref: 00755B75
GetWindowRect.USER32(00000000), ref: 00755B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00755BD3
GetClientRect.USER32(?,?), ref: 00755BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00755C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00755C2F

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 7f3484598fe8607e13042e80e4a55a6bbd374854c4a649561542f8f5adf5162b
Instruction ID: 3a96d082bc561c26d955753d6f09b825a9918f901eeb439f8b73c5875247ac95
Opcode Fuzzy Hash: 7f3484598fe8607e13042e80e4a55a6bbd374854c4a649561542f8f5adf5162b
Instruction Fuzzy Hash: 8371A271A00B05DFDB21DFA8CD59BAEBBF5FF48705F104518E542A25A0D7B8E904CB60

Function 0076FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0076FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0076FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0076FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0076FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0076FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0076FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0076FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0076FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0076FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0076FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0076FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0076FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0076FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0076FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0076FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0076FECC
GetCursorInfo.USER32(?), ref: 0076FEDC
GetLastError.KERNEL32 ref: 0076FF1E

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: fc72c8e21f8080ce7cec6e5b28b0bb923723177a9509ab0d0e6607f37d34cf81
Instruction ID: f79cb431d93f6fe3879e79bdba3deffdea568ad6f0aa986026fd1b6ef19c1c22
Opcode Fuzzy Hash: fc72c8e21f8080ce7cec6e5b28b0bb923723177a9509ab0d0e6607f37d34cf81
Instruction Fuzzy Hash: 244153B0D443196ADB109FBA9C8585EBFE8FF04354B50452AE519E7281DB7899018F91

Function 007530F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0075318D
_wcslen.LIBCMT ref: 007531F8

Strings

INSTANCE, xrefs: 00753453
[{, xrefs: 0075339A
REGEXPCLASS, xrefs: 00753255, 00753266
CLASS, xrefs: 00753188, 007531A5
CLASSNN, xrefs: 007531F3, 00753204
TEXT, xrefs: 0075347C
NAME, xrefs: 00753335, 00753346

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[{
API String ID: 176396367-669646794
Opcode ID: 9ae6060e64349fff247518dbdba72be8148d856ed597807c8dd0f333e6cb176c
Instruction ID: 4852e6b19362d05293c4e77bc153c8206258e10b0ffbb7b7cc225fb0a57bae5d
Opcode Fuzzy Hash: 9ae6060e64349fff247518dbdba72be8148d856ed597807c8dd0f333e6cb176c
Instruction Fuzzy Hash: A7E1F932A00516EBCB149F78C4517FEFBB1BF04791F548129E856E7260DBB8AE8D8790

Function 007100C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 007100C6

Part of subcall function 007100ED: InitializeCriticalSectionAndSpinCount.KERNEL32(007C070C,00000FA0,22999B24,?,?,?,?,007323B3,000000FF), ref: 0071011C
Part of subcall function 007100ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,007323B3,000000FF), ref: 00710127
Part of subcall function 007100ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,007323B3,000000FF), ref: 00710138
Part of subcall function 007100ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0071014E
Part of subcall function 007100ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0071015C
Part of subcall function 007100ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0071016A
Part of subcall function 007100ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00710195
Part of subcall function 007100ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 007101A0

___scrt_fastfail.LIBCMT ref: 007100E7

Part of subcall function 007100A3: __onexit.LIBCMT ref: 007100A9

Strings

kernel32.dll, xrefs: 00710133
SleepConditionVariableCS, xrefs: 00710154
InitializeConditionVariable, xrefs: 00710148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00710122
WakeAllConditionVariable, xrefs: 00710162

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: eee71713bd19dbb1a8c87b44e9be1979cf6aaa35df2df00320e45628780fa942
Instruction ID: e66e1c273826ffa72c42a0f7e1840a10cf95471ea7ff20e14ee962c3d4cbaa17
Opcode Fuzzy Hash: eee71713bd19dbb1a8c87b44e9be1979cf6aaa35df2df00320e45628780fa942
Instruction Fuzzy Hash: FA21C8B2A84714EBD7116B78AC4DB9D3394EB04F51F108129F901E26D1DABC98808BE4

Function 007644C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0078CC08), ref: 00764527
_wcslen.LIBCMT ref: 0076453B
_wcslen.LIBCMT ref: 00764599
_wcslen.LIBCMT ref: 007645F4
_wcslen.LIBCMT ref: 0076463F
_wcslen.LIBCMT ref: 007646A7

Part of subcall function 0070F9F2: _wcslen.LIBCMT ref: 0070F9FD

GetDriveTypeW.KERNEL32(?,007B6BF0,00000061), ref: 00764743

Strings

cdrom, xrefs: 0076458F, 00764594
ramdisk, xrefs: 007646F1
network, xrefs: 0076469D, 007646A2
removable, xrefs: 007645EA, 007645EF
fixed, xrefs: 00764635, 0076463A
unknown, xrefs: 00764708
all, xrefs: 00764531, 00764536

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 7495e85859b1ead8de7cdb2a6b1d2b0feb18b9d3cefa75c9cb7e2a29eab00119
Instruction ID: 8b9ce1a1ecece5846fc3a31751f9e6f51c645ee377d4b3d00df8b8afa5776fb4
Opcode Fuzzy Hash: 7495e85859b1ead8de7cdb2a6b1d2b0feb18b9d3cefa75c9cb7e2a29eab00119
Instruction Fuzzy Hash: E6B1CF716083029FC714DF28C890A7AB7E5BFA5760F50491DF997C7292E738E944CBA2

Function 0078911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00709BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00709BB2

DragQueryPoint.SHELL32(?,?), ref: 00789147

Part of subcall function 00787674: ClientToScreen.USER32(?,?), ref: 0078769A
Part of subcall function 00787674: GetWindowRect.USER32(?,?), ref: 00787710
Part of subcall function 00787674: PtInRect.USER32(?,?,00788B89), ref: 00787720

SendMessageW.USER32(?,000000B0,?,?), ref: 007891B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007891BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007891DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00789225
SendMessageW.USER32(?,000000B0,?,?), ref: 0078923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00789255
SendMessageW.USER32(?,000000B1,?,?), ref: 00789277
DragFinish.SHELL32(?), ref: 0078927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00789371

Strings

@GUI_DROPID, xrefs: 0078929E
@GUI_DRAGID, xrefs: 007892E9
@GUI_DRAGFILE, xrefs: 00789320
p#|, xrefs: 007892BB

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#|
API String ID: 221274066-704254282
Opcode ID: 724aa9b50a8b6baa82540750f990b18b5c5a20d2a0cf435abe284b4d79b5a50a
Instruction ID: 82b4458ee9ca065fbe53dd0a0b236cbbd416fadf477bf234c2c212343454a7db
Opcode Fuzzy Hash: 724aa9b50a8b6baa82540750f990b18b5c5a20d2a0cf435abe284b4d79b5a50a
Instruction Fuzzy Hash: BC61AC71108305AFC701EF60DC89EAFBBE9EF89350F10092DF695921A1DB349A49CB66

Function 006F326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(007C1990), ref: 00732F8D
GetMenuItemCount.USER32(007C1990), ref: 0073303D
GetCursorPos.USER32(?), ref: 00733081
SetForegroundWindow.USER32(00000000), ref: 0073308A
TrackPopupMenuEx.USER32(007C1990,00000000,?,00000000,00000000,00000000), ref: 0073309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 007330A9

Strings

0, xrefs: 006F327D

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 5c61ad56d8daacd943fa27e7c3a9613fed289e25bd07b40a938394ffe6823376
Instruction ID: 9f30a9d84441f52882867247d7bd43e5218b76219c0f1c18628d96a9df15bc14
Opcode Fuzzy Hash: 5c61ad56d8daacd943fa27e7c3a9613fed289e25bd07b40a938394ffe6823376
Instruction Fuzzy Hash: 13713C70644216BEFB359F24CC49FAABF65FF01364F204216F6246A2E2C7B9AD11C764

Function 00786CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00786DEB

Part of subcall function 006F6B57: _wcslen.LIBCMT ref: 006F6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00786E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00786E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00786E94
DestroyWindow.USER32(?), ref: 00786EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,006F0000,00000000), ref: 00786EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00786EFD
GetDesktopWindow.USER32 ref: 00786F16
GetWindowRect.USER32(00000000), ref: 00786F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00786F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00786F4D

Part of subcall function 00709944: GetWindowLongW.USER32(?,000000EB), ref: 00709952

Strings

0, xrefs: 00786D98
tooltips_class32, xrefs: 00786E58, 00786EDD

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: a6955c1b14df404ddb1a6f48329d183adfe00db6c04a87dde382daa279af5834
Instruction ID: 1c50e25f7d7cf64e9ec8685aa1ebcc982307d35a2c2ca9458caf952cc8df88d6
Opcode Fuzzy Hash: a6955c1b14df404ddb1a6f48329d183adfe00db6c04a87dde382daa279af5834
Instruction Fuzzy Hash: 94717870284244AFDB21DF18DC48FAABBE9FB89304F54446DFA8987261D778E905CB25

Function 0076C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0076C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0076C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0076C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0076C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0076C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0076C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0076C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0076C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0076C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0076C5F0
InternetCloseHandle.WININET(00000000), ref: 0076C5FB

Strings

, xrefs: 0076C575

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 16df5e4230239937fd3373e6be41bbdeb5cab2899969ac21bd74fc946cf21a8b
Instruction ID: 5c342a209f024a323c885b20ed4ef4a2f8acffaa5ba6af2d7654d21d3c84fcd4
Opcode Fuzzy Hash: 16df5e4230239937fd3373e6be41bbdeb5cab2899969ac21bd74fc946cf21a8b
Instruction Fuzzy Hash: 22515EB1540208BFEB228F61CD48ABB7BBCFF08744F24841AF987D6551DB38E9549B64

Function 0078856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00788592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007885A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007885AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007885BA
GlobalLock.KERNEL32(00000000), ref: 007885C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007885D7
GlobalUnlock.KERNEL32(00000000), ref: 007885E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007885E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007885F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0078FC38,?), ref: 00788611
GlobalFree.KERNEL32(00000000), ref: 00788621
GetObjectW.GDI32(?,00000018,?), ref: 00788641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00788671
DeleteObject.GDI32(?), ref: 00788699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 007886AF

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 5612f5c273118012d324dc64a6d7cd3d168f7faec5c1bdb6b19582e96122195e
Instruction ID: 9455179b720ddb24584b13ea8b58290d2fce87123568c050a45cec4e719f8244
Opcode Fuzzy Hash: 5612f5c273118012d324dc64a6d7cd3d168f7faec5c1bdb6b19582e96122195e
Instruction Fuzzy Hash: 03413D75680208AFDB11DF65DC88EAA7BB9FF89711F208058F905D7251DB389D01DB35

Function 007614BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00761502
VariantCopy.OLEAUT32(?,?), ref: 0076150B
VariantClear.OLEAUT32(?), ref: 00761517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 007615FB
VarR8FromDec.OLEAUT32(?,?), ref: 00761657
VariantInit.OLEAUT32(?), ref: 00761708
SysFreeString.OLEAUT32(?), ref: 0076178C
VariantClear.OLEAUT32(?), ref: 007617D8
VariantClear.OLEAUT32(?), ref: 007617E7
VariantInit.OLEAUT32(00000000), ref: 00761823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00761625
Default, xrefs: 007616AF

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 6e6c3c168dd5a5b96439d367d7f97e55304098afc9e3c928edf56a34cba50668
Instruction ID: 447e5a87b5115c9485694d26e9814906ca33f21cbe9f1394481d512d5a44a5ef
Opcode Fuzzy Hash: 6e6c3c168dd5a5b96439d367d7f97e55304098afc9e3c928edf56a34cba50668
Instruction Fuzzy Hash: 10D1F271A00205EBDB109F65D88DB79F7B5BF44700F58815AF807AB582EB38ED50DB61

Function 0077B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

Part of subcall function 0077C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0077B6AE,?,?), ref: 0077C9B5
Part of subcall function 0077C998: _wcslen.LIBCMT ref: 0077C9F1
Part of subcall function 0077C998: _wcslen.LIBCMT ref: 0077CA68
Part of subcall function 0077C998: _wcslen.LIBCMT ref: 0077CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0077B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0077B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0077B80A
RegCloseKey.ADVAPI32(?), ref: 0077B87E
RegCloseKey.ADVAPI32(?), ref: 0077B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0077B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0077B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0077B922
FreeLibrary.KERNEL32(00000000), ref: 0077B983
RegCloseKey.ADVAPI32(00000000), ref: 0077B994

Strings

RegDeleteKeyExW, xrefs: 0077B8FE
advapi32.dll, xrefs: 0077B8ED

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 0076d48f25cd45e33f1baf0a263b472da73dd3776eeeebb178a134823d715b13
Instruction ID: 9ba3bc1f61596b5e199808fe296a123f317f8057bd5389162c2dbe51a70d6c34
Opcode Fuzzy Hash: 0076d48f25cd45e33f1baf0a263b472da73dd3776eeeebb178a134823d715b13
Instruction Fuzzy Hash: 02C16C70208201EFDB14DF14C494F2ABBE5BF84358F14C45CE5AA8B2A2CB79E845CB92

Function 0077255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 007725D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 007725E8
CreateCompatibleDC.GDI32(?), ref: 007725F4
SelectObject.GDI32(00000000,?), ref: 00772601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0077266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 007726AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 007726D0
SelectObject.GDI32(?,?), ref: 007726D8
DeleteObject.GDI32(?), ref: 007726E1
DeleteDC.GDI32(?), ref: 007726E8
ReleaseDC.USER32(00000000,?), ref: 007726F3

Strings

(, xrefs: 0077268D

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 7938704a25b2e036b3097a71d3767b4535b11a6efa4f3734ec045cf63249df98
Instruction ID: 44e01638d8fc8123b0e1ceabaed59ddc4a356817a6e70a0f8672131cc8b38f4f
Opcode Fuzzy Hash: 7938704a25b2e036b3097a71d3767b4535b11a6efa4f3734ec045cf63249df98
Instruction Fuzzy Hash: 2E6115B5D00209EFCF05CFA4D888AAEBBF5FF48310F20852AE559A7251E734A941CF64

Function 0072DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0072DAA1

Part of subcall function 0072D63C: _free.LIBCMT ref: 0072D659
Part of subcall function 0072D63C: _free.LIBCMT ref: 0072D66B
Part of subcall function 0072D63C: _free.LIBCMT ref: 0072D67D
Part of subcall function 0072D63C: _free.LIBCMT ref: 0072D68F
Part of subcall function 0072D63C: _free.LIBCMT ref: 0072D6A1
Part of subcall function 0072D63C: _free.LIBCMT ref: 0072D6B3
Part of subcall function 0072D63C: _free.LIBCMT ref: 0072D6C5
Part of subcall function 0072D63C: _free.LIBCMT ref: 0072D6D7
Part of subcall function 0072D63C: _free.LIBCMT ref: 0072D6E9
Part of subcall function 0072D63C: _free.LIBCMT ref: 0072D6FB
Part of subcall function 0072D63C: _free.LIBCMT ref: 0072D70D
Part of subcall function 0072D63C: _free.LIBCMT ref: 0072D71F
Part of subcall function 0072D63C: _free.LIBCMT ref: 0072D731

_free.LIBCMT ref: 0072DA96

Part of subcall function 007229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0072D7D1,00000000,00000000,00000000,00000000,?,0072D7F8,00000000,00000007,00000000,?,0072DBF5,00000000), ref: 007229DE
Part of subcall function 007229C8: GetLastError.KERNEL32(00000000,?,0072D7D1,00000000,00000000,00000000,00000000,?,0072D7F8,00000000,00000007,00000000,?,0072DBF5,00000000,00000000), ref: 007229F0

_free.LIBCMT ref: 0072DAB8
_free.LIBCMT ref: 0072DACD
_free.LIBCMT ref: 0072DAD8
_free.LIBCMT ref: 0072DAFA
_free.LIBCMT ref: 0072DB0D
_free.LIBCMT ref: 0072DB1B
_free.LIBCMT ref: 0072DB26
_free.LIBCMT ref: 0072DB5E
_free.LIBCMT ref: 0072DB65
_free.LIBCMT ref: 0072DB82
_free.LIBCMT ref: 0072DB9A

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: fbab61daa6e1ca46dd4917aa0dbf40bc73da13ffb298b3acdc7fc0b6b8ef5514
Instruction ID: 12c952bde6553e6687f1add7f44f500840b6ec9c168d5ef4ccfbddabc94a47db
Opcode Fuzzy Hash: fbab61daa6e1ca46dd4917aa0dbf40bc73da13ffb298b3acdc7fc0b6b8ef5514
Instruction Fuzzy Hash: ED315C71604224EFEB31AB38F849B5677E9FF04310F518429E489E71A2DA38FC818B60

Function 0075365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0075369C
_wcslen.LIBCMT ref: 007536A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00753797
GetClassNameW.USER32(?,?,00000400), ref: 0075380C
GetDlgCtrlID.USER32(?), ref: 0075385D
GetWindowRect.USER32(?,?), ref: 00753882
GetParent.USER32(?), ref: 007538A0
ScreenToClient.USER32(00000000), ref: 007538A7
GetClassNameW.USER32(?,?,00000100), ref: 00753921
GetWindowTextW.USER32(?,?,00000400), ref: 0075395D

Strings

%s%u, xrefs: 00753734

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: fb780586aa6200fa9b1dd8b182551f0d9ece2ac654cb408ff93c150d23bcfe57
Instruction ID: 1a11795e8818dc097fa23be0d0152b4a382a3325a392ef9139e2cb1668e900cb
Opcode Fuzzy Hash: fb780586aa6200fa9b1dd8b182551f0d9ece2ac654cb408ff93c150d23bcfe57
Instruction Fuzzy Hash: A191F9B1204606EFD709DF24C885BEAF7A8FF44355F008519FD99C21A0DB78EA59CBA1

Function 00754954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00754994
GetWindowTextW.USER32(?,?,00000400), ref: 007549DA
_wcslen.LIBCMT ref: 007549EB
CharUpperBuffW.USER32(?,00000000), ref: 007549F7
_wcsstr.LIBVCRUNTIME ref: 00754A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00754A64
GetWindowTextW.USER32(?,?,00000400), ref: 00754A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00754AE6
GetClassNameW.USER32(?,?,00000400), ref: 00754B20
GetWindowRect.USER32(?,?), ref: 00754B8B

Strings

ThumbnailClass, xrefs: 00754A6F, 00754AF1

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: c4f5fd482cc76d94b6b341c630ab877385cfe699313dd2b2cb2654f211574e27
Instruction ID: abf19ec6c0d414644cbe29b8e1c9bf19b6f3918c205c02f58f417f8b64f98beb
Opcode Fuzzy Hash: c4f5fd482cc76d94b6b341c630ab877385cfe699313dd2b2cb2654f211574e27
Instruction Fuzzy Hash: 6591BE71104209DFDB05CF14C985BEA77E8FF84319F048469FD859A096EBB8ED89CBA1

Function 00788D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00709BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00709BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00788D5A
GetFocus.USER32 ref: 00788D6A
GetDlgCtrlID.USER32(00000000), ref: 00788D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00788E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00788ECF
GetMenuItemCount.USER32(?), ref: 00788EEC
GetMenuItemID.USER32(?,00000000), ref: 00788EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00788F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00788F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00788FA1

Strings

0, xrefs: 00788E9F

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 4dd68f38616c21a23c33457557d23f0acee6dddb03eddeedb746f1279dd467e4
Instruction ID: 142c0be85152397e8593d4d34404b54e6fe846608eae7ec2b0270b0b1fa8957f
Opcode Fuzzy Hash: 4dd68f38616c21a23c33457557d23f0acee6dddb03eddeedb746f1279dd467e4
Instruction Fuzzy Hash: BC81B0715443019FDB51EF24D888A6B77E9FB88314F54056DFA9497291DB38D900CB62

Function 0075DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0075DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0075DC46
_wcslen.LIBCMT ref: 0075DC50
_wcsstr.LIBVCRUNTIME ref: 0075DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0075DCBC

Strings

StringFileInfo\, xrefs: 0075DC8F
DefaultLangCodepage, xrefs: 0075DD1F
\VarFileInfo\Translation, xrefs: 0075DCB4
04090000, xrefs: 0075DCF2
%u.%u.%u.%u, xrefs: 0075DD9A

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: b62467326c8dacef26171fe34d7d6f77b0d40b07759e7fb8c270434f283bd284
Instruction ID: da168887d21df026582bd7da74b9c6bbd0f476e6c7b0b7ead51592f58950c311
Opcode Fuzzy Hash: b62467326c8dacef26171fe34d7d6f77b0d40b07759e7fb8c270434f283bd284
Instruction Fuzzy Hash: 7A410872640205BADB21A774DC0BEFF77ACEF45711F10006AFA00A61C2EA7C9E4187B5

Function 0077CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0077CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0077CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0077CD48

Part of subcall function 0077CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0077CCAA
Part of subcall function 0077CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0077CCBD
Part of subcall function 0077CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0077CCCF
Part of subcall function 0077CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0077CD05
Part of subcall function 0077CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0077CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0077CCF3

Strings

RegDeleteKeyExW, xrefs: 0077CCC9
advapi32.dll, xrefs: 0077CCB8

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: c5e524595237d347c6b36f7d18dd78a077343d1adece20a420431257d3cf4a66
Instruction ID: b045c0fe27b37ccbc5acbd8e7216c0e1c85f58dc7a76a29281d9ea40e21167ee
Opcode Fuzzy Hash: c5e524595237d347c6b36f7d18dd78a077343d1adece20a420431257d3cf4a66
Instruction Fuzzy Hash: 813183B1A41118BBDB228B50DC88EFFBB7CEF49780F108169B909E6140D7389A45DBB4

Function 00763D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00763D40
_wcslen.LIBCMT ref: 00763D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00763D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00763DBE
RemoveDirectoryW.KERNEL32(?), ref: 00763DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00763E55
CloseHandle.KERNEL32(00000000), ref: 00763E60
CloseHandle.KERNEL32(00000000), ref: 00763E6B

Strings

\??\%s, xrefs: 00763D5B
:, xrefs: 00763D82
\, xrefs: 00763D77

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: d46e0ae64b63659f3f4a27ab2327a3dcea221244c38558c10b6863e29bce3269
Instruction ID: adeff77e454b14f9bb07e036f309f0f19760c1e7c9f3d2713554d97a034693cd
Opcode Fuzzy Hash: d46e0ae64b63659f3f4a27ab2327a3dcea221244c38558c10b6863e29bce3269
Instruction Fuzzy Hash: 423183B1A40209ABDB219BA4DC49FEF77BCEF89700F1041A5F915D6190E7789744CB64

Function 0075E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0075E6B4

Part of subcall function 0070E551: timeGetTime.WINMM(?,?,0075E6D4), ref: 0070E555

Sleep.KERNEL32(0000000A), ref: 0075E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0075E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0075E727
SetActiveWindow.USER32 ref: 0075E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0075E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0075E773
Sleep.KERNEL32(000000FA), ref: 0075E77E
IsWindow.USER32 ref: 0075E78A
EndDialog.USER32(00000000), ref: 0075E79B

Strings

BUTTON, xrefs: 0075E719

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 7d917289d48beae6e35ec2d8ce96406d988b01d1e75e40c1753b182eb4cd4e08
Instruction ID: 7014dcb33fa94f3a853937121aca6634ba5ca6369022c1a360dde5a15c98ac17
Opcode Fuzzy Hash: 7d917289d48beae6e35ec2d8ce96406d988b01d1e75e40c1753b182eb4cd4e08
Instruction Fuzzy Hash: 6D21A4B0340244AFEB055F20ECC9E653B69FB5534AF208828F951915B2DFBD9D099B3C

Function 0075E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0075EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0075EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0075EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0075EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0075EAA7

Strings

play PlayMe wait, xrefs: 0075EA91
status PlayMe mode, xrefs: 0075EA58
open , xrefs: 0075EA0C
close PlayMe, xrefs: 0075EA6E, 0075EA9B
alias PlayMe, xrefs: 0075EA36
play PlayMe, xrefs: 0075EAA2

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 7b7ce32fe2901ae32a3b1980b79fed0c32526992dc2dd20ff3ea84e133f543a3
Instruction ID: 8917b95d265feee65eff03a0a2a25dbc65c85336e2a580e6174b11f4b918460e
Opcode Fuzzy Hash: 7b7ce32fe2901ae32a3b1980b79fed0c32526992dc2dd20ff3ea84e133f543a3
Instruction Fuzzy Hash: 7A117372A9026D79D724E7B1DC4AEFF6B7CEBD1B40F00442DBA11A20D1EEB81A45C5B0

Function 00755CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00755CE2
GetWindowRect.USER32(00000000,?), ref: 00755CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00755D59
GetDlgItem.USER32(?,00000002), ref: 00755D69
GetWindowRect.USER32(00000000,?), ref: 00755D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00755DCF
GetDlgItem.USER32(?,000003E9), ref: 00755DDD
GetWindowRect.USER32(00000000,?), ref: 00755DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00755E31
GetDlgItem.USER32(?,000003EA), ref: 00755E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00755E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00755E67

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 37fc532a057888145fd4584b96f97d0ada8e86125eae3feb62a59ba6e21f196e
Instruction ID: 1883a302a67e59c02bbaabe777226b062de0d1b66b81d340a902004954bd23d9
Opcode Fuzzy Hash: 37fc532a057888145fd4584b96f97d0ada8e86125eae3feb62a59ba6e21f196e
Instruction Fuzzy Hash: 96512F71B40609AFDF18CF68DD99AAE7BB5FF48301F248129F915E6290D7749E04CB60

Function 00708BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00708F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00708BE8,?,00000000,?,?,?,?,00708BBA,00000000,?), ref: 00708FC5

DestroyWindow.USER32(?), ref: 00708C81
KillTimer.USER32(00000000,?,?,?,?,00708BBA,00000000,?), ref: 00708D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00746973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00708BBA,00000000,?), ref: 007469A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00708BBA,00000000,?), ref: 007469B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00708BBA,00000000), ref: 007469D4
DeleteObject.GDI32(00000000), ref: 007469E6

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 8419eac3b3b65147e12ec46c5ba9f5c3cb3023ad9e36e5a314939522d125a837
Instruction ID: ef3d2a40cc47f696936859003e0aba3e73c6df71032fadb201e885a2dd47dab9
Opcode Fuzzy Hash: 8419eac3b3b65147e12ec46c5ba9f5c3cb3023ad9e36e5a314939522d125a837
Instruction Fuzzy Hash: B361AF30102600DFDB669F14D948B2677F1FB42312F64866CE0829A9A0CB7DBD90DF6A

Function 00709838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00709944: GetWindowLongW.USER32(?,000000EB), ref: 00709952

GetSysColor.USER32(0000000F), ref: 00709862

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 3bb73a9189323ad994f2a82dd7e7530b2e9846deee1cf80bbe215d19496be240
Instruction ID: d540e176220e47c5f1c598983384b4ecb3fac53ee7257b557d86a751e97fc2e5
Opcode Fuzzy Hash: 3bb73a9189323ad994f2a82dd7e7530b2e9846deee1cf80bbe215d19496be240
Instruction Fuzzy Hash: 6741A171544644EFDB215F389C88BB93BA5AB46330F248715FAA28B2E3D7399C41DB20

Function 00728D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.q, xrefs: 0072903A, 00728FD0, 00728FF2

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID: .q
API String ID: 0-2393120612
Opcode ID: b2b4698ade1b7e969dd0221b34b0c8931477b74cddff6daae37d4cb1f67d607b
Instruction ID: 7b5d890c2336b60a44089c652920c63548469d72719a24cb468cd58db69cb3e3
Opcode Fuzzy Hash: b2b4698ade1b7e969dd0221b34b0c8931477b74cddff6daae37d4cb1f67d607b
Instruction Fuzzy Hash: 0FC10575E0426AEFCB21DFA8E845BEDBBB0BF09310F184059E515A7392CB3D9941CB61

Function 007596E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0073F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00759717
LoadStringW.USER32(00000000,?,0073F7F8,00000001), ref: 00759720

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0073F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00759742
LoadStringW.USER32(00000000,?,0073F7F8,00000001), ref: 00759745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00759866

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0075984A
Line %d (File "%s"):, xrefs: 0075978F
Error: , xrefs: 0075981D
^ ERROR, xrefs: 007597FB
Line %d:, xrefs: 007597A0

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 3b3f1f992dab0ccce3a8e2a13a3d57d263fb001475fa9e6f1412bbc1242b4709
Instruction ID: 53dff9934effa73d0a5ba84cc42df78de0c749341256499a4ac3094341e0fff2
Opcode Fuzzy Hash: 3b3f1f992dab0ccce3a8e2a13a3d57d263fb001475fa9e6f1412bbc1242b4709
Instruction Fuzzy Hash: E8414B7280021DAACB45EBE0CD86EFE7379AF14341F200429F70572192EA796F48CB75

Function 007506DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 006F6B57: _wcslen.LIBCMT ref: 006F6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007507A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 007507BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 007507DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00750804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0075082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00750837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0075083C

Strings

SOFTWARE\Classes\, xrefs: 0075070E
\CLSID, xrefs: 00750724
\IPC$, xrefs: 00750784

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: f8dafb145044a6ae4b2a856035026bf50786c264aaa0e050f5a574eb0c74b575
Instruction ID: d219c69a87d7eea47d1fd82b3a4dbb875234d138f65661f58675d4647dde8d3a
Opcode Fuzzy Hash: f8dafb145044a6ae4b2a856035026bf50786c264aaa0e050f5a574eb0c74b575
Instruction Fuzzy Hash: B04118B2C1022DABDF15EBA4DC85DFDB779BF04390F144129E915A3261EB74AE04CBA4

Function 00773C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00773C5C
CoInitialize.OLE32(00000000), ref: 00773C8A
CoUninitialize.OLE32 ref: 00773C94
_wcslen.LIBCMT ref: 00773D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00773DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00773ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00773F0E
CoGetObject.OLE32(?,00000000,0078FB98,?), ref: 00773F2D
SetErrorMode.KERNEL32(00000000), ref: 00773F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00773FC4
VariantClear.OLEAUT32(?), ref: 00773FD8

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 4503ef084823df79a23f3395ed8f0d92370b8e4f07ef56c5ad5da510527f1607
Instruction ID: d550ce4e73ba067b8c3e39022257928e0b13d38c99b550d1190ec20e0aa95d8b
Opcode Fuzzy Hash: 4503ef084823df79a23f3395ed8f0d92370b8e4f07ef56c5ad5da510527f1607
Instruction Fuzzy Hash: 9EC166716083059FDB00DF68C88492BBBE9FF89784F10891DF98A9B250D775EE05CB62

Function 00767A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00767AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00767B8F
SHGetDesktopFolder.SHELL32(?), ref: 00767BA3
CoCreateInstance.OLE32(0078FD08,00000000,00000001,007B6E6C,?), ref: 00767BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00767C74
CoTaskMemFree.OLE32(?,?), ref: 00767CCC
SHBrowseForFolderW.SHELL32(?), ref: 00767D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00767D7A
CoTaskMemFree.OLE32(00000000), ref: 00767D81
CoTaskMemFree.OLE32(00000000), ref: 00767DD6
CoUninitialize.OLE32 ref: 00767DDC

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: efaa6b11ed361bac7e5d1218474d3561bcf79c85f657905ca2e5394f54106a0a
Instruction ID: 9e0a588f4f9123726da1928419f903d5d7702a9cbceabed55399d90e0ca08370
Opcode Fuzzy Hash: efaa6b11ed361bac7e5d1218474d3561bcf79c85f657905ca2e5394f54106a0a
Instruction Fuzzy Hash: 62C12A75A04109AFCB14DFA4C884DAEBBF9FF48354B148498E91ADB361D734EE45CBA0

Function 0078541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00785504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00785515
CharNextW.USER32(00000158), ref: 00785544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00785585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0078559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007855AC

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 7328d4428e422e6545b85af50cddc9d9edc654dd94aca999edb251ce33cebfbb
Instruction ID: fe72a6848a80de42802a13e699a7b7b34a1f6b9962c65fca8e9cc17728d45376
Opcode Fuzzy Hash: 7328d4428e422e6545b85af50cddc9d9edc654dd94aca999edb251ce33cebfbb
Instruction Fuzzy Hash: 8B61A070A80608EFDF11AF54CC84DFE7BB9EF05721F208195F929A6290D77C9A80DB60

Function 0074FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0074FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0074FB08
VariantInit.OLEAUT32(?), ref: 0074FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0074FB3A
VariantCopy.OLEAUT32(?,?), ref: 0074FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0074FBA1
VariantClear.OLEAUT32(?), ref: 0074FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0074FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0074FBCC
VariantClear.OLEAUT32(?), ref: 0074FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0074FBE9

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: dfcb48ee2e354e28066a233203fd8ed9276631ef6841e08bf9cfae590fb60ac7
Instruction ID: c02f544abf7a5736330dd99f3ef1d8fcfced276d04e58fd1d027cdc45cb219c9
Opcode Fuzzy Hash: dfcb48ee2e354e28066a233203fd8ed9276631ef6841e08bf9cfae590fb60ac7
Instruction Fuzzy Hash: 7E415F75A00219DFCB01DF64D858DAEBBB9FF49354F10C069E90AA7261CB38A945CBA4

Function 00759C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00759CA1
GetAsyncKeyState.USER32(000000A0), ref: 00759D22
GetKeyState.USER32(000000A0), ref: 00759D3D
GetAsyncKeyState.USER32(000000A1), ref: 00759D57
GetKeyState.USER32(000000A1), ref: 00759D6C
GetAsyncKeyState.USER32(00000011), ref: 00759D84
GetKeyState.USER32(00000011), ref: 00759D96
GetAsyncKeyState.USER32(00000012), ref: 00759DAE
GetKeyState.USER32(00000012), ref: 00759DC0
GetAsyncKeyState.USER32(0000005B), ref: 00759DD8
GetKeyState.USER32(0000005B), ref: 00759DEA

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 9d9198fa41a8d682ff76d443be7d1d5f288242e7c75ad33009a13967670ea5f3
Instruction ID: 30c3bdb5939949c4b32f1b72b57e9704c58a20ec064dd55a38e1d919cdcadc49
Opcode Fuzzy Hash: 9d9198fa41a8d682ff76d443be7d1d5f288242e7c75ad33009a13967670ea5f3
Instruction Fuzzy Hash: 0A41A4346047C9A9FF71967088143E5BEB06B11345F08805ADFC65A6C2EBEDA9CCC7A2

Function 0077055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 007705BC
inet_addr.WSOCK32(?), ref: 0077061C
gethostbyname.WSOCK32(?), ref: 00770628
IcmpCreateFile.IPHLPAPI ref: 00770636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007706C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 007706E5
IcmpCloseHandle.IPHLPAPI(?), ref: 007707B9
WSACleanup.WSOCK32 ref: 007707BF

Strings

Ping, xrefs: 00770676

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 9ab073fbc317147902c774a0f5d116ee4471c4dd41da79d0def2e2dffbe8386d
Instruction ID: cce3b79c96911d325d18ee02f25c78c6d1cc8ad134976bd0a21d04e67bccf565
Opcode Fuzzy Hash: 9ab073fbc317147902c774a0f5d116ee4471c4dd41da79d0def2e2dffbe8386d
Instruction Fuzzy Hash: 7E918A75604201DFDB24CF15C888F2ABBE1AF84358F14C5A9E5698B6A2C738ED41CFD1

Function 00778CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00778CF3

Part of subcall function 00758E54: _wcslen.LIBCMT ref: 00758E77

_wcslen.LIBCMT ref: 00778D4E
_wcslen.LIBCMT ref: 00778D9C
_wcslen.LIBCMT ref: 00778DDC
_wcslen.LIBCMT ref: 00778E6E

Strings

cdecl, xrefs: 00778D48, 00778D4D
winapi, xrefs: 00778D96, 00778D9B
none, xrefs: 00778E65, 00778E6A
stdcall, xrefs: 00778DD6, 00778DDB

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 4e865d26b1bcfb030f79a8cba36f4c52bc58001fe5554bf99733409850eb8486
Instruction ID: cc6fe095db737f8d91cd04d7983331495a5e658dc5b563460a0b21c9115e6edf
Opcode Fuzzy Hash: 4e865d26b1bcfb030f79a8cba36f4c52bc58001fe5554bf99733409850eb8486
Instruction Fuzzy Hash: C551D731A405169BCF64DF6CC8449BEB7A6BF643A4B208229E529E73C4DF78DD40C791

Function 0077372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00773774
CoUninitialize.OLE32 ref: 0077377F
CoCreateInstance.OLE32(?,00000000,00000017,0078FB78,?), ref: 007737D9
IIDFromString.OLE32(?,?), ref: 0077384C
VariantInit.OLEAUT32(?), ref: 007738E4
VariantClear.OLEAUT32(?), ref: 00773936

Strings

Invalid parameter, xrefs: 00773865
Failed to create object, xrefs: 007737E4, 0077389A
NULL Pointer assignment, xrefs: 0077381E

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: e816d7742408c5e78cfa0e20f0aa13c8610c4cfef74bf41a97a75070c5b72af6
Instruction ID: 099ffa9bf7b1d27d9bb6eedebb37015aaa51948e1cb5f76558ab01171af23cab
Opcode Fuzzy Hash: e816d7742408c5e78cfa0e20f0aa13c8610c4cfef74bf41a97a75070c5b72af6
Instruction Fuzzy Hash: 7761C1B0208301EFD710DF54C889F6AB7E4EF48750F108909F9899B291C778EE48DBA6

Function 00788B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00709BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00709BB2

Part of subcall function 0070912D: GetCursorPos.USER32(?), ref: 00709141
Part of subcall function 0070912D: ScreenToClient.USER32(00000000,?), ref: 0070915E
Part of subcall function 0070912D: GetAsyncKeyState.USER32(00000001), ref: 00709183
Part of subcall function 0070912D: GetAsyncKeyState.USER32(00000002), ref: 0070919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00788B6B
ImageList_EndDrag.COMCTL32 ref: 00788B71
ReleaseCapture.USER32 ref: 00788B77
SetWindowTextW.USER32(?,00000000), ref: 00788C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00788C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00788CFF

Strings

@GUI_DROPID, xrefs: 00788C51
p#|, xrefs: 00788C71
@GUI_DRAGFILE, xrefs: 00788C9A

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#|
API String ID: 1924731296-624169274
Opcode ID: de1c4c31da4fa8515e60151e0b0b9c6b1581a444be1025a16fce40b4ea9da6be
Instruction ID: f5505c1d5108d0f3aa2aeefb361eaf242c8a86d363913991420016425bb49cf1
Opcode Fuzzy Hash: de1c4c31da4fa8515e60151e0b0b9c6b1581a444be1025a16fce40b4ea9da6be
Instruction Fuzzy Hash: D751CD70204304AFD704EF20DC5AFAA77E5FB88710F90062DF956972E2CB78A904CB66

Function 00763388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 007633CF

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 007633F0

Strings

^ ERROR , xrefs: 0076349E
"%s" (%d) : ==> %s:%s%s, xrefs: 00763504
Line %d (File "%s"):, xrefs: 00763443, 0076345C
Error: , xrefs: 007634D1
Incorrect parameters to object property !, xrefs: 007634AB
"%s" (%d) : ==> %s:, xrefs: 00763522

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 99f8fdca20ca3f4d1d2d8e228d56354cb71b779b3bf872edc60593c6a1a0dd7a
Instruction ID: 78c4cdee54c3f165de55a398c07988ca7066bdc011a5be2a3144514be9a681dd
Opcode Fuzzy Hash: 99f8fdca20ca3f4d1d2d8e228d56354cb71b779b3bf872edc60593c6a1a0dd7a
Instruction Fuzzy Hash: 445192B2900259AADF15EBE0CD46EFEB779EF04340F204069F60572192EB796F58CB64

Function 0075B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0075B5FC
_wcslen.LIBCMT ref: 0075B608
_wcslen.LIBCMT ref: 0075B64D
_wcslen.LIBCMT ref: 0075B68C
_wcslen.LIBCMT ref: 0075B6C7

Strings

REMOVE, xrefs: 0075B602, 0075B607
EXISTS, xrefs: 0075B686, 0075B68B
KEYS, xrefs: 0075B647, 0075B64C
APPEND, xrefs: 0075B6C1, 0075B6C6

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 40cfeadae82c185158ef096958d836b64946d1443aed56a4ffd42feef3f0b164
Instruction ID: db8fda3f0b131fe515acdc3ceee4930c879137f8caf041394daaddb7177a07d6
Opcode Fuzzy Hash: 40cfeadae82c185158ef096958d836b64946d1443aed56a4ffd42feef3f0b164
Instruction Fuzzy Hash: EB41D532A000279ACB205F7DC8905FEB7A5EFA0755B24452AED21DB284E77DDD8AC790

Function 00765393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007653A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00765416
GetLastError.KERNEL32 ref: 00765420
SetErrorMode.KERNEL32(00000000,READY), ref: 007654A7

Strings

INVALID, xrefs: 00765459
NOTREADY, xrefs: 0076544B
READY, xrefs: 00765460, 00765468
READONLY, xrefs: 00765452
UNKNOWN, xrefs: 00765444

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 3b8e7ec1cfaa6ed7f26d9ee4c3653ed115c23fdc36599e7716a5a1780f6f8380
Instruction ID: bd9717827c21566033214c46c38781ef8eec149bf8970e097deff72adaea3df9
Opcode Fuzzy Hash: 3b8e7ec1cfaa6ed7f26d9ee4c3653ed115c23fdc36599e7716a5a1780f6f8380
Instruction Fuzzy Hash: 0C31C375A005489FCB11DF68C484BAA7FB4FF05305F1480A9E906DB292DF79DD86DBA0

Function 00783C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00783C79
SetMenu.USER32(?,00000000), ref: 00783C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00783D10
IsMenu.USER32(?), ref: 00783D24
CreatePopupMenu.USER32 ref: 00783D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00783D5B
DrawMenuBar.USER32 ref: 00783D63

Strings

0, xrefs: 00783C54
F, xrefs: 00783D4E

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 29bbe522185d1d24ccdf789e965fabc82bc66f910a5f4784c13c6ef0d2e5e6ce
Instruction ID: c9ff8da0dc2af69a5960a6826345918449c4857957bb653877399c74aa17a3f8
Opcode Fuzzy Hash: 29bbe522185d1d24ccdf789e965fabc82bc66f910a5f4784c13c6ef0d2e5e6ce
Instruction Fuzzy Hash: B8418B75A01209EFDF14DF68D844EAA7BB5FF49310F244028F90697360D738AA10CFA4

Function 00751EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

Part of subcall function 00753CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00753CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00751F64
GetDlgCtrlID.USER32 ref: 00751F6F
GetParent.USER32 ref: 00751F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00751F8E
GetDlgCtrlID.USER32(?), ref: 00751F97
GetParent.USER32(?), ref: 00751FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00751FAE

Strings

ComboBox, xrefs: 00751EEC
ListBox, xrefs: 00751F21

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 00946dfccc9f0c13f191146aad2d86eeb4b03dd789493c4f55f56aa994bc282d
Instruction ID: 1d7402e61a9391ecdb3754ec7d4074f7e929d76dc6aaeacb18614420e1e4bb6c
Opcode Fuzzy Hash: 00946dfccc9f0c13f191146aad2d86eeb4b03dd789493c4f55f56aa994bc282d
Instruction Fuzzy Hash: 3021FF70A00218BBCF05AFA0DC84EFEBBB9EF05341B104599F961A32E1DB794908CB74

Function 00783A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00783A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00783AA0
GetWindowLongW.USER32(?,000000F0), ref: 00783AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00783AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00783B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00783BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00783BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00783BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00783BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00783C13

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 2b5217332b70628de70eb2d36904d564b7a06239b083c792c6a2f3b8da87be82
Instruction ID: 9d90404b9290680fab63a3589dfddade3b03aceeb10eddf0fb339db5edc2900b
Opcode Fuzzy Hash: 2b5217332b70628de70eb2d36904d564b7a06239b083c792c6a2f3b8da87be82
Instruction Fuzzy Hash: 16617FB5940248AFDB10DF68CC81EEE77F8EF09710F1041A9FA15A7292D778AE45DB60

Function 0075B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0075B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0075A1E1,?,00000001), ref: 0075B165
GetWindowThreadProcessId.USER32(00000000), ref: 0075B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0075A1E1,?,00000001), ref: 0075B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0075B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0075A1E1,?,00000001), ref: 0075B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0075A1E1,?,00000001), ref: 0075B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0075A1E1,?,00000001), ref: 0075B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0075A1E1,?,00000001), ref: 0075B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0075A1E1,?,00000001), ref: 0075B21D

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: d05a92c2470e946d081ad448301862561217f3cc7a88b58557334756238f2fde
Instruction ID: e1fa470ee8ed2b5fc97f0c78e312b568c0345db098024ffcb3005f5cca2dc856
Opcode Fuzzy Hash: d05a92c2470e946d081ad448301862561217f3cc7a88b58557334756238f2fde
Instruction Fuzzy Hash: BD318E72640604AFDB119F64EC49FBD7BAABB51312F20C019FE01DA190D7BC9A848F78

Function 00722C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00722C94

Part of subcall function 007229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0072D7D1,00000000,00000000,00000000,00000000,?,0072D7F8,00000000,00000007,00000000,?,0072DBF5,00000000), ref: 007229DE
Part of subcall function 007229C8: GetLastError.KERNEL32(00000000,?,0072D7D1,00000000,00000000,00000000,00000000,?,0072D7F8,00000000,00000007,00000000,?,0072DBF5,00000000,00000000), ref: 007229F0

_free.LIBCMT ref: 00722CA0
_free.LIBCMT ref: 00722CAB
_free.LIBCMT ref: 00722CB6
_free.LIBCMT ref: 00722CC1
_free.LIBCMT ref: 00722CCC
_free.LIBCMT ref: 00722CD7
_free.LIBCMT ref: 00722CE2
_free.LIBCMT ref: 00722CED
_free.LIBCMT ref: 00722CFB

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6cdaeb16ae950897123b5bb02bbd3f5dd34a0acce4833595c865a34a9247c166
Instruction ID: 4ba1eb87de32280607a79ed89fd75a1658bc2be73e68c27ac4a544f0887edac3
Opcode Fuzzy Hash: 6cdaeb16ae950897123b5bb02bbd3f5dd34a0acce4833595c865a34a9247c166
Instruction Fuzzy Hash: 62119476100118FFCB02EF54E846CDD3BA5BF09350F9144A5F9886B232D635FA919F90

Function 00767DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00767FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00767FC1
GetFileAttributesW.KERNEL32(?), ref: 00767FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00768005
SetCurrentDirectoryW.KERNEL32(?), ref: 00768017
SetCurrentDirectoryW.KERNEL32(?), ref: 00768060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 007680B0

Strings

*.*, xrefs: 00768066

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 58883dfdefe54fa52d6fa2c3cb82fca1ba61625cd1d0d9c8a67f5443cea8d793
Instruction ID: 04f09617abdb3e516a5a7abda52a9417306852107230f9f94092b7f9aca5c4fb
Opcode Fuzzy Hash: 58883dfdefe54fa52d6fa2c3cb82fca1ba61625cd1d0d9c8a67f5443cea8d793
Instruction Fuzzy Hash: CE81C0725082059BCB28EF54C8449BAB3E9BF88354F144D5EFD86C7250EB3ADD49CB52

Function 006F5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 006F5C7A

Part of subcall function 006F5D0A: GetClientRect.USER32(?,?), ref: 006F5D30
Part of subcall function 006F5D0A: GetWindowRect.USER32(?,?), ref: 006F5D71
Part of subcall function 006F5D0A: ScreenToClient.USER32(?,?), ref: 006F5D99

GetDC.USER32 ref: 007346F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00734708
SelectObject.GDI32(00000000,00000000), ref: 00734716
SelectObject.GDI32(00000000,00000000), ref: 0073472B
ReleaseDC.USER32(?,00000000), ref: 00734733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 007347C4

Strings

U, xrefs: 00734693

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 7303afe74a6e53cbce81f969d1864dc4245e50acf17667ad310d1e094eb3b328
Instruction ID: 4c7eedaf408b0fdb5500e689764b595cec6e08fa5ed67cde1aca675bd300278b
Opcode Fuzzy Hash: 7303afe74a6e53cbce81f969d1864dc4245e50acf17667ad310d1e094eb3b328
Instruction Fuzzy Hash: 9A71D131500209DFDF298F64C985ABA3BB2FF46360F144269EA565A2A7C338AC41DF60

Function 0076359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007635E4

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

LoadStringW.USER32(007C2390,?,00000FFF,?), ref: 0076360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00763724
Line %d (File "%s"):, xrefs: 0076366B
Error: , xrefs: 007636EF
^ ERROR, xrefs: 007636C9
"%s" (%d) : ==> %s:, xrefs: 00763742

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 37145be153f7ab62fc36173322615a993c22a85ae12a2620b86095f96146f86f
Instruction ID: e10a40480995b39667355dd7d2eebb9b19676080376a61d7f6e5c3939bb3626e
Opcode Fuzzy Hash: 37145be153f7ab62fc36173322615a993c22a85ae12a2620b86095f96146f86f
Instruction Fuzzy Hash: 9C516FB2800259AADF15EBA0DC46EFDBB75EF05340F144129F60572192DB391B98DB64

Function 0076C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0076C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0076C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0076C2CA
GetLastError.KERNEL32 ref: 0076C322
SetEvent.KERNEL32(?), ref: 0076C336
InternetCloseHandle.WININET(00000000), ref: 0076C341

Strings

, xrefs: 0076C2BB

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 6d985060a6edf76e10a6f8f124ca63c1ac058bb2508b60797d03432635154eb1
Instruction ID: 3018b3c625e58c766e3bad2db9617578e3239a745f1d3adb10e57b83d7c9b4e3
Opcode Fuzzy Hash: 6d985060a6edf76e10a6f8f124ca63c1ac058bb2508b60797d03432635154eb1
Instruction Fuzzy Hash: 87316BB1640208AFD7239F66DC88ABB7AFCEB49744B14851EF88796240DB38DD049B75

Function 0075989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00733AAF,?,?,Bad directive syntax error,0078CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 007598BC
LoadStringW.USER32(00000000,?,00733AAF,?), ref: 007598C3

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00759987

Strings

Error: , xrefs: 00759955
., xrefs: 0075996D
Line %d (File "%s"):, xrefs: 0075992D
%s (%d) : ==> %s.: %s %s, xrefs: 007598F1
Line %d:, xrefs: 00759912

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: ed0178f4acf853678f697cf9c6cc0b4be4a31954d97c112f345b7b611cb94980
Instruction ID: cf5ed17916c7cb4248747f4303e38a24201b56d205eafc854ea87648b027dae8
Opcode Fuzzy Hash: ed0178f4acf853678f697cf9c6cc0b4be4a31954d97c112f345b7b611cb94980
Instruction Fuzzy Hash: 4F21717284026EEBDF16EF90CC0AEFD7775BF14341F044429F615620A2EB79A618CB20

Function 0075209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 007520AB
GetClassNameW.USER32(00000000,?,00000100), ref: 007520C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0075214D

Strings

list, xrefs: 0075212F
details, xrefs: 007520FB
SHELLDLL_DefView, xrefs: 007520CC
smallicons, xrefs: 00752115
largeicons, xrefs: 007520E1

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: d1d2e55f5f6327fc04d6920ea078af23a57108bcc42dea4863de1ec89db8361c
Instruction ID: 616e47f73424716a9405112a684a4330a11bb0be592494c653550452081593bd
Opcode Fuzzy Hash: d1d2e55f5f6327fc04d6920ea078af23a57108bcc42dea4863de1ec89db8361c
Instruction Fuzzy Hash: 1511E7B6684B0AF9F60522249C0AEE7379CDF06325B204126FE04A50D2FABD58475654

Function 0072CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0072CEB7
_free.LIBCMT ref: 0072CF22
_free.LIBCMT ref: 0072CF48
_free.LIBCMT ref: 0072CF71
_free.LIBCMT ref: 0072CFA9
_free.LIBCMT ref: 0072CFDA
_free.LIBCMT ref: 0072D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0072D09C
_free.LIBCMT ref: 0072D0B5

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: a8656a42edb4eac80db2e938770c0a843939830362fd8ba680bb4888a257d615
Instruction ID: 4f8c82df85369014c29155fa517e4f15253ad8322821a2b9e406b4f81b56eb6e
Opcode Fuzzy Hash: a8656a42edb4eac80db2e938770c0a843939830362fd8ba680bb4888a257d615
Instruction Fuzzy Hash: DF617772A04320EFDB32AFB4BD89A6D7BA5AF15310F04426DF841A7292E63D9D4187D0

Function 007850D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00785186
ShowWindow.USER32(?,00000000), ref: 007851C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 007851CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 007851D1

Part of subcall function 00786FBA: DeleteObject.GDI32(00000000), ref: 00786FE6

GetWindowLongW.USER32(?,000000F0), ref: 0078520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0078521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0078524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00785287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00785296

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 179d1a943607db8083e47ec500a43ae4d63386c51a36f7350144f2928a370530
Instruction ID: c63cc40b62dc488f0d260b9683e407a3d790ea09e3d068b5556f5df8376a7d7d
Opcode Fuzzy Hash: 179d1a943607db8083e47ec500a43ae4d63386c51a36f7350144f2928a370530
Instruction Fuzzy Hash: 49518F70AD0A08FEEF21AF28CC4DBD93BA5BB05361F248111F615D62E1CB7DA990DB51

Function 00708B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00746890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 007468A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 007468B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 007468D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 007468F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00708874,00000000,00000000,00000000,000000FF,00000000), ref: 00746901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0074691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00708874,00000000,00000000,00000000,000000FF,00000000), ref: 0074692D

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: a6f4f88c4fc41413974022a7447c5a4767f1ece617887e1eaf28cf9dbad60ab0
Instruction ID: 00be32ce6fc7760494847da7be1a7e85abeca5984f1ac061f71b80baea5b73bb
Opcode Fuzzy Hash: a6f4f88c4fc41413974022a7447c5a4767f1ece617887e1eaf28cf9dbad60ab0
Instruction Fuzzy Hash: BD516AB0600209EFDB20CF24CC55FAA7BF5EB59760F204628F956962E0DB78E990DB51

Function 0076C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0076C182
GetLastError.KERNEL32 ref: 0076C195
SetEvent.KERNEL32(?), ref: 0076C1A9

Part of subcall function 0076C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0076C272
Part of subcall function 0076C253: GetLastError.KERNEL32 ref: 0076C322
Part of subcall function 0076C253: SetEvent.KERNEL32(?), ref: 0076C336
Part of subcall function 0076C253: InternetCloseHandle.WININET(00000000), ref: 0076C341

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 7c7f177256f71029dbdf45b4c1b64152087c8bfb9c8f62293ac039ca6bbf58fa
Instruction ID: ee995f543d033202cf4b090cc2f275ba57ca47af16357acfff83cf2858ebf3b0
Opcode Fuzzy Hash: 7c7f177256f71029dbdf45b4c1b64152087c8bfb9c8f62293ac039ca6bbf58fa
Instruction Fuzzy Hash: 1F318A71240605AFDB229FB5DC58A77BBF8FF18300B14842EFD9B86610D739E8149BA0

Function 007525A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00753A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00753A57
Part of subcall function 00753A3D: GetCurrentThreadId.KERNEL32 ref: 00753A5E
Part of subcall function 00753A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007525B3), ref: 00753A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 007525BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007525DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 007525DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 007525E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00752601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00752605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0075260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00752623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00752627

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: a57c55acbc9da54c2f47d03062b264fe7253e7246ed5121c578da1a4f43f69c2
Instruction ID: cb2648fa751256cf50849e800b85249f6d6f483923dbe5629194305c542494f7
Opcode Fuzzy Hash: a57c55acbc9da54c2f47d03062b264fe7253e7246ed5121c578da1a4f43f69c2
Instruction Fuzzy Hash: 3601F570780214BBFB1067688C8EF993F59DB4AB52F204011F314AE0E1C9F518498A79

Function 00751803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00751449,?,?,00000000), ref: 0075180C
HeapAlloc.KERNEL32(00000000,?,00751449,?,?,00000000), ref: 00751813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00751449,?,?,00000000), ref: 00751828
GetCurrentProcess.KERNEL32(?,00000000,?,00751449,?,?,00000000), ref: 00751830
DuplicateHandle.KERNEL32(00000000,?,00751449,?,?,00000000), ref: 00751833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00751449,?,?,00000000), ref: 00751843
GetCurrentProcess.KERNEL32(00751449,00000000,?,00751449,?,?,00000000), ref: 0075184B
DuplicateHandle.KERNEL32(00000000,?,00751449,?,?,00000000), ref: 0075184E
CreateThread.KERNEL32(00000000,00000000,00751874,00000000,00000000,00000000), ref: 00751868

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: a58311335bc974cc3abb949d523aeba84d24a826c081e0e95ce0f0079266cf19
Instruction ID: b5cf55e92d97822bf4f7c9113cb8a7e9312b6e5041710581ea8a4511d2dfb7d4
Opcode Fuzzy Hash: a58311335bc974cc3abb949d523aeba84d24a826c081e0e95ce0f0079266cf19
Instruction Fuzzy Hash: C701BFB5680308BFE711ABA5DC8EF573B6CEB89B11F518411FA05DB191D6759C00CB34

Function 0077A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0075D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0075D501
Part of subcall function 0075D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0075D50F
Part of subcall function 0075D4DC: CloseHandle.KERNELBASE(00000000), ref: 0075D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0077A16D
GetLastError.KERNEL32 ref: 0077A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0077A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0077A268
GetLastError.KERNEL32(00000000), ref: 0077A273
CloseHandle.KERNEL32(00000000), ref: 0077A2C4

Strings

SeDebugPrivilege, xrefs: 0077A18F

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 540513f56aad41e6f2b3ea8dc56b35635d4b29d10aae7d9e15846f9b33605e56
Instruction ID: 37f663d38c15f42fd836a01bef9102819a744e07ebbec559621508f81ff6f84c
Opcode Fuzzy Hash: 540513f56aad41e6f2b3ea8dc56b35635d4b29d10aae7d9e15846f9b33605e56
Instruction Fuzzy Hash: 69619071204242AFEB10DF18C494F29BBE1AF84358F54C49CE45A8B7A3C77AEC45CB96

Function 00783886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00783925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0078393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00783954
_wcslen.LIBCMT ref: 00783999
SendMessageW.USER32(?,00001057,00000000,?), ref: 007839C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 007839F4

Strings

SysListView32, xrefs: 007838F7

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: db986a58536a828a65cbe028fc81234e602975ce299ef5154719a103e1f4ba08
Instruction ID: e2842cc984d57a1d63e0b54bae4065658f2348368f5b2ed07be70f0ad34bcc89
Opcode Fuzzy Hash: db986a58536a828a65cbe028fc81234e602975ce299ef5154719a103e1f4ba08
Instruction Fuzzy Hash: ED41E771A40208ABDF21AF68CC49FEA77A9EF08754F100126F544E7181D778DE80CB94

Function 0075BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0075BCFD
IsMenu.USER32(00000000), ref: 0075BD1D
CreatePopupMenu.USER32 ref: 0075BD53
GetMenuItemCount.USER32(00C355D0), ref: 0075BDA4
InsertMenuItemW.USER32(00C355D0,?,00000001,00000030), ref: 0075BDCC

Strings

2, xrefs: 0075BD37
0, xrefs: 0075BCA8

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 99651cf760704b39609eb4ce7c0b4f93e6043f92c10b04a96f9ec1b132868601
Instruction ID: 386d1b282b8b455a632f98134ab78a557b350cd6fcd6f9424092dd1eafba8b86
Opcode Fuzzy Hash: 99651cf760704b39609eb4ce7c0b4f93e6043f92c10b04a96f9ec1b132868601
Instruction Fuzzy Hash: B5517B70A00309DBDF11CFA8D888BFEBBF4AF45316F248159EC1197291D7B8A949CB61

Function 00712D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00712D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00712D53
_ValidateLocalCookies.LIBCMT ref: 00712DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00712E0C
_ValidateLocalCookies.LIBCMT ref: 00712E61

Strings

csm, xrefs: 00712DF6
&Hq, xrefs: 00712DFE, 00712E07, 00712E18

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &Hq$csm
API String ID: 1170836740-317068433
Opcode ID: b3f7ed0c9a83d83299ef0f0873e31c18a238bf715fa21ad7c1669a5dc733f9c8
Instruction ID: 175750d4f8c881dbfc515427b00d5abb0d47f08f8a0487aaf561e1f6cfcdf7af
Opcode Fuzzy Hash: b3f7ed0c9a83d83299ef0f0873e31c18a238bf715fa21ad7c1669a5dc733f9c8
Instruction Fuzzy Hash: 72416234A00209EBCF10DF6CD849ADEBBA5BF45324F148155E9146B3D3D739AAA6CBD0

Function 0075C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0075C913

Strings

stop, xrefs: 0075C8E4
warning, xrefs: 0075C8FC
question, xrefs: 0075C8CC
info, xrefs: 0075C8B4
blank, xrefs: 0075C895

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 3d4611a5dbf2fad985378be9907091a3a0f2fa59de56789dc40da533ccf81ecd
Instruction ID: d5ebca643b4d40691b99835648592fabd401d1ea85355c3123b453de7bdb4073
Opcode Fuzzy Hash: 3d4611a5dbf2fad985378be9907091a3a0f2fa59de56789dc40da533ccf81ecd
Instruction Fuzzy Hash: E9110D32689306BEE7025B549C83FEA679CDF15766B60402AFD00B62C2EBFC7D445268

Function 0075DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0075DE42
gethostname.WSOCK32(?,00000100), ref: 0075DE5C
gethostbyname.WSOCK32(?), ref: 0075DE69
inet_ntoa.WSOCK32(?), ref: 0075DEAB
_strcat.LIBCMT ref: 0075DEB9
WSACleanup.WSOCK32 ref: 0075DEDE

Strings

0.0.0.0, xrefs: 0075DE87

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: f644a8d4f21f650abff2543993b67ef66d951a9067ae0a5c6d201b20bfc88f31
Instruction ID: 4296d53dace2ae8e54e57a1523784d3b74a81f3a3193b6f94e57f11bcd1f4249
Opcode Fuzzy Hash: f644a8d4f21f650abff2543993b67ef66d951a9067ae0a5c6d201b20bfc88f31
Instruction Fuzzy Hash: 8311E171944119EBDB31AB249C0BEEE77ACDB11712F1001A9F905AA091EFBC9E858B60

Function 0075ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0075ED2A
_wcslen.LIBCMT ref: 0075ED3B
_wcslen.LIBCMT ref: 0075ED79
_wcslen.LIBCMT ref: 0075EDAF
_wcslen.LIBCMT ref: 0075EDDF
_wcslen.LIBCMT ref: 0075EDEF
_wcslen.LIBCMT ref: 0075EE2B
_wcslen.LIBCMT ref: 0075EE5A

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 424cc9ff9b3bff7e3e49e669453a6b6023aa6b8ac4840d8519a8f4a95e5cc4d2
Instruction ID: c8e9cf535339611322ccd8637d62911d96357a915f7bcb464b262aedc60a5255
Opcode Fuzzy Hash: 424cc9ff9b3bff7e3e49e669453a6b6023aa6b8ac4840d8519a8f4a95e5cc4d2
Instruction Fuzzy Hash: 5641B366C10218B5DB11EBF8888E9CFB7B8AF45710F508466E914F3162FB38E785C7A5

Function 0070F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0074682C,00000004,00000000,00000000), ref: 0070F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0074682C,00000004,00000000,00000000), ref: 0074F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0074682C,00000004,00000000,00000000), ref: 0074F454

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: c76fcf18afdbe6d8ecede97a0904efb1f7734709e1b115d11b84949ff56de640
Instruction ID: 58062a9ddef47536a55838bdada3611ee509dafff885bb1d858e57239f44a91e
Opcode Fuzzy Hash: c76fcf18afdbe6d8ecede97a0904efb1f7734709e1b115d11b84949ff56de640
Instruction Fuzzy Hash: 6A410931628680FED7359B2DD888B2A7BD1AB96314F24863DE047D2DE1D73DB881C711

Function 00782D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00782D1B
GetDC.USER32(00000000), ref: 00782D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00782D2E
ReleaseDC.USER32(00000000,00000000), ref: 00782D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00782D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00782D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00785A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00782DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00782DE1

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 14427f616d73fa6907ea19979327dabc114a9bb531a94df9feb3790701645590
Instruction ID: 9aaa591067bc6a00d8c51464526928253b7cefff33d1e563a5ad6e937866a6e9
Opcode Fuzzy Hash: 14427f616d73fa6907ea19979327dabc114a9bb531a94df9feb3790701645590
Instruction Fuzzy Hash: ED319C72281214BFEB158F50CC8AFEB3FA9EF09751F148065FE089A291D6799C41CBB4

Function 00755622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00755637
_memcmp.LIBVCRUNTIME ref: 00755659
_memcmp.LIBVCRUNTIME ref: 00755671
_memcmp.LIBVCRUNTIME ref: 00755684
_memcmp.LIBVCRUNTIME ref: 0075569E
_memcmp.LIBVCRUNTIME ref: 007556B1
_memcmp.LIBVCRUNTIME ref: 007556C9
_memcmp.LIBVCRUNTIME ref: 007556E4

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 618a3bf5aa80ac921cdcd7c0ef17d74cc0e01a78d56c9147e87be2492173cb7b
Instruction ID: 30419b0e74881b562b65933df5e45b863faf76f21ca6775c2e6807151a2c6ec8
Opcode Fuzzy Hash: 618a3bf5aa80ac921cdcd7c0ef17d74cc0e01a78d56c9147e87be2492173cb7b
Instruction Fuzzy Hash: 4021DAA1A81949F7D31465258DA2FFA335CEF14786F940020FE049E581F7ACEE1886A5

Function 00774FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00775007
NULL Pointer assignment, xrefs: 0077502E, 00775383

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: df91a5bad2662d50a2b42cc68be5ea8bc64726b19142cd286b19b1dc13afc349
Instruction ID: cdebb49b68b67ee788687039e004ed00d93bc27adbe0c89837a5f8c611282718
Opcode Fuzzy Hash: df91a5bad2662d50a2b42cc68be5ea8bc64726b19142cd286b19b1dc13afc349
Instruction Fuzzy Hash: D3D1C771A0060A9FDF10CF68C885BAEB7B5FF48384F14C469E919AB291D7B4DD45CB60

Function 00731522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,007317FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 007315CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,007317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00731651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,007317FB,?,007317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 007316E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,007317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 007316FB

Part of subcall function 00723820: RtlAllocateHeap.NTDLL(00000000,?,007C1444,?,0070FDF5,?,?,006FA976,00000010,007C1440,006F13FC,?,006F13C6,?,006F1129), ref: 00723852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,007317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00731777
__freea.LIBCMT ref: 007317A2
__freea.LIBCMT ref: 007317AE

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 2dda1da09ee7e2aa06c67f6762c8bbff0244695e9239fc5e4be017da9576a378
Instruction ID: 173d6199f30aec0eaed584f86fc0d25ca0937f4058abdcee8b90f320c39cb468
Opcode Fuzzy Hash: 2dda1da09ee7e2aa06c67f6762c8bbff0244695e9239fc5e4be017da9576a378
Instruction Fuzzy Hash: DC919371E002169AEF218FB4CC85EEE7BB5AF49710F984669E805E7242DB3DDD50CB60

Function 00774523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00774648
VariantInit.OLEAUT32(?), ref: 00774749
VariantClear.OLEAUT32(?), ref: 00774753
VariantClear.OLEAUT32(?), ref: 007747B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0077472C
Null Object assignment in FOR..IN loop, xrefs: 007745D8, 00774706, 007747BE

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 2c21a5785859caa7e3b7e98f68ebab8967f7289e9716cb5d366de98cf8a64971
Instruction ID: c8e7b2d352b5d70aaf4c2618f54d1d951ed69fb90584610b7acb7969ea0000aa
Opcode Fuzzy Hash: 2c21a5785859caa7e3b7e98f68ebab8967f7289e9716cb5d366de98cf8a64971
Instruction Fuzzy Hash: B6916271A00219EBDF24CFA4C845FAEBBB8EF46754F10C559F519AB280D7789941CFA0

Function 00761187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0076125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00761284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 007612A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007612D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0076135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007613C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00761430

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 65483c050741166fbd26d691ca11e564710b325ec8c79bd34461196793ec2722
Instruction ID: c7ae924ef3fd78fe7d662162ee61e43a8d466a2c6913b0ffa6c22eafc1a497f3
Opcode Fuzzy Hash: 65483c050741166fbd26d691ca11e564710b325ec8c79bd34461196793ec2722
Instruction Fuzzy Hash: 1591C271A00209DFDB01DFA4C899BBE7BB5FF45324F598029E902E7291D77CA941CB94

Function 0070948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 50c4801a2cea4c39e82ed2f7ed8bc837fc7cc70796b3d983852495cc1ce427b4
Instruction ID: 7e7c15ce928e9e1878e3b21cbc256493149d1ba38d742b50e05cfa682511daf3
Opcode Fuzzy Hash: 50c4801a2cea4c39e82ed2f7ed8bc837fc7cc70796b3d983852495cc1ce427b4
Instruction Fuzzy Hash: 74915C71D40219EFCB15CFA9CC88AEEBBB8FF49320F248155E515B7292D378A951CB60

Function 00773947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0077396B
CharUpperBuffW.USER32(?,?), ref: 00773A7A
_wcslen.LIBCMT ref: 00773A8A
VariantClear.OLEAUT32(?), ref: 00773C1F

Part of subcall function 00760CDF: VariantInit.OLEAUT32(00000000), ref: 00760D1F
Part of subcall function 00760CDF: VariantCopy.OLEAUT32(?,?), ref: 00760D28
Part of subcall function 00760CDF: VariantClear.OLEAUT32(?), ref: 00760D34

Strings

Incorrect Parameter format, xrefs: 007739A6, 00773BA1
AUTOIT.ERROR, xrefs: 00773A80, 00773A85

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 91652315efbddcf4db30e007a875b216a3d65f17a1d9efa616824daee338305a
Instruction ID: a9945a5eb244a4553fdb799320341d015296751d2d89daa60813075a069c87b4
Opcode Fuzzy Hash: 91652315efbddcf4db30e007a875b216a3d65f17a1d9efa616824daee338305a
Instruction Fuzzy Hash: 989164756083059FCB04EF24C48596AB7E5FF88354F14892EF88A9B351DB38EE05CB92

Function 00774BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0075000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0074FF41,80070057,?,?,?,0075035E), ref: 0075002B
Part of subcall function 0075000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0074FF41,80070057,?,?), ref: 00750046
Part of subcall function 0075000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0074FF41,80070057,?,?), ref: 00750054
Part of subcall function 0075000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0074FF41,80070057,?), ref: 00750064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00774C51
_wcslen.LIBCMT ref: 00774D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00774DCF
CoTaskMemFree.OLE32(?), ref: 00774DDA

Strings

NULL Pointer assignment, xrefs: 00774E23, 00774E52

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 1564ae66068353b1baf69a6a34bd4ee7c0113274bf52be60d1fefba0d42dd93c
Instruction ID: 9d0046661b032ce2696cd3fc625af29639961f15502db80d7de1bd825310d975
Opcode Fuzzy Hash: 1564ae66068353b1baf69a6a34bd4ee7c0113274bf52be60d1fefba0d42dd93c
Instruction Fuzzy Hash: 54913771D0021DEFDF15DFA4C880AEEB7B9BF08350F108569E919A7281EB749A44CFA0

Function 007820FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00782183
GetMenuItemCount.USER32(00000000), ref: 007821B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 007821DD
_wcslen.LIBCMT ref: 00782213
GetMenuItemID.USER32(?,?), ref: 0078224D
GetSubMenu.USER32(?,?), ref: 0078225B

Part of subcall function 00753A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00753A57
Part of subcall function 00753A3D: GetCurrentThreadId.KERNEL32 ref: 00753A5E
Part of subcall function 00753A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007525B3), ref: 00753A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007822E3

Part of subcall function 0075E97B: Sleep.KERNEL32 ref: 0075E9F3

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 263ee18100cd2eca6b371c96dfb06e292c6dfa5bf3461161a10699d7363d027c
Instruction ID: 71575960c1d1819f5536aaa5bf033b841b1ecf0f6357a87b1f8a780d85332123
Opcode Fuzzy Hash: 263ee18100cd2eca6b371c96dfb06e292c6dfa5bf3461161a10699d7363d027c
Instruction Fuzzy Hash: 61717175E40209EFCB10EF64C845AAEB7F5FF48321F258459E916EB352D738AD428B90

Function 00787E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00C356C0), ref: 00787F37
IsWindowEnabled.USER32(00C356C0), ref: 00787F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0078801E
SendMessageW.USER32(00C356C0,000000B0,?,?), ref: 00788051
IsDlgButtonChecked.USER32(?,?), ref: 00788089
GetWindowLongW.USER32(00C356C0,000000EC), ref: 007880AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 007880C3

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 2941ff41e178d64e65feb8dd29d14db28ff99ec63104c2df10479d5cee0acc71
Instruction ID: 3d307188b51241ebca09802228fec48df1edcca65fcae6107f5215f8b6524329
Opcode Fuzzy Hash: 2941ff41e178d64e65feb8dd29d14db28ff99ec63104c2df10479d5cee0acc71
Instruction Fuzzy Hash: 0D71B274688204AFEB25AF55CC84FAA7BB5FF09300F644059FA4697261CB39EC46DB20

Function 0075AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0075AEF9
GetKeyboardState.USER32(?), ref: 0075AF0E
SetKeyboardState.USER32(?), ref: 0075AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0075AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0075AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0075AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0075B020

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 19407b863129cd9cb4f4917e81377a3d1dccb253b3bdeab7ef728dc30555df53
Instruction ID: 43c2b46accf22bb0b10e43eae4984bcafa97ba056e8e1f13d6277e2c5393c59a
Opcode Fuzzy Hash: 19407b863129cd9cb4f4917e81377a3d1dccb253b3bdeab7ef728dc30555df53
Instruction Fuzzy Hash: 275103A0A043D53DFB3242348C4ABFABEA95B06305F088599E9D9454C2D3EDECCCD361

Function 0075ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0075AD19
GetKeyboardState.USER32(?), ref: 0075AD2E
SetKeyboardState.USER32(?), ref: 0075AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0075ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0075ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0075AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0075AE38

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: ccfb31d704fede2079639bfafd95c8c7687f75776f9be1e6a40c3b0182a76a79
Instruction ID: 98b0ec7c0f03fcb248c619e2d550cc0bba7561d2347df88a85d786f2bc1d6897
Opcode Fuzzy Hash: ccfb31d704fede2079639bfafd95c8c7687f75776f9be1e6a40c3b0182a76a79
Instruction Fuzzy Hash: C95108A16047D53DFB3353348C46BFABEA86B05302F0886A8E5D5568C2D2DCEC8CD762

Function 0072542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00733CD6,?,?,?,?,?,?,?,?,00725BA3,?,?,00733CD6,?,?), ref: 00725470
__fassign.LIBCMT ref: 007254EB
__fassign.LIBCMT ref: 00725506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00733CD6,00000005,00000000,00000000), ref: 0072552C
WriteFile.KERNEL32(?,00733CD6,00000000,00725BA3,00000000,?,?,?,?,?,?,?,?,?,00725BA3,?), ref: 0072554B
WriteFile.KERNEL32(?,?,00000001,00725BA3,00000000,?,?,?,?,?,?,?,?,?,00725BA3,?), ref: 00725584

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 9320480439b530dc13ebd2a30c427c216a1df92c57152c3f6ea203c4c187549e
Instruction ID: f0748af104d366a9e6e36f65e85aa38fdb7a7cbbc6aa8b87503825ec96da804a
Opcode Fuzzy Hash: 9320480439b530dc13ebd2a30c427c216a1df92c57152c3f6ea203c4c187549e
Instruction Fuzzy Hash: 4B51E6709006589FDB11CFA8E885AEEBBFAEF09300F14411AF555E7291E734DA51CBA0

Function 007710B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0077304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0077307A
Part of subcall function 0077304E: _wcslen.LIBCMT ref: 0077309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00771112
WSAGetLastError.WSOCK32 ref: 00771121
WSAGetLastError.WSOCK32 ref: 007711C9
closesocket.WSOCK32(00000000), ref: 007711F9

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 2585b4b633c5bc37d60476f858c5d4c6ce46c02a9ec1401547b118b389199a8a
Instruction ID: 50064738d61d7fa6d2e11a604ac5061098c0f912a9db6882017b187195683c09
Opcode Fuzzy Hash: 2585b4b633c5bc37d60476f858c5d4c6ce46c02a9ec1401547b118b389199a8a
Instruction Fuzzy Hash: 3E410531600208AFDB109F58C884BA9B7EAEF453A4F94C059FE099F291C778ED41CBE5

Function 0075CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0075DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0075CF22,?), ref: 0075DDFD

Part of subcall function 0075DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0075CF22,?), ref: 0075DE16

lstrcmpiW.KERNEL32(?,?), ref: 0075CF45
MoveFileW.KERNEL32(?,?), ref: 0075CF7F
_wcslen.LIBCMT ref: 0075D005
_wcslen.LIBCMT ref: 0075D01B
SHFileOperationW.SHELL32(?), ref: 0075D061

Strings

\*.*, xrefs: 0075CFF3

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 200798e983109d9137dd41d17ee0bd7b1a74bfc09ac8792a75e9c72aab3955af
Instruction ID: e4baa755111b02fb29f3439ccc982d1086a83ac2c2ed48232108715fca3c723e
Opcode Fuzzy Hash: 200798e983109d9137dd41d17ee0bd7b1a74bfc09ac8792a75e9c72aab3955af
Instruction Fuzzy Hash: 6E4158729452189FDF27EBA4DD85BDD77B9AF08381F1000E6E505E7181EA78AB88CB50

Function 00782DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00782E1C
GetWindowLongW.USER32(?,000000F0), ref: 00782E4F
GetWindowLongW.USER32(?,000000F0), ref: 00782E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00782EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00782EE0
GetWindowLongW.USER32(?,000000F0), ref: 00782EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00782F0B

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 73f1092b80914555e03d3945e6767c7e241e0b40bb8cb0e34b9fa582462a0f01
Instruction ID: 804c07137c7e814db1ce394ad43d5093c6d5e1db9b3efabd78ce106d83d62f91
Opcode Fuzzy Hash: 73f1092b80914555e03d3945e6767c7e241e0b40bb8cb0e34b9fa582462a0f01
Instruction Fuzzy Hash: 2D312430784240AFEB21DF18DC88F6537E0FB8A711F6541A5F9008F2B2CB79A841DB18

Function 00757726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00757769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0075778F
SysAllocString.OLEAUT32(00000000), ref: 00757792
SysAllocString.OLEAUT32(?), ref: 007577B0
SysFreeString.OLEAUT32(?), ref: 007577B9
StringFromGUID2.OLE32(?,?,00000028), ref: 007577DE
SysAllocString.OLEAUT32(?), ref: 007577EC

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: b9f780c6cf4622a427ac278be8e4c0e81904a7abdf5d6da0604d495b1fa75122
Instruction ID: ff62cb7265b04c89bc506edd1b589e9c118b2050de2b3f3416c528c884021729
Opcode Fuzzy Hash: b9f780c6cf4622a427ac278be8e4c0e81904a7abdf5d6da0604d495b1fa75122
Instruction Fuzzy Hash: EA21AE76604219AFDB14DFA8EC88CFB77ACEB09364B108425FE04DB290D6B8DC85C764

Function 007577FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00757842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00757868
SysAllocString.OLEAUT32(00000000), ref: 0075786B
SysAllocString.OLEAUT32 ref: 0075788C
SysFreeString.OLEAUT32 ref: 00757895
StringFromGUID2.OLE32(?,?,00000028), ref: 007578AF
SysAllocString.OLEAUT32(?), ref: 007578BD

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 521aaa602bd6b03e0372f9302cb3b6ab6d9fe8321b3620994b8f1bf8e20460e3
Instruction ID: eb7b3d1b527b1082b8b090b2cd7bd3f25f49f6f783dc2fd8a1ea5ec2067de122
Opcode Fuzzy Hash: 521aaa602bd6b03e0372f9302cb3b6ab6d9fe8321b3620994b8f1bf8e20460e3
Instruction Fuzzy Hash: 9D21B671604214AFDB149FB8EC8CDBA77ECEB083607108125F915CB2A1D6B8EC85CB74

Function 007604D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 007604F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0076052E

Strings

nul, xrefs: 00760567

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: bf562c7bc8ca070ff47e0de1135247bdac2c376ebba4c2ef7c6256db116512be
Instruction ID: b3ccd2694ab8212a2ad8ffe708e7ab3d650ee2d943f15b5f691cdbb34494ca9d
Opcode Fuzzy Hash: bf562c7bc8ca070ff47e0de1135247bdac2c376ebba4c2ef7c6256db116512be
Instruction Fuzzy Hash: 88216D75500305ABDB209F29DC48E9B77A4BF45724F204A19FCA3D62E1E7749960CFA0

Function 007605A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 007605C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00760601

Strings

nul, xrefs: 00760639

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 3ac5b9948fe64ef3964872e08ea51655523e647eb665edfa41faa2a83419fe30
Instruction ID: e1164f290825a9b661b52a09fe31ff87035fa40ea3799fa6f797f5fdcbd35497
Opcode Fuzzy Hash: 3ac5b9948fe64ef3964872e08ea51655523e647eb665edfa41faa2a83419fe30
Instruction Fuzzy Hash: AE2192755403059BDB209F69CC48E9B77F4BF95720F204A19FCA2E72E0D7B89860CBA5

Function 007840AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006F600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006F604C
Part of subcall function 006F600E: GetStockObject.GDI32(00000011), ref: 006F6060
Part of subcall function 006F600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 006F606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00784112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0078411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0078412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00784139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00784145

Strings

Msctls_Progress32, xrefs: 007840E3

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: bffd124a16a446b07b14fbbc1b6f15efa6339f895212aca077cd2682daefa7fa
Instruction ID: 098f50dcfb9805f0a8ee65a256388d9b89ab346d4ba5666e3545e3ab9157f0d4
Opcode Fuzzy Hash: bffd124a16a446b07b14fbbc1b6f15efa6339f895212aca077cd2682daefa7fa
Instruction Fuzzy Hash: 6F1190B219021EBEEF119F64CC85EE77F9DEF08798F114110BA18A2090CA769C21DBA4

Function 0072D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0072D7A3: _free.LIBCMT ref: 0072D7CC

_free.LIBCMT ref: 0072D82D

Part of subcall function 007229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0072D7D1,00000000,00000000,00000000,00000000,?,0072D7F8,00000000,00000007,00000000,?,0072DBF5,00000000), ref: 007229DE
Part of subcall function 007229C8: GetLastError.KERNEL32(00000000,?,0072D7D1,00000000,00000000,00000000,00000000,?,0072D7F8,00000000,00000007,00000000,?,0072DBF5,00000000,00000000), ref: 007229F0

_free.LIBCMT ref: 0072D838
_free.LIBCMT ref: 0072D843
_free.LIBCMT ref: 0072D897
_free.LIBCMT ref: 0072D8A2
_free.LIBCMT ref: 0072D8AD
_free.LIBCMT ref: 0072D8B8

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 1afe24cca967fabe254edcbf039692efef0bcaa5f2b506780b165991184ffe64
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 66111F71540B24FAD531BFB0EC4BFCB7BDC6F04700F804825B2D9A65A3DA6DB9464A50

Function 0075DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0075DA74
LoadStringW.USER32(00000000), ref: 0075DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0075DA91
LoadStringW.USER32(00000000), ref: 0075DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0075DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0075DAB9

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: ad19c24180b3d3a57e553763f91df8453c3be53c9dfe566d020d0232d4d2fd0a
Instruction ID: 4373ce88f1f94738d44e13432e3bdb75e02e45de9a4a6b399f1a988944ee4f47
Opcode Fuzzy Hash: ad19c24180b3d3a57e553763f91df8453c3be53c9dfe566d020d0232d4d2fd0a
Instruction Fuzzy Hash: 240186F2940208BFF711ABA09D8DEE7336CE708701F5084A6B706E2041E6789E844F74

Function 0076096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00C2E950,00C2E950), ref: 0076097B
EnterCriticalSection.KERNEL32(00C2E930,00000000), ref: 0076098D
TerminateThread.KERNEL32(?,000001F6), ref: 0076099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 007609A9
CloseHandle.KERNEL32(?), ref: 007609B8
InterlockedExchange.KERNEL32(00C2E950,000001F6), ref: 007609C8
LeaveCriticalSection.KERNEL32(00C2E930), ref: 007609CF

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 2bc716a8fae4d546c190055ee3e7a5670d53fd285702ba6397198a261b76262e
Instruction ID: b8e5d453e1effccd3a14ae9616b267381f3d83c02d55cba54f66346106e98f40
Opcode Fuzzy Hash: 2bc716a8fae4d546c190055ee3e7a5670d53fd285702ba6397198a261b76262e
Instruction Fuzzy Hash: 9AF0EC32482A12BBD7525FA4EE8DBD6BB39FF05712F506025F202908E1C779A465CFA4

Function 00771C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00771DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00771DE1
WSAGetLastError.WSOCK32 ref: 00771DF2
htons.WSOCK32(?,?,?,?,?), ref: 00771EDB
inet_ntoa.WSOCK32(?), ref: 00771E8C

Part of subcall function 007539E8: _strlen.LIBCMT ref: 007539F2

Part of subcall function 00773224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0076EC0C), ref: 00773240

_strlen.LIBCMT ref: 00771F35

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 17598e754298d2499c0bc4990e32d93fd3570adfddb4172819a228e812cffcdf
Instruction ID: fa05398699192be18078c17777d9838c8c2bc32660e085f73f7fb3c6c9035f86
Opcode Fuzzy Hash: 17598e754298d2499c0bc4990e32d93fd3570adfddb4172819a228e812cffcdf
Instruction Fuzzy Hash: 7CB1EF31204340AFC724DF28C895E3A7BE6AF85358F94894CF55A5B2E2CB75ED42CB91

Function 006F5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 006F5D30
GetWindowRect.USER32(?,?), ref: 006F5D71
ScreenToClient.USER32(?,?), ref: 006F5D99
GetClientRect.USER32(?,?), ref: 006F5ED7
GetWindowRect.USER32(?,?), ref: 006F5EF8

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 52ae2b35f9646bb065a760303ec3dd565197787f2338e8d99e14890730c7c181
Instruction ID: 7d31dfb5911191ccacbccf869b06517d2d7c5efa573a63fcbaec35345e967da9
Opcode Fuzzy Hash: 52ae2b35f9646bb065a760303ec3dd565197787f2338e8d99e14890730c7c181
Instruction Fuzzy Hash: EBB16A74A0074ADBDB14CFA9C4807FAB7F2FF58310F14841AEAAAD7250DB34AA51DB54

Function 007201B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 007200BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007200D6
__allrem.LIBCMT ref: 007200ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0072010B
__allrem.LIBCMT ref: 00720122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00720140

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 1448efe4918906e19afd48361064357949cfdd21720e7c138b423e9941ae403a
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 78811372A00716EBE7209E2CDC45BAE73E9AF41724F24413EF511D62C2E7B8D9418BA0

Function 007261FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,007182D9,007182D9,?,?,?,0072644F,00000001,00000001,8BE85006), ref: 00726258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0072644F,00000001,00000001,8BE85006,?,?,?), ref: 007262DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 007263D8
__freea.LIBCMT ref: 007263E5

Part of subcall function 00723820: RtlAllocateHeap.NTDLL(00000000,?,007C1444,?,0070FDF5,?,?,006FA976,00000010,007C1440,006F13FC,?,006F13C6,?,006F1129), ref: 00723852

__freea.LIBCMT ref: 007263EE
__freea.LIBCMT ref: 00726413

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 62e8d611f639e44711a71492d4b91871877e20a2e00fd38300e94792d82bd946
Instruction ID: a63a65485d08a10314fd460e494bd6e3732a7d241c1f4bf11e21596a508eedfb
Opcode Fuzzy Hash: 62e8d611f639e44711a71492d4b91871877e20a2e00fd38300e94792d82bd946
Instruction Fuzzy Hash: C451E472A00266ABEB259F64EC85EBF77A9EF44710F15466AFC05D6182DB3CDC40C6A0

Function 0077BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

Part of subcall function 0077C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0077B6AE,?,?), ref: 0077C9B5
Part of subcall function 0077C998: _wcslen.LIBCMT ref: 0077C9F1
Part of subcall function 0077C998: _wcslen.LIBCMT ref: 0077CA68
Part of subcall function 0077C998: _wcslen.LIBCMT ref: 0077CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0077BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0077BD25
RegCloseKey.ADVAPI32(00000000), ref: 0077BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0077BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0077BDF3
RegCloseKey.ADVAPI32(?), ref: 0077BDFF

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 302c1a3ee32049da78e5d68a5453cbaa04e3a539d144ac08fd09fbc777da141a
Instruction ID: 658be8d3059b528af7ef49a7bffcf4318b9ba3d3d0e7331eaeab8021780cd77d
Opcode Fuzzy Hash: 302c1a3ee32049da78e5d68a5453cbaa04e3a539d144ac08fd09fbc777da141a
Instruction Fuzzy Hash: C081AE70208241EFDB15DF24C885E2ABBE5FF84348F14895CF5598B2A2DB35ED45CBA2

Function 0074F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0074F7B9
SysAllocString.OLEAUT32(00000001), ref: 0074F860
VariantCopy.OLEAUT32(0074FA64,00000000), ref: 0074F889
VariantClear.OLEAUT32(0074FA64), ref: 0074F8AD
VariantCopy.OLEAUT32(0074FA64,00000000), ref: 0074F8B1
VariantClear.OLEAUT32(?), ref: 0074F8BB

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 3b34bf1b8c24ee941da77df9627f8e57ddc2674c356a7c77ebdba68451090f56
Instruction ID: ec9e3d9b90591e487bce1ef6c8c32fe68fef92523c23e9f237fd379d516cdda6
Opcode Fuzzy Hash: 3b34bf1b8c24ee941da77df9627f8e57ddc2674c356a7c77ebdba68451090f56
Instruction Fuzzy Hash: A551E831A01350FACF24AF65D895B39B3E9EF45310F24946BE905DF291DB789C40CB66

Function 0076910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 006F7620: _wcslen.LIBCMT ref: 006F7625

Part of subcall function 006F6B57: _wcslen.LIBCMT ref: 006F6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 007694E5
_wcslen.LIBCMT ref: 00769506
_wcslen.LIBCMT ref: 0076952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00769585

Strings

X, xrefs: 00769412

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: d1573e4062cf4475a122e1f1a8d19bd36de2281acffc17797638bc0464f05641
Instruction ID: f230bf961fca39a3a512a14de3350054990f7e318c1751faffdbc62919021378
Opcode Fuzzy Hash: d1573e4062cf4475a122e1f1a8d19bd36de2281acffc17797638bc0464f05641
Instruction Fuzzy Hash: A1E1C031608350DFC764DF24C881A6AB7E5BF85310F04896DFA8A9B3A2DB34DD05CB92

Function 0070920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00709BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00709BB2

BeginPaint.USER32(?,?,?), ref: 00709241
GetWindowRect.USER32(?,?), ref: 007092A5
ScreenToClient.USER32(?,?), ref: 007092C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 007092D3
EndPaint.USER32(?,?,?,?,?), ref: 00709321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 007471EA

Part of subcall function 00709339: BeginPath.GDI32(00000000), ref: 00709357

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 1c0862f2e33c7f3850da33c4ba0a619ef271c6851af7f86c036e767d50adb979
Instruction ID: 98a535ef260e3817fb7e410b431aee19ca7989793a3903c476e9043b61a3adc9
Opcode Fuzzy Hash: 1c0862f2e33c7f3850da33c4ba0a619ef271c6851af7f86c036e767d50adb979
Instruction Fuzzy Hash: 13419E70104240EFD721DF24CC88FBA7BF8EB86320F144229FA94872E2C779A845DB61

Function 007607EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0076080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00760847
EnterCriticalSection.KERNEL32(?), ref: 00760863
LeaveCriticalSection.KERNEL32(?), ref: 007608DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 007608F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00760921

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: fd58ef240bbfdc4f78106cdc6b27153f0842a6bdc70243438366e26ddccfbd15
Instruction ID: de871908a9623606b76d00d81261791eff14ea4e8a91f77fe988c82480815218
Opcode Fuzzy Hash: fd58ef240bbfdc4f78106cdc6b27153f0842a6bdc70243438366e26ddccfbd15
Instruction Fuzzy Hash: 7A418B71900205EBDF15EF54DC85AAA77B9FF04310F1080A9ED019B297D738EE64DBA4

Function 007881DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0074F3AB,00000000,?,?,00000000,?,0074682C,00000004,00000000,00000000), ref: 0078824C
EnableWindow.USER32(?,00000000), ref: 00788272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 007882D1
ShowWindow.USER32(?,00000004), ref: 007882E5
EnableWindow.USER32(?,00000001), ref: 0078830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0078832F

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 551b5e476bc6bbd88d906736f0fac8d2523a485143ad5faea51135a9cbcff66c
Instruction ID: 041c31116a5dc495104308e61c343544a98483a27ed198fcd37af87f3bfe7734
Opcode Fuzzy Hash: 551b5e476bc6bbd88d906736f0fac8d2523a485143ad5faea51135a9cbcff66c
Instruction Fuzzy Hash: 9141C734641644EFDB62EF14C899FE87BE0FB06714F9841B9E5088B263CB39A841CB55

Function 00754C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00754C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00754CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00754CEA
_wcslen.LIBCMT ref: 00754D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00754D10
_wcsstr.LIBVCRUNTIME ref: 00754D1A

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: c65e7640c7a0681f114bf5dac554e017f91221f2c18ec3048d3e4e23620cba93
Instruction ID: 80c845f5c8e5ce54eecaa5dfd64cb6d3b7ae8ded7b7e7d34d5c2c8e5528c06a9
Opcode Fuzzy Hash: c65e7640c7a0681f114bf5dac554e017f91221f2c18ec3048d3e4e23620cba93
Instruction Fuzzy Hash: 20210732704200BBEB255B39DC09EBB7BA8DF45754F108079FD05CA191EAA9DC8483A0

Function 0076581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 006F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006F3A97,?,?,006F2E7F,?,?,?,00000000), ref: 006F3AC2

_wcslen.LIBCMT ref: 0076587B
CoInitialize.OLE32(00000000), ref: 00765995
CoCreateInstance.OLE32(0078FCF8,00000000,00000001,0078FB68,?), ref: 007659AE
CoUninitialize.OLE32 ref: 007659CC

Strings

.lnk, xrefs: 00765876, 007658C1, 00765985

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 4a0b4e9806cb6726aed67474fe0a0bf873c836b61f2b07f73f256bcd1ffc180a
Instruction ID: d1629f60ab4d46bc41e67cbcfbe99a6500b77a915c579279c1efcd5d9cfe0f77
Opcode Fuzzy Hash: 4a0b4e9806cb6726aed67474fe0a0bf873c836b61f2b07f73f256bcd1ffc180a
Instruction Fuzzy Hash: BAD163B0608705DFC714DF24C484A2ABBE2EF89720F14895DF98A9B361DB35EC45CB92

Function 0075175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00750FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00750FCA
Part of subcall function 00750FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00750FD6
Part of subcall function 00750FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00750FE5
Part of subcall function 00750FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00750FEC
Part of subcall function 00750FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00751002

GetLengthSid.ADVAPI32(?,00000000,00751335), ref: 007517AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 007517BA
HeapAlloc.KERNEL32(00000000), ref: 007517C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 007517DA
GetProcessHeap.KERNEL32(00000000,00000000,00751335), ref: 007517EE
HeapFree.KERNEL32(00000000), ref: 007517F5

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 10f02fa8e1d947b6e70b963c8a64f910f795f1178a8e6c3f82f730ab3e37d84a
Instruction ID: a9b38d549f08852019cecabb9043fdce9a4f242589952f46a396ca45c4dc240c
Opcode Fuzzy Hash: 10f02fa8e1d947b6e70b963c8a64f910f795f1178a8e6c3f82f730ab3e37d84a
Instruction Fuzzy Hash: 8711EE71900204FFDB119FA8CC89BEE7BA8EB49357F608918F841A7210C779AD08CB64

Function 007514CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 007514FF
OpenProcessToken.ADVAPI32(00000000), ref: 00751506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00751515
CloseHandle.KERNEL32(00000004), ref: 00751520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0075154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00751563

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 7a10509afb59f1379325a8d5509a8a5e5f56df12a27ddae0bb3e96466fbf2ed7
Instruction ID: e75fcf4db73e20b276d74a7b3258543dcd8e2be7e5bc16f1b0af935f104eb6b4
Opcode Fuzzy Hash: 7a10509afb59f1379325a8d5509a8a5e5f56df12a27ddae0bb3e96466fbf2ed7
Instruction Fuzzy Hash: 0E119D7210024DABDF128F94DD09FDE3BA9EF48746F148018FE05A2060D3B9CE64EB61

Function 00713382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00713379,00712FE5), ref: 00713390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0071339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007133B7
SetLastError.KERNEL32(00000000,?,00713379,00712FE5), ref: 00713409

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 3cab00ca017b173196a88a3d2a9a804673e7045c6d10fd5eecd5c87a6eaac056
Instruction ID: 51a2c378b7f0f0745b192ae783725b8ec376fa60c7ccda76f7ea5c2530ad018a
Opcode Fuzzy Hash: 3cab00ca017b173196a88a3d2a9a804673e7045c6d10fd5eecd5c87a6eaac056
Instruction Fuzzy Hash: 7C01D832709311FEAB163B7C7C89AE62A54EB053757208329F420891F1EF1D4E82555C

Function 00722D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00725686,00733CD6,?,00000000,?,00725B6A,?,?,?,?,?,0071E6D1,?,007B8A48), ref: 00722D78
_free.LIBCMT ref: 00722DAB
_free.LIBCMT ref: 00722DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0071E6D1,?,007B8A48,00000010,006F4F4A,?,?,00000000,00733CD6), ref: 00722DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0071E6D1,?,007B8A48,00000010,006F4F4A,?,?,00000000,00733CD6), ref: 00722DEC
_abort.LIBCMT ref: 00722DF2

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 2f6445917f3f6ad09ddad1adb98e7ad45f4f77057038a84a1a37a6c7dff37b39
Instruction ID: 8f2e20fcfd7680177b93526e69c5df9602b220f54b239d21fc306b2fef6c09b7
Opcode Fuzzy Hash: 2f6445917f3f6ad09ddad1adb98e7ad45f4f77057038a84a1a37a6c7dff37b39
Instruction Fuzzy Hash: 0BF0A436744630B7C2132738BC0EE5A2699ABC27A1B348518F824A21E3EE3CD8434271

Function 00788A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00709639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00709693
Part of subcall function 00709639: SelectObject.GDI32(?,00000000), ref: 007096A2
Part of subcall function 00709639: BeginPath.GDI32(?), ref: 007096B9
Part of subcall function 00709639: SelectObject.GDI32(?,00000000), ref: 007096E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00788A4E
LineTo.GDI32(?,00000003,00000000), ref: 00788A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00788A70
LineTo.GDI32(?,00000000,00000003), ref: 00788A80
EndPath.GDI32(?), ref: 00788A90
StrokePath.GDI32(?), ref: 00788AA0

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: ffeebf866c53322efe65dd4445f821584b676a1fa6fcd843b3c3896cf8e1b8f7
Instruction ID: c181f26711c3f93bd8eeb671c485d6ee4f7abccfe4da059d77179bee05462b11
Opcode Fuzzy Hash: ffeebf866c53322efe65dd4445f821584b676a1fa6fcd843b3c3896cf8e1b8f7
Instruction Fuzzy Hash: 2F11097604014CFFDB129F90DC88EAA7F6DEB08390F10C022BA199A1A1C775AD55DBA5

Function 007551FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00755218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00755229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00755230
ReleaseDC.USER32(00000000,00000000), ref: 00755238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0075524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00755261

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 02022d740eb6246694591aa68447d8c398ab71e7c0a2944ab95ab3ce9d99aafd
Instruction ID: 3bcfc23e3958c9843d3e68ba5671cef554421089ca8612eb8cb7e15037d33cda
Opcode Fuzzy Hash: 02022d740eb6246694591aa68447d8c398ab71e7c0a2944ab95ab3ce9d99aafd
Instruction Fuzzy Hash: 02018FB5E40708BBEB119BB59C49A4EBFB8FF48351F148065FA04E7280DA749804CBA4

Function 006F1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 006F1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 006F1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 006F1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 006F1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 006F1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 006F1C22

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 8c936e60a9ff9f21b0eeeb87c08297ef4943b0d7cb250b50fdccf73afe202e7f
Instruction ID: dc52a45f81e59df53f09d4cb4478895fb6cb274729cd119423b2b3a544d7a0d4
Opcode Fuzzy Hash: 8c936e60a9ff9f21b0eeeb87c08297ef4943b0d7cb250b50fdccf73afe202e7f
Instruction Fuzzy Hash: ED016CB09427597DE3008F5A8C85B52FFA8FF19354F00415B915C47941C7F5A864CBE5

Function 0075EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0075EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0075EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0075EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0075EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0075EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0075EB75

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: fd8dd470a1ef6a2c04d5a99aa90b80a716631d7d1400dd653a3cc8d21542fbc9
Instruction ID: b71502eb6c1a5ae8472fe98ca8871064704503f5bace4415a16056f7298a8e31
Opcode Fuzzy Hash: fd8dd470a1ef6a2c04d5a99aa90b80a716631d7d1400dd653a3cc8d21542fbc9
Instruction Fuzzy Hash: 80F054B2680158BBE72257529C4EEEF3E7CEFCAB11F108168F601D1091E7B85A01C7B9

Function 00747439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00747452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00747469
GetWindowDC.USER32(?), ref: 00747475
GetPixel.GDI32(00000000,?,?), ref: 00747484
ReleaseDC.USER32(?,00000000), ref: 00747496
GetSysColor.USER32(00000005), ref: 007474B0

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: b2c04a6b364f9ebf910a225393034433fd02af79c6198e0d3b9be5bdbf40494d
Instruction ID: 5072e42ba2c72739ca1f03e128ace99d6486bb8fe1e9d0f711dec9abbb0657c2
Opcode Fuzzy Hash: b2c04a6b364f9ebf910a225393034433fd02af79c6198e0d3b9be5bdbf40494d
Instruction Fuzzy Hash: B801AD31540205EFDB125FA4EC08BBA7BB5FF04321F708164F915A21A1CB391E51EB24

Function 00751874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0075187F
UnloadUserProfile.USERENV(?,?), ref: 0075188B
CloseHandle.KERNEL32(?), ref: 00751894
CloseHandle.KERNEL32(?), ref: 0075189C
GetProcessHeap.KERNEL32(00000000,?), ref: 007518A5
HeapFree.KERNEL32(00000000), ref: 007518AC

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: ab2892cac1b7e3f227b3f554b57302e357ca59fb2278e9e92853eedd7f3e525a
Instruction ID: 5bf06edb8c93edaf652fcf37e14bfbde19d55178d2d1d09c34f3359cf9663953
Opcode Fuzzy Hash: ab2892cac1b7e3f227b3f554b57302e357ca59fb2278e9e92853eedd7f3e525a
Instruction Fuzzy Hash: DCE0E576484105BBDB025FA1ED0CD0ABF39FF49B22B20C220F22581474CB369821EF68

Function 006FBBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 006FBEB3

Strings

D%|, xrefs: 006FBDED, 006FBD91, 006FBD1B
D%|, xrefs: 006FBE9A
D%|, xrefs: 006FBCA2
D%|D%|, xrefs: 006FBCA5

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%|$D%|$D%|$D%|D%|
API String ID: 1385522511-1919417341
Opcode ID: c0bb3beacb4b493bfca605f3ce42163a00baf8eac437c51b9a3155336f29d56e
Instruction ID: a6a2339168449304bc59e8c2df3c7d58a01ebad32c883df4aa44af37913edcf0
Opcode Fuzzy Hash: c0bb3beacb4b493bfca605f3ce42163a00baf8eac437c51b9a3155336f29d56e
Instruction Fuzzy Hash: F9913A75A0020ACFCB18CF58C091ABAB7F2FF58310F24916EDA55AB351D775E982CB90

Function 00777B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00710242: EnterCriticalSection.KERNEL32(007C070C,007C1884,?,?,0070198B,007C2518,?,?,?,006F12F9,00000000), ref: 0071024D
Part of subcall function 00710242: LeaveCriticalSection.KERNEL32(007C070C,?,0070198B,007C2518,?,?,?,006F12F9,00000000), ref: 0071028A

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

Part of subcall function 007100A3: __onexit.LIBCMT ref: 007100A9

__Init_thread_footer.LIBCMT ref: 00777BFB

Part of subcall function 007101F8: EnterCriticalSection.KERNEL32(007C070C,?,?,00708747,007C2514), ref: 00710202
Part of subcall function 007101F8: LeaveCriticalSection.KERNEL32(007C070C,?,00708747,007C2514), ref: 00710235

Strings

G, xrefs: 00777C7F
5, xrefs: 00777C78
Variable must be of type 'Object'., xrefs: 00777C3A
+Tt, xrefs: 00777E2E

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +Tt$5$G$Variable must be of type 'Object'.
API String ID: 535116098-3166622399
Opcode ID: 492e1cba6b7e6078dcf362fb5c13de03ff8a612f331a7009b398e1bb6627fba7
Instruction ID: 4d6ec24e7cc24684db50f201b954bee1d09339f9c5f4a51c73af656a73437236
Opcode Fuzzy Hash: 492e1cba6b7e6078dcf362fb5c13de03ff8a612f331a7009b398e1bb6627fba7
Instruction Fuzzy Hash: 9B916B70A04209EFCF19EF54D8959BDB7B6BF48340F10805DF81A9B292DB79AE41CB61

Function 0075C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006F7620: _wcslen.LIBCMT ref: 006F7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0075C6EE
_wcslen.LIBCMT ref: 0075C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0075C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0075C7CA

Strings

0, xrefs: 0075C6AF

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 17d70e1affa854cdbd513d326076400c2399079e35072ffb441ff5dcfdb3f0d0
Instruction ID: f0bf199edd7a0dd4bdb1a58e9f22ab7deddbb8a817906bcec6f903759c4797c7
Opcode Fuzzy Hash: 17d70e1affa854cdbd513d326076400c2399079e35072ffb441ff5dcfdb3f0d0
Instruction Fuzzy Hash: 6E51CD716043019FD7529E28C885BAAB7E8EB49311F040A2DFD95D35E1DBB8DD088B96

Function 0077AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0077AEA3

Part of subcall function 006F7620: _wcslen.LIBCMT ref: 006F7625

GetProcessId.KERNEL32(00000000), ref: 0077AF38
CloseHandle.KERNEL32(00000000), ref: 0077AF67

Strings

<, xrefs: 0077AE6B
@, xrefs: 0077AE72

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: ebb7df6a16b4f2759255e16ab0ce636b85bf5a785fee38efbbb111bcd154f495
Instruction ID: 36fa17f7a5a338d6470c7d7a9b1f27d5701809272e3144c651d68e628d4db51b
Opcode Fuzzy Hash: ebb7df6a16b4f2759255e16ab0ce636b85bf5a785fee38efbbb111bcd154f495
Instruction Fuzzy Hash: 70715870A00619EFDF14DF54C485AAEBBF1BF48314F048499E81AAB392CB78ED45CB95

Function 0075719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00757206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0075723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0075724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 007572CF

Strings

DllGetClassObject, xrefs: 00757242

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: ad068af2697cee50e3991c0fb82b1d0837fb1b0c4bc6d2ef4e32ed84e1f2bb8b
Instruction ID: 2500557ea6bfadbc8e8e555e8eaca64a45d0d9a33310d8dea1a93657f5d2fd55
Opcode Fuzzy Hash: ad068af2697cee50e3991c0fb82b1d0837fb1b0c4bc6d2ef4e32ed84e1f2bb8b
Instruction Fuzzy Hash: 15412FB1A04204EFDB19CF54D884ADA7BB9FF44311F2480A9BD059F20AD7F9D949DBA0

Function 00783D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00783E35
IsMenu.USER32(?), ref: 00783E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00783E92
DrawMenuBar.USER32 ref: 00783EA5

Strings

0, xrefs: 00783D89

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 0033662af6e438ea43784c621679c17f70cbe0642a08ca5f7442bd5c84dd9cf7
Instruction ID: 96cb4e19ce9829bfec9b42c85715fdb406e71f327e3ba72335bb807463959e34
Opcode Fuzzy Hash: 0033662af6e438ea43784c621679c17f70cbe0642a08ca5f7442bd5c84dd9cf7
Instruction Fuzzy Hash: 54416775A00209EFDF10EF69D884EAABBB9FF49750F148129E915A7250D738AE50CF60

Function 00751DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

Part of subcall function 00753CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00753CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00751E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00751E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00751EA9

Part of subcall function 006F6B57: _wcslen.LIBCMT ref: 006F6B6A

Strings

ComboBox, xrefs: 00751DF0
ListBox, xrefs: 00751E25

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 221faca31f4dea402f844c126f06b8a7db75591d8e1637636ec93e7c47236bd2
Instruction ID: 04d357dc859e23d447d26f1c598157ec078bf2f71f30cb606fc9ea03d6214c51
Opcode Fuzzy Hash: 221faca31f4dea402f844c126f06b8a7db75591d8e1637636ec93e7c47236bd2
Instruction Fuzzy Hash: 64212371A00108AADB14AB64CC4AEFFB7B9DF42392B54452DFC21A31E0DB7C490D8630

Function 00782F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00782F8D
LoadLibraryW.KERNEL32(?), ref: 00782F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00782FA9
DestroyWindow.USER32(?), ref: 00782FB1

Strings

SysAnimate32, xrefs: 00782F68

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 6bab799fbdfdc5e8477529c6bae4495a1147cea30e4ee6cf22ffffccd1257618
Instruction ID: 6ac55fad217ebeb4d56f21c5679c82e5ab2b9c5db22c1e75d9400a5f3952187c
Opcode Fuzzy Hash: 6bab799fbdfdc5e8477529c6bae4495a1147cea30e4ee6cf22ffffccd1257618
Instruction Fuzzy Hash: 6921DC71244209ABEB116F64DC84EBB37B9EF59325F204628FA10D20A2D779DC52D760

Function 00714D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00714D1E,007228E9,?,00714CBE,007228E9,007B88B8,0000000C,00714E15,007228E9,00000002), ref: 00714D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00714DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00714D1E,007228E9,?,00714CBE,007228E9,007B88B8,0000000C,00714E15,007228E9,00000002,00000000), ref: 00714DC3

Strings

CorExitProcess, xrefs: 00714D98
mscoree.dll, xrefs: 00714D86

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: d79c2c11f14421247a80fe0f9c609ff4503a685a1b2fefc4b0ea11c70cf96681
Instruction ID: a60a8ddf281e321e215309b37d842430cf9265f98bafa8870bf575e69f663f40
Opcode Fuzzy Hash: d79c2c11f14421247a80fe0f9c609ff4503a685a1b2fefc4b0ea11c70cf96681
Instruction Fuzzy Hash: 50F0A430A50208BFDF115F94EC49BDDBBB5EF04712F104094F905A2190CB385A80CBD5

Function 0074D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0074D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0074D3BF
FreeLibrary.KERNEL32(00000000), ref: 0074D3E5

Strings

X64, xrefs: 0074D2A8
GetSystemWow64DirectoryW, xrefs: 0074D3B9

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 1398769871505b99b96302531416c5284ffe9f5d3739c445aaa8e42bf0f6fbbc
Instruction ID: c8ddcf0debd29f68919594a95a8c24b44f848730b5640cc1e3df3fd0def3d41b
Opcode Fuzzy Hash: 1398769871505b99b96302531416c5284ffe9f5d3739c445aaa8e42bf0f6fbbc
Instruction Fuzzy Hash: EEF055B1942620DBD3322B108C8CA693714BF02B01BA4C1A8F882E1140DBBCCC4087A3

Function 006F4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,006F4EDD,?,007C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006F4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 006F4EAE
FreeLibrary.KERNEL32(00000000,?,?,006F4EDD,?,007C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006F4EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 006F4EA8
kernel32.dll, xrefs: 006F4E94

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: ebc41899d6c57628edc0fcb7bffad33162250c04a5340a5daa3dfd13d6b3d37c
Instruction ID: 73e56fe7ae25a64dd119656c15408736bece67047b2e6dc23b4b0a324607781d
Opcode Fuzzy Hash: ebc41899d6c57628edc0fcb7bffad33162250c04a5340a5daa3dfd13d6b3d37c
Instruction Fuzzy Hash: 06E08675E416265B93331B257C5CBAB6955AF81F627154115FE00D2700DF78CD0582B4

Function 006F4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00733CDE,?,007C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006F4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 006F4E74
FreeLibrary.KERNEL32(00000000,?,?,00733CDE,?,007C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006F4E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 006F4E6E
kernel32.dll, xrefs: 006F4E5B

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: b381ffbad5e2b9d3c02faa571e5cf21ab09144d63e53e76d45bd37a27af63a78
Instruction ID: c9692e604211d32838d9acf19ece3a169ae7b5b5ff51c54b766ed49d9534d06e
Opcode Fuzzy Hash: b381ffbad5e2b9d3c02faa571e5cf21ab09144d63e53e76d45bd37a27af63a78
Instruction Fuzzy Hash: DFD0C271946A255747331B257C0CEDB2A1AAF81F113154210BA00A2210CF38CD0583F4

Function 00762947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00762C05
DeleteFileW.KERNEL32(?), ref: 00762C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00762C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00762CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00762CC0

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 82cbd8a142bec5700fe62ec3afd60b20b7d57812df187fb91d7184b8fe1edac2
Instruction ID: bb091ef65f907e9c66fd6dfebf16511a9d8047dcf5dd4e6b0cff7f00e40252f8
Opcode Fuzzy Hash: 82cbd8a142bec5700fe62ec3afd60b20b7d57812df187fb91d7184b8fe1edac2
Instruction Fuzzy Hash: E8B1617190051DABDF61DBA4CC89EDE77BDEF08300F1040A6FA0AE6142EA349E458F65

Function 0077A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0077A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0077A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0077A468
CloseHandle.KERNEL32(?), ref: 0077A63D

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 74c232d930dbab51590e388b167ebeb776125f3ad36ea9b93aa1e337e20a91cc
Instruction ID: ae6024d21a71c04595ed09d4d8db1b07bd000ad223ea012a7e7b2b357146a774
Opcode Fuzzy Hash: 74c232d930dbab51590e388b167ebeb776125f3ad36ea9b93aa1e337e20a91cc
Instruction Fuzzy Hash: 7CA1A171604301AFEB20DF24C886F2AB7E5AF84714F14C85DF95A9B2D2D7B4EC418B96

Function 0072BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00793700), ref: 0072BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,007C121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0072BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,007C1270,000000FF,?,0000003F,00000000,?), ref: 0072BC36
_free.LIBCMT ref: 0072BB7F

Part of subcall function 007229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0072D7D1,00000000,00000000,00000000,00000000,?,0072D7F8,00000000,00000007,00000000,?,0072DBF5,00000000), ref: 007229DE
Part of subcall function 007229C8: GetLastError.KERNEL32(00000000,?,0072D7D1,00000000,00000000,00000000,00000000,?,0072D7F8,00000000,00000007,00000000,?,0072DBF5,00000000,00000000), ref: 007229F0

_free.LIBCMT ref: 0072BD4B

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 5a05d1af083f7069b220192268d966370d8ef0eaf0bb2faefbd774ed6f4a10d5
Instruction ID: 9eed53f748f337eaa76ec910636683ad4108499f672949787f328f0e69a60833
Opcode Fuzzy Hash: 5a05d1af083f7069b220192268d966370d8ef0eaf0bb2faefbd774ed6f4a10d5
Instruction Fuzzy Hash: B051E971900229EFCB10EF65AC85DAEB7BCFF45310B50826EE554D7192EB389D818B64

Function 0075E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0075DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0075CF22,?), ref: 0075DDFD

Part of subcall function 0075DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0075CF22,?), ref: 0075DE16

Part of subcall function 0075E199: GetFileAttributesW.KERNEL32(?,0075CF95), ref: 0075E19A

lstrcmpiW.KERNEL32(?,?), ref: 0075E473
MoveFileW.KERNEL32(?,?), ref: 0075E4AC
_wcslen.LIBCMT ref: 0075E5EB
_wcslen.LIBCMT ref: 0075E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0075E650

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: cff009c88600eec4d955c27ed19c04b06fa06fff8678f731953015826c257eb6
Instruction ID: a7d55b635211755304065c72c264fc72cafe916f4b61d4afb53b0841c8874b6b
Opcode Fuzzy Hash: cff009c88600eec4d955c27ed19c04b06fa06fff8678f731953015826c257eb6
Instruction Fuzzy Hash: 525175B24083859BC778DB94DC859DB73ECAF84341F00491EFA89D3191EF79A68C8766

Function 0077B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

Part of subcall function 0077C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0077B6AE,?,?), ref: 0077C9B5
Part of subcall function 0077C998: _wcslen.LIBCMT ref: 0077C9F1
Part of subcall function 0077C998: _wcslen.LIBCMT ref: 0077CA68
Part of subcall function 0077C998: _wcslen.LIBCMT ref: 0077CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0077BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0077BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0077BB63
RegCloseKey.ADVAPI32(?,?), ref: 0077BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0077BBB3

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: fdeefa71cbd510c9f59a1e349036704e05720a3af481b0b2ab6a3a4c4a667c53
Instruction ID: 180a319158901cc6b887201ed0a7ab246a3c7714ab4f163cba5c595d83d5b0cb
Opcode Fuzzy Hash: fdeefa71cbd510c9f59a1e349036704e05720a3af481b0b2ab6a3a4c4a667c53
Instruction Fuzzy Hash: DB617B71208245AFD714DF24C890F2ABBE5BF84348F14895CF5998B2A2DB35ED45CB92

Function 00758BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00758BCD
VariantClear.OLEAUT32 ref: 00758C3E
VariantClear.OLEAUT32 ref: 00758C9D
VariantClear.OLEAUT32(?), ref: 00758D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00758D3B

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 827e5ca6c9303bc6ff938af0834c0ed8f7834f7312fe22adfbcd861f602fe01a
Instruction ID: 9ec384a3ebeb576dd78fafd3995fc531b8c8ddff02c3c5102520af8f53d90cbd
Opcode Fuzzy Hash: 827e5ca6c9303bc6ff938af0834c0ed8f7834f7312fe22adfbcd861f602fe01a
Instruction Fuzzy Hash: E1516BB5A00219DFCB10CF68C884AAAB7F4FF8D310B158559E919EB350E774E911CBA0

Function 00768AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00768BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00768BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00768C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00768C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00768C5F

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: be51b7afa88d5b40925e16bdb19beb7f80deb719040369159d9926a4fbb94ca6
Instruction ID: bb1f000437b6d7d6a1c8e6b4ce13c8c0900fcb92550ea5b55f74cd204fe26df1
Opcode Fuzzy Hash: be51b7afa88d5b40925e16bdb19beb7f80deb719040369159d9926a4fbb94ca6
Instruction Fuzzy Hash: 7C515F35A00219DFCB15DF54C880E69BBF5FF48314F088498E94AAB3A2CB35ED45CBA5

Function 00778EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00778F40
GetProcAddress.KERNEL32(00000000,?), ref: 00778FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00778FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00779032
FreeLibrary.KERNEL32(00000000), ref: 00779052

Part of subcall function 0070F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00761043,?,7735E610), ref: 0070F6E6
Part of subcall function 0070F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0074FA64,00000000,00000000,?,?,00761043,?,7735E610,?,0074FA64), ref: 0070F70D

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 78c7c127ac93ef0e959e86cc62112db23503adabf75a89f856e4092445a81b50
Instruction ID: daf503ba6ce7d2a2e22cc7d281fa6dbe63fe805db4de97f9814f07323b0cfe61
Opcode Fuzzy Hash: 78c7c127ac93ef0e959e86cc62112db23503adabf75a89f856e4092445a81b50
Instruction Fuzzy Hash: 48515934605209DFCB55DF58C4948ADBBF2FF49354B08C0A8E90AAB362DB35ED85CB91

Function 00786B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00786C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00786C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00786C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0076AB79,00000000,00000000), ref: 00786C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00786CC7

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 570d964345d0e9ee78d61599833e15da5b42918fd3df31b23b2735bfcef1becf
Instruction ID: b600c1ba8ce794ed79b74f3f1d3ee1e094dc26ac68c43cdaeabf61ffe3d55bad
Opcode Fuzzy Hash: 570d964345d0e9ee78d61599833e15da5b42918fd3df31b23b2735bfcef1becf
Instruction Fuzzy Hash: 1541D275680104BFDB25EF28CC58FA97BA5EB09350F254268F895A72E0D379FD40CB60

Function 00722051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007220C3
_free.LIBCMT ref: 007220E3

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: c0d31bad15f9bad9e99ccaa0e6b069159d30ba9f7f092f3c6dec66b7f24f04a4
Instruction ID: 95fa276194453b7b90ec21f256ff017b3896bcc17e389a3952cc418322c71436
Opcode Fuzzy Hash: c0d31bad15f9bad9e99ccaa0e6b069159d30ba9f7f092f3c6dec66b7f24f04a4
Instruction Fuzzy Hash: 7041E432A00214EFCB20DF78D884A5DB3E5EF88310F1585A8E515EB392EB35ED02CB81

Function 0070912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00709141
ScreenToClient.USER32(00000000,?), ref: 0070915E
GetAsyncKeyState.USER32(00000001), ref: 00709183
GetAsyncKeyState.USER32(00000002), ref: 0070919D

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: baedbb6c707e81f98bb3990d3258366c675dc0a190f4e33f0094e562dd9f9ccc
Instruction ID: e9213fea1769e78e6fc9cd66de0c5f2532318e194d5f80dbf54e35989c9354c5
Opcode Fuzzy Hash: baedbb6c707e81f98bb3990d3258366c675dc0a190f4e33f0094e562dd9f9ccc
Instruction Fuzzy Hash: F8415E71A0860AFBDF199F68C848BEEB7B5FF45320F208315E525A62D1D7386950CBA1

Function 00763874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 007638CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00763922
TranslateMessage.USER32(?), ref: 0076394B
DispatchMessageW.USER32(?), ref: 00763955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00763966

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: b6e124582e8e73429cdc7738c4e348e68d350e54f221fc64bfb5746f4c09f09e
Instruction ID: 571e39b3d88a727d062486987327a818e76e959599fbc74a716f029654be1437
Opcode Fuzzy Hash: b6e124582e8e73429cdc7738c4e348e68d350e54f221fc64bfb5746f4c09f09e
Instruction Fuzzy Hash: EC3186705043829EEB25CB34D848FB637A8EB06308F54456DE867C21A1E7BCBA85CF25

Function 0076CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0076C21E,00000000), ref: 0076CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0076CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0076C21E,00000000), ref: 0076CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0076C21E,00000000), ref: 0076CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0076C21E,00000000), ref: 0076CFF2

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 253da33e935e2390e50baf4316ad58288ef3f7eb5fc1210eec9a9cc560043a23
Instruction ID: 41ceedf7a1d78b841907613ad301eeac87a939e5a20c2c3c7c40a2af6d379baa
Opcode Fuzzy Hash: 253da33e935e2390e50baf4316ad58288ef3f7eb5fc1210eec9a9cc560043a23
Instruction Fuzzy Hash: 49315072600205EFDB21DFA5D8889BBBBF9EB14350B10842EF957D2541D738AE41DBA0

Function 00751901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00751915
PostMessageW.USER32(00000001,00000201,00000001), ref: 007519C1
Sleep.KERNEL32(00000000,?,?,?), ref: 007519C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 007519DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 007519E2

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 40d0b1e3f0f090d47fdb9dc7fc3a058bf106a41f7e268f233033fda1744c3c12
Instruction ID: 2e12bc3336e2ac851d1299ec6147be4c5cdf95e5dc503a4e11d77a1fa1853d4c
Opcode Fuzzy Hash: 40d0b1e3f0f090d47fdb9dc7fc3a058bf106a41f7e268f233033fda1744c3c12
Instruction Fuzzy Hash: CD31A171A00259EFCB00CFA8C999BDE7BB5EB44316F108225FD21A72D1C7B4AD48CB90

Function 00785706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00785745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0078579D
_wcslen.LIBCMT ref: 007857AF
_wcslen.LIBCMT ref: 007857BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00785816

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: d57dc7572de03f6cdc492adbb04bc2717514d7928b702cea6f8d9e97245efff7
Instruction ID: be1178a80e458a69cfbd90ef8ae3c400a3c55ba75e58b52c668a9cfe1e1cffac
Opcode Fuzzy Hash: d57dc7572de03f6cdc492adbb04bc2717514d7928b702cea6f8d9e97245efff7
Instruction Fuzzy Hash: 3921A571944618DADB21AF64CC84EEDB7B8FF04320F108266E929EA1D0D7789985CF50

Function 00770930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00770951
GetForegroundWindow.USER32 ref: 00770968
GetDC.USER32(00000000), ref: 007709A4
GetPixel.GDI32(00000000,?,00000003), ref: 007709B0
ReleaseDC.USER32(00000000,00000003), ref: 007709E8

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: ae3f89a5f5fb987fbb4f851b9baca70e3e7e9ba77947a53773447b18a9a7a56e
Instruction ID: 46b22ed17009eace5f1c843f2247ca18665c1d62205c75fb32093d827ac457f4
Opcode Fuzzy Hash: ae3f89a5f5fb987fbb4f851b9baca70e3e7e9ba77947a53773447b18a9a7a56e
Instruction Fuzzy Hash: 40216F39600204EFD704EF65D988AAEBBE5EF44744F14C06CE94A97352DB38AC04CBA0

Function 0072CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0072CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0072CDE9

Part of subcall function 00723820: RtlAllocateHeap.NTDLL(00000000,?,007C1444,?,0070FDF5,?,?,006FA976,00000010,007C1440,006F13FC,?,006F13C6,?,006F1129), ref: 00723852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0072CE0F
_free.LIBCMT ref: 0072CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0072CE31

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 04e736fdd48ce85d67f75971aa359adc5a80c0dda04e653d6e5e3dced8edc837
Instruction ID: 429be7a7b10b525c4b1a50f417c68443c5c004576569970513e86a45abde40de
Opcode Fuzzy Hash: 04e736fdd48ce85d67f75971aa359adc5a80c0dda04e653d6e5e3dced8edc837
Instruction Fuzzy Hash: E701D472E012357F232316B67C8CC7F696DDED6BA1326412DF905C7201EA798D0282B5

Function 00709639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00709693
SelectObject.GDI32(?,00000000), ref: 007096A2
BeginPath.GDI32(?), ref: 007096B9
SelectObject.GDI32(?,00000000), ref: 007096E2

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 319581ca85bbb853d66ec6bac3bb432b192d21fcc18ff3809be4e09fd00ea61a
Instruction ID: dbaa2de2946830646b12492c498905508abb6eeadac6bf8d07c5c0fcb0af8f4c
Opcode Fuzzy Hash: 319581ca85bbb853d66ec6bac3bb432b192d21fcc18ff3809be4e09fd00ea61a
Instruction Fuzzy Hash: 45218370801345EBDB119F24EC08BA93BB4BB41755F608329F510971F2D37DA851CF98

Function 00755711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00755726
_memcmp.LIBVCRUNTIME ref: 00755744
_memcmp.LIBVCRUNTIME ref: 00755757
_memcmp.LIBVCRUNTIME ref: 0075576F
_memcmp.LIBVCRUNTIME ref: 00755787

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: be4ec958db2b1b73afdf5dd29b6e7982a7cf521faa86df6a68f17288d42e8073
Instruction ID: 89da64c04fe0499e7c0684927d944087d75f3ebc25e17248f5450bdb8cff6cdc
Opcode Fuzzy Hash: be4ec958db2b1b73afdf5dd29b6e7982a7cf521faa86df6a68f17288d42e8073
Instruction Fuzzy Hash: 8901B5A1681A0DFBE30865259D92FFB735D9B25396F504420FE149E281F7ACEE5483B0

Function 0075000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0074FF41,80070057,?,?,?,0075035E), ref: 0075002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0074FF41,80070057,?,?), ref: 00750046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0074FF41,80070057,?,?), ref: 00750054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0074FF41,80070057,?), ref: 00750064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0074FF41,80070057,?,?), ref: 00750070

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 6a71fe5a7dbd12d2449a77b5ad2e49aad6949dbb5ec19bdc2085300b2c5145ff
Instruction ID: 6d98501bedabb0951514f29a081336ffe88acee2030566fe601b0126d5205fd6
Opcode Fuzzy Hash: 6a71fe5a7dbd12d2449a77b5ad2e49aad6949dbb5ec19bdc2085300b2c5145ff
Instruction Fuzzy Hash: F201A276640204BFDB114F68DC08BEA7AEDEF44762F248124FD09D6250D7B9DD449BA0

Function 0075E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0075E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0075E9A5
Sleep.KERNEL32(00000000), ref: 0075E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0075E9B7
Sleep.KERNEL32 ref: 0075E9F3

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: da69d74ec819d549aafb6adab8aa10aa576cb458c50019564a38b95bd8456e4c
Instruction ID: dbc586b762befd960b3f5954412ff26c51b9b0b9476d538485e396270321c3df
Opcode Fuzzy Hash: da69d74ec819d549aafb6adab8aa10aa576cb458c50019564a38b95bd8456e4c
Instruction Fuzzy Hash: C5018B71C0052DDBCF059BE4D8896DDBB78BB08302F004506E812B2141DB78A649C766

Function 007510F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00751114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00750B9B,?,?,?), ref: 00751120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00750B9B,?,?,?), ref: 0075112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00750B9B,?,?,?), ref: 00751136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0075114D

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 027c83c30e62edc131cc52a07d036a6af1528d0267636e51374ee90d453bb078
Instruction ID: 53f35cb447c4aa76cf2f1c5857e00bb808308d134cf807bb4cd902466a7276bf
Opcode Fuzzy Hash: 027c83c30e62edc131cc52a07d036a6af1528d0267636e51374ee90d453bb078
Instruction Fuzzy Hash: 6F016D75540609BFDB124FA8EC4DAAA3B6EEF85361B214454FA41C3350DB75DC008F70

Function 00750FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00750FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00750FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00750FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00750FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00751002

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 792d86305c0a898eb348a4211e10abe19a86dbb6934e751ffc7e7e27204cbc22
Instruction ID: 9e16706a3b0b564c0d1c33dc6e54cf227664d53a55c6879e0b16a6bdc00becfd
Opcode Fuzzy Hash: 792d86305c0a898eb348a4211e10abe19a86dbb6934e751ffc7e7e27204cbc22
Instruction Fuzzy Hash: 98F04F75241315ABD7224FA4AC8DF963BADEF89762F608414F949C6291CA78DC408B70

Function 00751014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0075102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00751036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00751045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0075104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00751062

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 8c7ae80109870416e325e9f00719f9fab46d8f4095a1189bcd047c4bdaa9e84a
Instruction ID: a2c81df7585a0fb59d7d991e49399016db6aa6188ea636909bcb2000e7d389aa
Opcode Fuzzy Hash: 8c7ae80109870416e325e9f00719f9fab46d8f4095a1189bcd047c4bdaa9e84a
Instruction Fuzzy Hash: EFF04975240355ABDB225FA4EC89F963BADEF89762F604414FA49CA290CA78DC408B70

Function 0076030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0076017D,?,007632FC,?,00000001,00732592,?), ref: 00760324
CloseHandle.KERNEL32(?,?,?,?,0076017D,?,007632FC,?,00000001,00732592,?), ref: 00760331
CloseHandle.KERNEL32(?,?,?,?,0076017D,?,007632FC,?,00000001,00732592,?), ref: 0076033E
CloseHandle.KERNEL32(?,?,?,?,0076017D,?,007632FC,?,00000001,00732592,?), ref: 0076034B
CloseHandle.KERNEL32(?,?,?,?,0076017D,?,007632FC,?,00000001,00732592,?), ref: 00760358
CloseHandle.KERNEL32(?,?,?,?,0076017D,?,007632FC,?,00000001,00732592,?), ref: 00760365

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 06aa895cf8245d74e6d10aad370a2bf67acb0d637be2b5283b4069b0381a4559
Instruction ID: 8ba5bc33c34986b5d0abb86cb76ecdad7073291687e3a187e96d3cbd4d96ac9e
Opcode Fuzzy Hash: 06aa895cf8245d74e6d10aad370a2bf67acb0d637be2b5283b4069b0381a4559
Instruction Fuzzy Hash: 7C019872800B159FCB31AF66D880813FBF9BE602163158A3ED19752A31C3B5A999DF80

Function 0072D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0072D752

Part of subcall function 007229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0072D7D1,00000000,00000000,00000000,00000000,?,0072D7F8,00000000,00000007,00000000,?,0072DBF5,00000000), ref: 007229DE
Part of subcall function 007229C8: GetLastError.KERNEL32(00000000,?,0072D7D1,00000000,00000000,00000000,00000000,?,0072D7F8,00000000,00000007,00000000,?,0072DBF5,00000000,00000000), ref: 007229F0

_free.LIBCMT ref: 0072D764
_free.LIBCMT ref: 0072D776
_free.LIBCMT ref: 0072D788
_free.LIBCMT ref: 0072D79A

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1a0089d72e3c18a34f1913cc637b259a0b371c3bcd465a2ca001a19ae5e0449a
Instruction ID: c9c0cdcc947640fd95711c479a114dbc6050bd9d8c3aec323f24e75e81960dfe
Opcode Fuzzy Hash: 1a0089d72e3c18a34f1913cc637b259a0b371c3bcd465a2ca001a19ae5e0449a
Instruction Fuzzy Hash: 49F01232544224BB9632EB64F9C5D1677DDBB48710BE58D05F088E7612C73CFCC08A64

Function 00755C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00755C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00755C6F
MessageBeep.USER32(00000000), ref: 00755C87
KillTimer.USER32(?,0000040A), ref: 00755CA3
EndDialog.USER32(?,00000001), ref: 00755CBD

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 9edb934599650149ef436f4bfad229385ad0386f78e8442a8c4286737cee4634
Instruction ID: e859462549c650e0fe9757c4e1e1a20ee326ac4c77387fe88b005c06c63d858e
Opcode Fuzzy Hash: 9edb934599650149ef436f4bfad229385ad0386f78e8442a8c4286737cee4634
Instruction Fuzzy Hash: C601AE306407059BFB215B10DD5EFE577B8BF00706F005569B553614E1DBF85948CB74

Function 007222A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 007222BE

Part of subcall function 007229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0072D7D1,00000000,00000000,00000000,00000000,?,0072D7F8,00000000,00000007,00000000,?,0072DBF5,00000000), ref: 007229DE
Part of subcall function 007229C8: GetLastError.KERNEL32(00000000,?,0072D7D1,00000000,00000000,00000000,00000000,?,0072D7F8,00000000,00000007,00000000,?,0072DBF5,00000000,00000000), ref: 007229F0

_free.LIBCMT ref: 007222D0
_free.LIBCMT ref: 007222E3
_free.LIBCMT ref: 007222F4
_free.LIBCMT ref: 00722305

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 34c9ccac74af82ff70d6e05c914ba80932fa77bdc7c8774150ccfa3e10fab61b
Instruction ID: 31e8528c0303bf53be00e64402bf2569d2e03908e681415acb510d7fe82c3619
Opcode Fuzzy Hash: 34c9ccac74af82ff70d6e05c914ba80932fa77bdc7c8774150ccfa3e10fab61b
Instruction Fuzzy Hash: 92F03A74900131EB8613AF54BC05D483BA4FB19761781C61EF460E22B3C73D9892AFEC

Function 007095C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 007095D4
StrokeAndFillPath.GDI32(?,?,007471F7,00000000,?,?,?), ref: 007095F0
SelectObject.GDI32(?,00000000), ref: 00709603
DeleteObject.GDI32 ref: 00709616
StrokePath.GDI32(?), ref: 00709631

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 2b2f7107f4f468c25147668410bce32c31e2ffaaa5da3a4237382462abf3a9f9
Instruction ID: e5cfd3d133caea795d15c878c0025346cb68520d4a087c7d6454f0e3e881d181
Opcode Fuzzy Hash: 2b2f7107f4f468c25147668410bce32c31e2ffaaa5da3a4237382462abf3a9f9
Instruction Fuzzy Hash: 26F03C30045648EBDB525F65ED1CBA43BA1AB02362F54C328F525590F2D73D99A1DF28

Function 00720F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 007210F9
__freea.LIBCMT ref: 00721117

Part of subcall function 00721537: _free.LIBCMT ref: 0072154F

Strings

a/p, xrefs: 007211DE
am/pm, xrefs: 0072117A

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 3f98eb05d10c0ee0f2f7d74edb439dfe9f84215c41893436f32d3d0388f84700
Instruction ID: 88de4a0d9edb792b33ce053d2d9583a69f88ee557fb6997f50ca72320038290a
Opcode Fuzzy Hash: 3f98eb05d10c0ee0f2f7d74edb439dfe9f84215c41893436f32d3d0388f84700
Instruction Fuzzy Hash: 2ED13931E0022ADACB24DF68E855BFEB7B2FF25310FA44159E5019B652D33D9E81CB91

Function 007761D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00710242: EnterCriticalSection.KERNEL32(007C070C,007C1884,?,?,0070198B,007C2518,?,?,?,006F12F9,00000000), ref: 0071024D
Part of subcall function 00710242: LeaveCriticalSection.KERNEL32(007C070C,?,0070198B,007C2518,?,?,?,006F12F9,00000000), ref: 0071028A

Part of subcall function 007100A3: __onexit.LIBCMT ref: 007100A9

__Init_thread_footer.LIBCMT ref: 00776238

Part of subcall function 007101F8: EnterCriticalSection.KERNEL32(007C070C,?,?,00708747,007C2514), ref: 00710202
Part of subcall function 007101F8: LeaveCriticalSection.KERNEL32(007C070C,?,00708747,007C2514), ref: 00710235

Part of subcall function 0076359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007635E4
Part of subcall function 0076359C: LoadStringW.USER32(007C2390,?,00000FFF,?), ref: 0076360A

Strings

x#|, xrefs: 0077636F
x#|, xrefs: 00776353
x#|, xrefs: 0077633A

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#|$x#|$x#|
API String ID: 1072379062-278022409
Opcode ID: 137e2ff5dc91d4a20b37b081e373fe7d4b2a6c2d0997678cd769b8142a330844
Instruction ID: 1d4789f35e981a2f965baec6ed6232159f3925f56a8e03f90c6512b4a68ef645
Opcode Fuzzy Hash: 137e2ff5dc91d4a20b37b081e373fe7d4b2a6c2d0997678cd769b8142a330844
Instruction Fuzzy Hash: 1CC18D71A00509EFCF14DF58C894EBAB7B9FF48340F148069EA099B296DB78ED55CB90

Function 00725AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOo, xrefs: 00725BA8, 00725C6C

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID: JOo
API String ID: 0-681639431
Opcode ID: f82180777fa3b4b7c688f586a334411cf525c6db7ed69fc619db4395136ed896
Instruction ID: ca6690c209f3f8fb4718815a0cb6a8824bd28b4ac10d0b2378ede41cd23b57bc
Opcode Fuzzy Hash: f82180777fa3b4b7c688f586a334411cf525c6db7ed69fc619db4395136ed896
Instruction Fuzzy Hash: 7451B6B1D0062ADFCB219FA8E849FEE7BB4AF45310F140159F405A7291E77D9981CB71

Function 00728A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00728B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00728B7A
__dosmaperr.LIBCMT ref: 00728B81

Strings

.q, xrefs: 00728A63

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .q
API String ID: 2434981716-2393120612
Opcode ID: 976529eed97753042a92475f639cbd420359c2e3d7c9ae46cb68cde7905703ab
Instruction ID: fe20779c9d955d720e652727cd9c08a5612696098fe7e133be87328e067ca425
Opcode Fuzzy Hash: 976529eed97753042a92475f639cbd420359c2e3d7c9ae46cb68cde7905703ab
Instruction Fuzzy Hash: 5A41AEF0605065AFD7659F24E884E7D3FA5EB45300F28C1ADF4558B642DE3ECC028795

Function 00752716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0075B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007521D0,?,?,00000034,00000800,?,00000034), ref: 0075B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00752760

Part of subcall function 0075B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007521FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0075B3F8

Part of subcall function 0075B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0075B355
Part of subcall function 0075B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00752194,00000034,?,?,00001004,00000000,00000000), ref: 0075B365
Part of subcall function 0075B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00752194,00000034,?,?,00001004,00000000,00000000), ref: 0075B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007527CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0075281A

Strings

@, xrefs: 00752832

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: e7948eee2ee038e5f5f26b654bf1c46ac40f9aa439bd5473ae934e96a50e5c55
Instruction ID: ce0d9431da33d5e7de13c70b96ec9f9c9099214f863a4e887082a2f43454c5a6
Opcode Fuzzy Hash: e7948eee2ee038e5f5f26b654bf1c46ac40f9aa439bd5473ae934e96a50e5c55
Instruction Fuzzy Hash: 0F412072900218BFDB10DFA4CD85AEEBBB8EF09700F104095FA55B7181DBB56E49CB61

Function 0072172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00721769
_free.LIBCMT ref: 00721834
_free.LIBCMT ref: 0072183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00721760, 00721767, 00721796, 007217CE

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-3587028468
Opcode ID: 8c0599b914c60358fc3fd3070da68e1e62826c72ba7fdbb73094c61dcf9c1860
Instruction ID: 4b527e74e2919657ee52aad59b62369151085a38d9b1ed6f157d844fdee16423
Opcode Fuzzy Hash: 8c0599b914c60358fc3fd3070da68e1e62826c72ba7fdbb73094c61dcf9c1860
Instruction Fuzzy Hash: 9F315275A00268FFDB21DF99A885D9EBBFCFBA5310F94416AF80497211D6789E40CB90

Function 0075C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0075C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0075C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,007C1990,00C355D0), ref: 0075C395

Strings

0, xrefs: 0075C2DF

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 4a4e80df45833f6dc46ebfaf8b0808ad3c760871c05b06c9b8cd4b5fda9e17a5
Instruction ID: 2cb8da557222e36dcab090aae45686bcb77b8a628e43098ef4af9d4822761157
Opcode Fuzzy Hash: 4a4e80df45833f6dc46ebfaf8b0808ad3c760871c05b06c9b8cd4b5fda9e17a5
Instruction Fuzzy Hash: 5A41A0312043059FD721DF24D885BAABBE4AF85321F10861DFDA5972D1D7B8A908CB62

Function 00784416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0078CC08,00000000,?,?,?,?), ref: 007844AA
GetWindowLongW.USER32 ref: 007844C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007844D7

Strings

SysTreeView32, xrefs: 0078447C

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 269306946a2563f6d9101f9f561dd08f5ff71cc9bd61eec4e00af1a8acdfeac5
Instruction ID: 45a482801baa64e691e265f8adb48f654a95e0114970576e94007a9a080f6155
Opcode Fuzzy Hash: 269306946a2563f6d9101f9f561dd08f5ff71cc9bd61eec4e00af1a8acdfeac5
Instruction Fuzzy Hash: 0931B071250246AFDF21AE78DC45FEA77A9EB08334F204725F979921D0D7B8EC509760

Function 00756E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00756EED
VariantCopyInd.OLEAUT32(?,?), ref: 00756F08
VariantClear.OLEAUT32(?), ref: 00756F12

Strings

*ju, xrefs: 00756E8B, 00756E90, 00756EF8

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *ju
API String ID: 2173805711-1978014906
Opcode ID: a00898ec51168f60ca226b3be4beff06c03c262afcc0dadf9817fe9edfba581e
Instruction ID: c92749b3179bbcb27f7f3e26dc098ddf8970e600958b0334f45d3d0835eac328
Opcode Fuzzy Hash: a00898ec51168f60ca226b3be4beff06c03c262afcc0dadf9817fe9edfba581e
Instruction Fuzzy Hash: 5131D372A04249DFDB05AFA4E8519FD37B6FF41701B500498F9029B2E1CB789D15CBA4

Function 0077304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0077335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00773077,?,?), ref: 00773378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0077307A
_wcslen.LIBCMT ref: 0077309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00773106

Strings

255.255.255.255, xrefs: 00773095, 0077309A

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 91286d521548341714790c3501999339f64f0b94e170ad3be460fa5ac05f79ec
Instruction ID: 9a8f390b125d6f6d18983749af514b8aab2454686157814772277d077dae44f6
Opcode Fuzzy Hash: 91286d521548341714790c3501999339f64f0b94e170ad3be460fa5ac05f79ec
Instruction Fuzzy Hash: C731D339204209DFCF20CF28C485EAA77E1EF14398F64C459E9198B392DB3AEE41D760

Function 00783EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00783F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00783F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00783F78

Strings

SysMonthCal32, xrefs: 00783F0B

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: dd80b6f2b9e3751c3bcbd98a9d4d5bc5437c0a4ab975a0d04f3398a328ff1e41
Instruction ID: f7db6e0b90ca82f9ab6ae010ebfe571041cf66f57526e7342256ca889f08dfeb
Opcode Fuzzy Hash: dd80b6f2b9e3751c3bcbd98a9d4d5bc5437c0a4ab975a0d04f3398a328ff1e41
Instruction Fuzzy Hash: D021BF32650219BBDF159F54CC46FEA3B75EF48714F110214FE15AB1D0D6B9A950CBA0

Function 00784653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00784705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00784713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0078471A

Strings

msctls_updown32, xrefs: 00784684

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 182281b92dad498b6b7f977e5efe9a16a9882ebad2a4cbfdec53fc09b50ee180
Instruction ID: c419f383d0b7d3855560e6dcb3bc263620c59bece1b296f0e43b8feb4e36c66d
Opcode Fuzzy Hash: 182281b92dad498b6b7f977e5efe9a16a9882ebad2a4cbfdec53fc09b50ee180
Instruction Fuzzy Hash: 4C2171B5640209AFDB11EF68DCC5DB737ADEF4A398B140059FA009B251DB74EC11CB64

Function 007595AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0075961D

Strings

#requireadmin, xrefs: 007595D9
#OnAutoItStartRegister, xrefs: 007595F3
#notrayicon, xrefs: 007595B7

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 3056930bde1e3505fad95dbc9230604fd32ce3e3022c8cd9fb9203e329fdb534
Instruction ID: 6972f0aa822ece39bbf303b87b2665cb3c29e22fea81b31966d0ab54505a91e3
Opcode Fuzzy Hash: 3056930bde1e3505fad95dbc9230604fd32ce3e3022c8cd9fb9203e329fdb534
Instruction Fuzzy Hash: BC213172204210E6C731AA289806EFB7398EF91311F40402AFE4996081EB98ADADC2A5

Function 007837B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00783840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00783850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00783876

Strings

Listbox, xrefs: 0078380F

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 5acfcc9d94b9597c29689c7c34afb0331de29fb6096ebb372fc6346a1029ef7b
Instruction ID: 4640f91be54a9d81ed2353836670d898e3cbdf8cc3864d541c0b02d288eeb425
Opcode Fuzzy Hash: 5acfcc9d94b9597c29689c7c34afb0331de29fb6096ebb372fc6346a1029ef7b
Instruction Fuzzy Hash: 0D21A472650118BBEF119F58CC85FBB376EEF89B60F118124F9049B190CA79DC5287A0

Function 007649F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00764A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00764A5C
SetErrorMode.KERNEL32(00000000,?,?,0078CC08), ref: 00764AD0

Strings

%lu, xrefs: 00764A6F

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 4f3a8f26f3e082323744c48c7f3625b1dc8291e086aabc831b577640f21ba952
Instruction ID: bb4bc1bcae10bb13039c236c20c1580da9ef08f85b3af3ade75e621b5fc12892
Opcode Fuzzy Hash: 4f3a8f26f3e082323744c48c7f3625b1dc8291e086aabc831b577640f21ba952
Instruction Fuzzy Hash: 81316D71A00109AFDB11DF64C885EAA7BF9EF08308F1480A9F909DB252DB75EE45CB71

Function 007841EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0078424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00784264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00784271

Strings

msctls_trackbar32, xrefs: 00784226

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: c1984d2438aad8fd17435b332b1baac354da215e64d6d4ea8b49495506e65a96
Instruction ID: cb98fb98040ec2ffaa304b60a43d5097e0bc8fd1a38ec8d26a68db38e8754f2a
Opcode Fuzzy Hash: c1984d2438aad8fd17435b332b1baac354da215e64d6d4ea8b49495506e65a96
Instruction Fuzzy Hash: 4D11E731284209BEEF20AF24CC05FAB37ACFF95754F114124FA55E2090D6B5D8119714

Function 00752F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006F6B57: _wcslen.LIBCMT ref: 006F6B6A

Part of subcall function 00752DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00752DC5
Part of subcall function 00752DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00752DD6
Part of subcall function 00752DA7: GetCurrentThreadId.KERNEL32 ref: 00752DDD
Part of subcall function 00752DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00752DE4

GetFocus.USER32 ref: 00752F78

Part of subcall function 00752DEE: GetParent.USER32(00000000), ref: 00752DF9

GetClassNameW.USER32(?,?,00000100), ref: 00752FC3
EnumChildWindows.USER32(?,0075303B), ref: 00752FEB

Strings

%s%d, xrefs: 00752FFF

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: a87579254928b406245b15e84c40358b31ba3587b91c1839053b4cf622617b4f
Instruction ID: d43e99d04cdd973f6cf3e088b893c913e021826e91f875c0ca4406fb826a5a40
Opcode Fuzzy Hash: a87579254928b406245b15e84c40358b31ba3587b91c1839053b4cf622617b4f
Instruction Fuzzy Hash: 3E1193B1700209ABCF557F64CC89EED376BAF84305F048079BD099B292DE7959498B70

Function 00785882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007858C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007858EE
DrawMenuBar.USER32(?), ref: 007858FD

Strings

0, xrefs: 0078588F

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: fe86c1c3d393ffba73449a8ab356276d765769039ca78717ed3e363e041cfcae
Instruction ID: 49c3e4c905777c72d1ee21f53c844e689dd2312e1a8cf853687978c26039a3e4
Opcode Fuzzy Hash: fe86c1c3d393ffba73449a8ab356276d765769039ca78717ed3e363e041cfcae
Instruction Fuzzy Hash: 09012131540218EFDB21AF11DC48BAEBBB4FB45361F108099E849D6151DB389A94DF31

Function 0075007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e6ec9040b08522eba8c5e8ddbc4a93330fc4bb72dc67bee04ff19b0b13f0bbe
Instruction ID: 431a079e46a80d73f1a9d4a408c3a6c1e3e0304ea7d081681ed7d9b116d27632
Opcode Fuzzy Hash: 6e6ec9040b08522eba8c5e8ddbc4a93330fc4bb72dc67bee04ff19b0b13f0bbe
Instruction Fuzzy Hash: 5CC18C75A0020AEFCB14CFA4C898EAEB7B5FF48315F208598E905EB251D775ED45CB90

Function 0077342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00773459
CoUninitialize.OLE32 ref: 00773463
VariantInit.OLEAUT32(?), ref: 0077346E
VariantClear.OLEAUT32(?), ref: 0077371B

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 4dc2c401fd4722d89d67d88dc941df5c256fa9b860d4936b2c9733455e31459c
Instruction ID: 7839bfc3ae2651e83899ef4090b360fda1c2d3925f4362d5e4eed2160ae297b2
Opcode Fuzzy Hash: 4dc2c401fd4722d89d67d88dc941df5c256fa9b860d4936b2c9733455e31459c
Instruction Fuzzy Hash: A1A13775204204DFCB10DF28C485A2AB7E5FF88764F04885DF98A9B362DB74EE05DB96

Function 00750436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0078FC08,?), ref: 007505F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0078FC08,?), ref: 00750608
CLSIDFromProgID.OLE32(?,?,00000000,0078CC40,000000FF,?,00000000,00000800,00000000,?,0078FC08,?), ref: 0075062D
_memcmp.LIBVCRUNTIME ref: 0075064E

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 7cd24c2d37cd3b0922fead89ce9d3f7f91183708100d3f4e3d5031340d24d750
Instruction ID: 0c8c0bad1a983f0b0213bd27aacb8bfc6c4e968d3f56c936660cca3cccdbb1f0
Opcode Fuzzy Hash: 7cd24c2d37cd3b0922fead89ce9d3f7f91183708100d3f4e3d5031340d24d750
Instruction Fuzzy Hash: BD810F75A00109EFCB04DF94C984DEEB7B9FF89315F204558F916AB250DB75AE0ACBA0

Function 0077A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0077A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0077A6BA

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0077A79C
CloseHandle.KERNEL32(00000000), ref: 0077A7AB

Part of subcall function 0070CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00733303,?), ref: 0070CE8A

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 3913d785bb2f8f8560ed273ce1d7886c16b198d5d7fd18a2ba2da31410cbd072
Instruction ID: 0a4e5afe323936c47d33e8e5b58b0e28b1ba3142daede14c4763f9ef1b90379e
Opcode Fuzzy Hash: 3913d785bb2f8f8560ed273ce1d7886c16b198d5d7fd18a2ba2da31410cbd072
Instruction Fuzzy Hash: 9C517E71508304AFD754DF24C886A6FBBE8FF89754F00892DF58997291EB34D904CBA6

Function 00731391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007314C0

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: a0f3a31e8570ad493d8935ac77406a1ffe1bb7143fa4c773ebfaa6eff42c5b12
Instruction ID: 8f414d17bcd0175247f649ef1d8fd032a5eba0e3db79f2e780d0ca9cf81c8019
Opcode Fuzzy Hash: a0f3a31e8570ad493d8935ac77406a1ffe1bb7143fa4c773ebfaa6eff42c5b12
Instruction Fuzzy Hash: EE410B32A00550EBFB217BBD9C4AAEE3BA5FF41370F544225F419D61D3E63C88815761

Function 00786278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 007862E2
ScreenToClient.USER32(?,?), ref: 00786315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00786382

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 7bca6a6e8f80011a57f45f3997bd4c2953fd2874bc131a1980e7236731785dc8
Instruction ID: 87dc0b852e28d56d271e801730911f9c4ca36857c98732ef059cadfd8cbbb7c5
Opcode Fuzzy Hash: 7bca6a6e8f80011a57f45f3997bd4c2953fd2874bc131a1980e7236731785dc8
Instruction Fuzzy Hash: 5D515D75A40249EFDF10EF68D880AAE7BB6FF45360F208169F9159B6A0D734ED81CB50

Function 00771AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00771AFD
WSAGetLastError.WSOCK32 ref: 00771B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00771B8A
WSAGetLastError.WSOCK32 ref: 00771B94

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 6f730f023631e9c9da43f3243a0c296ca14e11a17447717bfc420f70a67976c8
Instruction ID: 0ec666044a26d78160548ca81de3fb847b4c03903057d021d62e3130fa91b486
Opcode Fuzzy Hash: 6f730f023631e9c9da43f3243a0c296ca14e11a17447717bfc420f70a67976c8
Instruction Fuzzy Hash: 43419F74640200AFEB20AF24C886F3977E5AB45718F54C54CFA1A9F2D3D776DD418B94

Function 0072B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9958f815267fdd8253084730f23cceff9ee29f9e653cbe25d79b5be22a9aa195
Instruction ID: 1b5179fd2918e3e4d5b7dd6381921ab687a94490e85bd180172198250a1fadde
Opcode Fuzzy Hash: 9958f815267fdd8253084730f23cceff9ee29f9e653cbe25d79b5be22a9aa195
Instruction Fuzzy Hash: 6F411972A00764FFD724AF38DC45BAABBE9EB88710F10452EF541DB282D779A9418780

Function 007656D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00765783
GetLastError.KERNEL32(?,00000000), ref: 007657A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 007657CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 007657FA

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 12813c70534475150bb93372330311b0adb51db8612a7451a41e8cd0828c40de
Instruction ID: f7a8f14ff1771a03a4b04f031de0565da1aada420834d0be48fca3c4cfaeedeb
Opcode Fuzzy Hash: 12813c70534475150bb93372330311b0adb51db8612a7451a41e8cd0828c40de
Instruction Fuzzy Hash: 93413D35600615DFCB11DF15C544A6EBBE2EF89320B18C488ED4AAB362CB78FD04DB95

Function 0072D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00716D71,00000000,00000000,007182D9,?,007182D9,?,00000001,00716D71,?,00000001,007182D9,007182D9), ref: 0072D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0072D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0072D9AB
__freea.LIBCMT ref: 0072D9B4

Part of subcall function 00723820: RtlAllocateHeap.NTDLL(00000000,?,007C1444,?,0070FDF5,?,?,006FA976,00000010,007C1440,006F13FC,?,006F13C6,?,006F1129), ref: 00723852

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: f3e53d62f5053dee805ae30722829f664be73d72866e7324918ef98dec5d1420
Instruction ID: 5eb8125fc9ec0252ca648dba69a9e7127912a83b4274c4bc5df6cdeb2726a070
Opcode Fuzzy Hash: f3e53d62f5053dee805ae30722829f664be73d72866e7324918ef98dec5d1420
Instruction Fuzzy Hash: E431D272A0022AABDF25DF64EC85EAE7BA5EB40310F154168FC44D7251E739DD90CBA0

Function 007852C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00785352
GetWindowLongW.USER32(?,000000F0), ref: 00785375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00785382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007853A8

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 3545b93e875afb8efbfbbfd293a7c22f00dcc3ba0a177da2f935eb39f502263a
Instruction ID: 5ff7c37a3361df2b3ea55eed432de1ee0310043cd5a6f2b01151785e35ab83d9
Opcode Fuzzy Hash: 3545b93e875afb8efbfbbfd293a7c22f00dcc3ba0a177da2f935eb39f502263a
Instruction Fuzzy Hash: 2331E230AD5A08FFEB31AA14CC05FE83762AB05399F984111FA10969E1C7BCAE40DB51

Function 0075AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 0075ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0075AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0075AC74
SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 0075ACC6

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 309841f5b7e108ec087205e7b4da54b30e3487caa2611a249a8b71e438991525
Instruction ID: 86d1e761ac69f01c5d49fe0aa9fec1c772cad49324bd372209d35ee0349d7ff2
Opcode Fuzzy Hash: 309841f5b7e108ec087205e7b4da54b30e3487caa2611a249a8b71e438991525
Instruction Fuzzy Hash: 9E312830A40258BFFF35CB648C09BFA7BA5AB45312F14433AE885561D0D3BD89898772

Function 00787674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0078769A
GetWindowRect.USER32(?,?), ref: 00787710
PtInRect.USER32(?,?,00788B89), ref: 00787720
MessageBeep.USER32(00000000), ref: 0078778C

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 61c364a29707985c7d32e5788469a1d3a5fc50d65ef1743a07585604a733412f
Instruction ID: d91ca01fc6d240100f911c4362f14800cbbfa14ae2fea32c1faa27abe77a1a26
Opcode Fuzzy Hash: 61c364a29707985c7d32e5788469a1d3a5fc50d65ef1743a07585604a733412f
Instruction Fuzzy Hash: 4641BD34A45254DFCB09EF58C894EA9B7F4FF4A310F6980A8E816DB261D338E941CF90

Function 007816DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 007816EB

Part of subcall function 00753A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00753A57
Part of subcall function 00753A3D: GetCurrentThreadId.KERNEL32 ref: 00753A5E
Part of subcall function 00753A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007525B3), ref: 00753A65

GetCaretPos.USER32(?), ref: 007816FF
ClientToScreen.USER32(00000000,?), ref: 0078174C
GetForegroundWindow.USER32 ref: 00781752

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 7b2fd5ae4ded9da36dc0b362641f06f776533ad81a691cd8f49558cb75e00636
Instruction ID: 00ad1d572a144d61433844798911821e88520df2afb897644a656559f45c07ac
Opcode Fuzzy Hash: 7b2fd5ae4ded9da36dc0b362641f06f776533ad81a691cd8f49558cb75e00636
Instruction Fuzzy Hash: 86312F75D00149AFCB00EFA9C985CAEBBFDEF88304B5480ADE515E7211DB359E45CBA4

Function 00788FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00709BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00709BB2

GetCursorPos.USER32(?), ref: 00789001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00747711,?,?,?,?,?), ref: 00789016
GetCursorPos.USER32(?), ref: 0078905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00747711,?,?,?), ref: 00789094

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: e43b81fcfbf480eb0b3bfe085a53fed04a6ec2c88b37ea6a4bd7853dc901825e
Instruction ID: 3e083a3d84baa744aa380cf1ce58de19a66d2436346eef735bed078f716347d5
Opcode Fuzzy Hash: e43b81fcfbf480eb0b3bfe085a53fed04a6ec2c88b37ea6a4bd7853dc901825e
Instruction Fuzzy Hash: 2421B535640018EFCB169F94CC58EFA7BB9EF4A360F284169FA0657161D339AD50DB60

Function 0075D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0078CB68), ref: 0075D2FB
GetLastError.KERNEL32 ref: 0075D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0075D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0078CB68), ref: 0075D376

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: acb0f251e594dd0949d1b357dedf75f4d2899d403254ae5cc5a4ab70794fff3a
Instruction ID: 44cb0ba6a8f67ec93c3de6bb1f8b923378372b743e779906ab1757e889dcc886
Opcode Fuzzy Hash: acb0f251e594dd0949d1b357dedf75f4d2899d403254ae5cc5a4ab70794fff3a
Instruction Fuzzy Hash: 58219170509201DF8720DF24C8818AAB7E4AE55365F104A1DF899C72A1E775DD49CBA7

Function 00751571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00751014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0075102A
Part of subcall function 00751014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00751036
Part of subcall function 00751014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00751045
Part of subcall function 00751014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0075104C
Part of subcall function 00751014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00751062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007515BE
_memcmp.LIBVCRUNTIME ref: 007515E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00751617
HeapFree.KERNEL32(00000000), ref: 0075161E

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: b1723950eb9573ae058ed65e78720f77251a3b9e8f852fb7b2952994cb309738
Instruction ID: 03e27e1cc36eeedd6de6fadb2cc625aa3b5cc8ac41d85c5dffc7705440baccbb
Opcode Fuzzy Hash: b1723950eb9573ae058ed65e78720f77251a3b9e8f852fb7b2952994cb309738
Instruction Fuzzy Hash: A421B671D40108EFDF00DFA4C949BEEB7B4EF44346F598459E851A7241E778AE09CBA0

Function 00782782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0078280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00782824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00782832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00782840

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: a55fe8e7d1322c9b14bf6eab27133712bc04ae4fd2d741d0bcd73b809a029a4a
Instruction ID: 87e31613947ced55257bb62719568c56d29bc7fc757c4f16cb487eb582c16901
Opcode Fuzzy Hash: a55fe8e7d1322c9b14bf6eab27133712bc04ae4fd2d741d0bcd73b809a029a4a
Instruction Fuzzy Hash: 0B210331244111AFDB14AB24C844FAA7B96EF85325F248158F9268B6E3CB79FC42C790

Function 007578F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00758D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0075790A,?,000000FF,?,00758754,00000000,?,0000001C,?,?), ref: 00758D8C
Part of subcall function 00758D7D: lstrcpyW.KERNEL32(00000000,?,?,0075790A,?,000000FF,?,00758754,00000000,?,0000001C,?,?,00000000), ref: 00758DB2
Part of subcall function 00758D7D: lstrcmpiW.KERNEL32(00000000,?,0075790A,?,000000FF,?,00758754,00000000,?,0000001C,?,?), ref: 00758DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00758754,00000000,?,0000001C,?,?,00000000), ref: 00757923
lstrcpyW.KERNEL32(00000000,?,?,00758754,00000000,?,0000001C,?,?,00000000), ref: 00757949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00758754,00000000,?,0000001C,?,?,00000000), ref: 00757984

Strings

cdecl, xrefs: 0075797B

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 18ea673085770cf707bcff7c562744d96476846485e7596ff2493edcaf30f05c
Instruction ID: 5ff49e2dbab2aa342a3d6fef28945c2bbba55a32c379b0adc74225efa94d658b
Opcode Fuzzy Hash: 18ea673085770cf707bcff7c562744d96476846485e7596ff2493edcaf30f05c
Instruction Fuzzy Hash: 9011067A200341ABCB159F35D848EBA77E9FF85351B10802AFD42C72A4EF799805C761

Function 00787CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00787D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00787D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00787D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0076B7AD,00000000), ref: 00787D6B

Part of subcall function 00709BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00709BB2

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 2c3ba8409381a1cf1ad9027184b6b3bd962460b1fc35db3d598597fc823232f2
Instruction ID: 43a8f396fd760dccfafccad827f87ec50173415a6d7a77cf638fdde4472bc817
Opcode Fuzzy Hash: 2c3ba8409381a1cf1ad9027184b6b3bd962460b1fc35db3d598597fc823232f2
Instruction Fuzzy Hash: 3611D5312446149FCB15AF28CC04E663BA4AF463A0B358728F836DB1F0E738D910DB60

Function 00785660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 007856BB
_wcslen.LIBCMT ref: 007856CD
_wcslen.LIBCMT ref: 007856D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00785816

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: b6627942f31b925df62d3d5446ff353e830e843c7ff6a2b32436a60ddd34f0e1
Instruction ID: 2be81b405a793be1b70784bf413d459981ad9ee484a43968fe8b832c6829c129
Opcode Fuzzy Hash: b6627942f31b925df62d3d5446ff353e830e843c7ff6a2b32436a60ddd34f0e1
Instruction Fuzzy Hash: 9211D375680608E6DF20AF65CC85EEE77ACEF11760B50806AF919D6081EB7CDA84CB64

Function 00721D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da1071ff4c861b28aacd2d7c9fe9374c387e54125d25bf6568b192a507ac6ac5
Instruction ID: 8c6f4d8a2747fb520198841afdae24d57720cec023d1e33c1938f09d729afb71
Opcode Fuzzy Hash: da1071ff4c861b28aacd2d7c9fe9374c387e54125d25bf6568b192a507ac6ac5
Instruction Fuzzy Hash: A301ADB270962ABEF62126787CC4F27661CEF613B8F750329F521A11D2DB789C414270

Function 00751A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00751A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00751A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00751A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00751A8A

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ef05b518b8867575bb346e6c294ad4ec1972ebaed688cc29f6d0486c73c28d89
Instruction ID: af5a2c52cc8e159807f09e9245f4ad2b86f27c246c79a99381aafa01e2ccca38
Opcode Fuzzy Hash: ef05b518b8867575bb346e6c294ad4ec1972ebaed688cc29f6d0486c73c28d89
Instruction Fuzzy Hash: 7C11393AD01219FFEB11DBA4CD85FEDBB78EB08751F2040A1EA00B7290D6B16E50DB94

Function 0075E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0075E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0075E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0075E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0075E24D

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 8776b3630f413d5b09ca3d2777935fb93d46cae1737e16e9848e853ed4691001
Instruction ID: 304f99212652fcc4ea62f516679d06d014ceee0f83f8ef4cc2a5a3403ce978cb
Opcode Fuzzy Hash: 8776b3630f413d5b09ca3d2777935fb93d46cae1737e16e9848e853ed4691001
Instruction Fuzzy Hash: A2112B72D04258BBC7069FA8AC09EDE7FACEB45315F108269F824D3291D6BCCE0487B4

Function 0071D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0071CFF9,00000000,00000004,00000000), ref: 0071D218
GetLastError.KERNEL32 ref: 0071D224
__dosmaperr.LIBCMT ref: 0071D22B
ResumeThread.KERNEL32(00000000), ref: 0071D249

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 5189e154abd4f66573b33ebb79c8bcb8721f10cfc2117d27e2ba749fd0186123
Instruction ID: ccaf17442de9a497717cac03095dc00cb490307e6eb8505ae2efb2dcf3cf0f29
Opcode Fuzzy Hash: 5189e154abd4f66573b33ebb79c8bcb8721f10cfc2117d27e2ba749fd0186123
Instruction Fuzzy Hash: 6D01C476805108BBC7225BA9DC09AEE7A69EF85730F204219F925921D0DB79CD818BA1

Function 00789EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00709BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00709BB2

GetClientRect.USER32(?,?), ref: 00789F31
GetCursorPos.USER32(?), ref: 00789F3B
ScreenToClient.USER32(?,?), ref: 00789F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00789F7A

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 304a169a470ff309b5ec3631301b09fde8074b9da684a7f4fd240e678c886ecd
Instruction ID: 7d734d11a873d61fa75190eb1570077520c78b08ee7418eff9f88581a5db30f8
Opcode Fuzzy Hash: 304a169a470ff309b5ec3631301b09fde8074b9da684a7f4fd240e678c886ecd
Instruction Fuzzy Hash: CA11663294011AEBDB06EFA8C8499FE77B8EB05311F244465FA02E3041D338BA81CBA5

Function 006F600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006F604C
GetStockObject.GDI32(00000011), ref: 006F6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 006F606A

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 44608ea8bd92b73afaea6dc24602e9b4141a004e35fbcfced2e8ff29ed5d0b6b
Instruction ID: b6c85bf739246e5d067f71194d81bf259657181f035cb94cc9481683f89f61bb
Opcode Fuzzy Hash: 44608ea8bd92b73afaea6dc24602e9b4141a004e35fbcfced2e8ff29ed5d0b6b
Instruction Fuzzy Hash: 24116D7250154CBFEF124FA4DD44EFABB6AEF093A4F244215FB1552120DB36AC60DBA4

Function 00713B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00713B56

Part of subcall function 00713AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00713AD2
Part of subcall function 00713AA3: ___AdjustPointer.LIBCMT ref: 00713AED

_UnwindNestedFrames.LIBCMT ref: 00713B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00713B7C
CallCatchBlock.LIBVCRUNTIME ref: 00713BA4

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: e330a0ce04d16a86dde7fc47603fdfc785dda7154b2c0e26658552db3fd92dd4
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: D3012972100148BBDF125E99CC46EEB3B7AEF48754F044014FE4856161D73AE9A1DBA0

Function 00723073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,006F13C6,00000000,00000000,?,0072301A,006F13C6,00000000,00000000,00000000,?,0072328B,00000006,FlsSetValue), ref: 007230A5
GetLastError.KERNEL32(?,0072301A,006F13C6,00000000,00000000,00000000,?,0072328B,00000006,FlsSetValue,00792290,FlsSetValue,00000000,00000364,?,00722E46), ref: 007230B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0072301A,006F13C6,00000000,00000000,00000000,?,0072328B,00000006,FlsSetValue,00792290,FlsSetValue,00000000), ref: 007230BF

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 5b9fc3981b6cabdb5e86aadd45fdefb6c95c500d6a8146406cc2ed8285de2ee0
Instruction ID: 6b59bb926341b039240141048fb239854f2a39b912506118a589008b3630b35a
Opcode Fuzzy Hash: 5b9fc3981b6cabdb5e86aadd45fdefb6c95c500d6a8146406cc2ed8285de2ee0
Instruction Fuzzy Hash: 2401F732741236ABCB314B78BC44A577B9AAF05B61B204724F905E3180C73DD901C7F4

Function 00757464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0075747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00757497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 007574AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 007574CA

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: e1e81a9f9a63251125aea3a759be7b5b5955b3ecea3fa7a533d51ca5f7d7d603
Instruction ID: ea7ba2e04fdcba9ed86b73dd06867fc315951752134a6979e9dc5b8ba65f1438
Opcode Fuzzy Hash: e1e81a9f9a63251125aea3a759be7b5b5955b3ecea3fa7a533d51ca5f7d7d603
Instruction Fuzzy Hash: CC11ADB1245354ABE7208F64EC08FD27FFCEB00B11F20856DAE1AD6191D7B8E948DB61

Function 0075B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0075ACD3,?,00008000), ref: 0075B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0075ACD3,?,00008000), ref: 0075B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0075ACD3,?,00008000), ref: 0075B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0075ACD3,?,00008000), ref: 0075B126

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: b027597f82e9a64ec3c7f6c0088e78ecb1585437c4e97bb2b7986eeedbae20b4
Instruction ID: 5d2045d5d5d4a3266daaac6ba9d2f20cc8129f921701c0efc372af23108ba61a
Opcode Fuzzy Hash: b027597f82e9a64ec3c7f6c0088e78ecb1585437c4e97bb2b7986eeedbae20b4
Instruction Fuzzy Hash: 5F115E71C0191CD7CF00AFE5D9996FEFB78FF09712F108485D941B2185CB7859548B65

Function 00787E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00787E33
ScreenToClient.USER32(?,?), ref: 00787E4B
ScreenToClient.USER32(?,?), ref: 00787E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00787E8A

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 273b1a41405d2dc12d11bd39cd0512bbaaa05d995fa4b61d01eabc71b9df9387
Instruction ID: e5064b12436316ac91fe12d8d39b7cef09e4715eca08047c72d455afb0bcee6b
Opcode Fuzzy Hash: 273b1a41405d2dc12d11bd39cd0512bbaaa05d995fa4b61d01eabc71b9df9387
Instruction Fuzzy Hash: 9B1156B9D4020AAFDB41DF98C884AEEBBF5FF08310F509066E925E3210D735AA54CF64

Function 00752DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00752DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00752DD6
GetCurrentThreadId.KERNEL32 ref: 00752DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00752DE4

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 3b25bfb77ac10cdd46b5295eb4a09ed51b4f85a20b665f19002c13f18db81901
Instruction ID: 69f8fb2c72b36ec55fd624ea9a50d7efff5b1cfb79804acfe02a7ce8aa57fcc6
Opcode Fuzzy Hash: 3b25bfb77ac10cdd46b5295eb4a09ed51b4f85a20b665f19002c13f18db81901
Instruction Fuzzy Hash: FAE06D717412247AD7211B62AC0EEEB3E6CEB43BA2F104129B905D1081AAA88845C7B0

Function 00788863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00709639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00709693
Part of subcall function 00709639: SelectObject.GDI32(?,00000000), ref: 007096A2
Part of subcall function 00709639: BeginPath.GDI32(?), ref: 007096B9
Part of subcall function 00709639: SelectObject.GDI32(?,00000000), ref: 007096E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00788887
LineTo.GDI32(?,?,?), ref: 00788894
EndPath.GDI32(?), ref: 007888A4
StrokePath.GDI32(?), ref: 007888B2

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: cf4b0c09a2ee47a0a9aa2d25f423ad98db07257fa899a5ec2a49d707814d3c48
Instruction ID: d4a57d03e518349938dab92611434c85751988583d17f85b15c00e0988fc838e
Opcode Fuzzy Hash: cf4b0c09a2ee47a0a9aa2d25f423ad98db07257fa899a5ec2a49d707814d3c48
Instruction Fuzzy Hash: 8DF03A36081258FADB136F94AC0DFCA3B59AF06310F54C100FA11651E2C7BD5511CBAA

Function 007098B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 007098CC
SetTextColor.GDI32(?,?), ref: 007098D6
SetBkMode.GDI32(?,00000001), ref: 007098E9
GetStockObject.GDI32(00000005), ref: 007098F1

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: dcf42aa885ce6f6e31261f4dbc348c8345ccaa9cde90f9ba86a7f5719530cdc8
Instruction ID: 2d44e467c294ca82ff32dce8ccd5c6483c2c7bc153ed6dafed0c869fa10476d9
Opcode Fuzzy Hash: dcf42aa885ce6f6e31261f4dbc348c8345ccaa9cde90f9ba86a7f5719530cdc8
Instruction Fuzzy Hash: 73E06531684284AEDB225B74BC0DBE83F50AB51335F24C21AF6F5580E1C3795650DB20

Function 0075162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00751634
OpenThreadToken.ADVAPI32(00000000,?,?,?,007511D9), ref: 0075163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,007511D9), ref: 00751648
OpenProcessToken.ADVAPI32(00000000,?,?,?,007511D9), ref: 0075164F

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: d30c35ce191b1d8c4d15bd5001bc5868e14d8048c938605e71d14d9140120230
Instruction ID: d5c745ec970576229feb63880fa658f9395888e111579d40669378b632b0fe26
Opcode Fuzzy Hash: d30c35ce191b1d8c4d15bd5001bc5868e14d8048c938605e71d14d9140120230
Instruction Fuzzy Hash: 50E04632682211ABD7201BB0AE0DB863B68EF45792F258808F645C9080EA7C84458B68

Function 0074D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0074D858
GetDC.USER32(00000000), ref: 0074D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0074D882
ReleaseDC.USER32(?), ref: 0074D8A3

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 3255e7e443eea519cb39a1cc242ea1e7bd93a1b7068f4d644cdcb34db8883c10
Instruction ID: 56f5a30472aae1272f1ebe147607e402c867ded5498c3124b3651fe35ca56779
Opcode Fuzzy Hash: 3255e7e443eea519cb39a1cc242ea1e7bd93a1b7068f4d644cdcb34db8883c10
Instruction Fuzzy Hash: 39E0E5B4940205DFCB529FA0990866DBBB6AB48310B208019E946E7250D73C8941AF64

Function 0074D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0074D86C
GetDC.USER32(00000000), ref: 0074D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0074D882
ReleaseDC.USER32(?), ref: 0074D8A3

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: ea56c4c0e4aeedb9c11374d5b412bd79ad65010534a3ee79a146edc52259039f
Instruction ID: 4643a37c0bc07ca13512a55016dd2464aa990dc81c05aecdfe1cfc970f13e1ac
Opcode Fuzzy Hash: ea56c4c0e4aeedb9c11374d5b412bd79ad65010534a3ee79a146edc52259039f
Instruction Fuzzy Hash: 9CE01A74940204DFCB529FB0D80C66DBBB1BF48310B208018E90AE7250D73C5901AF64

Function 00764D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 006F7620: _wcslen.LIBCMT ref: 006F7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00764ED4

Strings

*, xrefs: 00764E10
LPT, xrefs: 00764DFB

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 4d944096f778cfe10f01135dc0e51fa373a5936b16d0e17105b80e2bce5444a9
Instruction ID: d383e2fe538a24a4c1d5d2249b273548a26fc82ae679d0f33c6229738d650efb
Opcode Fuzzy Hash: 4d944096f778cfe10f01135dc0e51fa373a5936b16d0e17105b80e2bce5444a9
Instruction Fuzzy Hash: A4915F75A00204EFCB15DF58C484EAABBF1BF44304F198099E80A9F7A2D779ED85CB91

Function 0071E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0071E30D

Strings

pow, xrefs: 0071E2E5, 0071E302

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: b42a4ecd2aabf9cea015c29ddee2e7de089606cd43d7e6c48305691733360a1c
Instruction ID: 91167cbfd3a463042467c8fda818d589fb533292bd455fc2292a0536138d58fb
Opcode Fuzzy Hash: b42a4ecd2aabf9cea015c29ddee2e7de089606cd43d7e6c48305691733360a1c
Instruction Fuzzy Hash: 75518E71E0C11296CB19772CDE453FA3BA4AB40740F348999F8E5422E9DB3C8CD6DA46

Function 00777771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0074569E,00000000,?,0078CC08,?,00000000,00000000), ref: 007778DD

Part of subcall function 006F6B57: _wcslen.LIBCMT ref: 006F6B6A

CharUpperBuffW.USER32(0074569E,00000000,?,0078CC08,00000000,?,00000000,00000000), ref: 0077783B

Strings

<s{, xrefs: 007777C8

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s{
API String ID: 3544283678-301287271
Opcode ID: 6719f870636f53a3c6e272fc7290de26718f972dd7d508b2d20b451f2b5753d9
Instruction ID: e483a468d747201b1b3baae5540988588b72a628f9d4dd3fdebdc62204fce7b4
Opcode Fuzzy Hash: 6719f870636f53a3c6e272fc7290de26718f972dd7d508b2d20b451f2b5753d9
Instruction Fuzzy Hash: 7F618E7291412DEACF49EBE4CC91DFDB3B9BF14340B448129F646A3191EF786A05CBA4

Function 0070E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0070E1B1

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 49d3492254f016313b93ce9be4060c8f30d83c519899b90b617336ac0c4c50b6
Instruction ID: 0410a97a82fd05092d3171cff1e694c284727fd56b00374382e8dc45164c8898
Opcode Fuzzy Hash: 49d3492254f016313b93ce9be4060c8f30d83c519899b90b617336ac0c4c50b6
Instruction Fuzzy Hash: AC513435504246DFDB16DF28C481ABA7BA9FF56330F248569E8919B2D0D7389D42CBA0

Function 0070F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0070F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0070F2BB

Strings

@, xrefs: 0070F2AF

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: c883d120f5e57437ac7df5c652845beb63cc2d7d0311a0155d5c734de9acddc5
Instruction ID: 66ef7ae9b329c51ea612c22491c379b0f4d6b99de9102c6666f20d956c379886
Opcode Fuzzy Hash: c883d120f5e57437ac7df5c652845beb63cc2d7d0311a0155d5c734de9acddc5
Instruction Fuzzy Hash: 2B5159724087499BD360AF14D886BABB7F9FFC5310F81884CF29941195EB309929CB6B

Function 00775745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 007757E0
_wcslen.LIBCMT ref: 007757EC

Strings

CALLARGARRAY, xrefs: 007757E6, 007757EB

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: b037e98b08e344c9c933d6bcb8bc7829c8085e9a6cb3070a238d5af8fb4eb174
Instruction ID: 7ff0f57b164704633ed4e64aa35c8140ef7df73f00a9e0bd4d1d21ca5377a551
Opcode Fuzzy Hash: b037e98b08e344c9c933d6bcb8bc7829c8085e9a6cb3070a238d5af8fb4eb174
Instruction Fuzzy Hash: 3D41AE31A00109DFCF04DFA9C8859BEBBF5EF59360F10812DE509A7291E7B89D81CBA1

Function 0076D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0076D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0076D13A

Strings

|, xrefs: 0076D10B

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: d3080ff34bcb481abb6b84613b94076541950a783c3dcfbc6f757b85f1b8356a
Instruction ID: 8d6c4078c6ef35019dc2f122fa3f68e527fa4f782b3de6a61e6082c658812a0c
Opcode Fuzzy Hash: d3080ff34bcb481abb6b84613b94076541950a783c3dcfbc6f757b85f1b8356a
Instruction Fuzzy Hash: 7C315D71D0020DABCF15EFA4CC85AEEBFBAFF05304F000019F915A6166E775AA46CB64

Function 0078356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00783621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0078365C

Strings

static, xrefs: 007835BC

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: c2f30d4cabf23b14f7f7fcf373cc4a95c5faee7eea18b8a86a47c1dfde7bb958
Instruction ID: c3976b93149dc125e4aee49a041253abcf105fc0cdb2454945df15241d77a5f7
Opcode Fuzzy Hash: c2f30d4cabf23b14f7f7fcf373cc4a95c5faee7eea18b8a86a47c1dfde7bb958
Instruction Fuzzy Hash: ED319071250604AEDB10EF38DC40EFB73A9FF88B24F10961DF9A597280DA38AD91C764

Function 00784537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0078461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00784634

Strings

', xrefs: 0078458E

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 658b9ff75a239a4643c11bdfc031616327a25b5d21ecd856e520122db5712c20
Instruction ID: 2dcbd0c393df0b1bfc2597b2ef4031e9df6af9f24593fc3373ed96ac4dd1660c
Opcode Fuzzy Hash: 658b9ff75a239a4643c11bdfc031616327a25b5d21ecd856e520122db5712c20
Instruction Fuzzy Hash: EC312774A4030A9FDB14DFA9C980BDE7BB5FF09300F10406AE904AB341E7B4A951CF90

Function 007831EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0078327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00783287

Strings

Combobox, xrefs: 00783249

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 6b87a1649fd9727f1afe3267e7f016c29647d5c9c6967b29feecc4de6c7512b5
Instruction ID: 99a8914bad8c50bad32b98e5f18d604d2b14637ca974e9c2777e7c1b926749b8
Opcode Fuzzy Hash: 6b87a1649fd9727f1afe3267e7f016c29647d5c9c6967b29feecc4de6c7512b5
Instruction Fuzzy Hash: 8D11B271340208BFEF25AE58DC84EBB376AFB94764F104128F91897291D6799D518760

Function 00783710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 006F600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006F604C
Part of subcall function 006F600E: GetStockObject.GDI32(00000011), ref: 006F6060
Part of subcall function 006F600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 006F606A

GetWindowRect.USER32(00000000,?), ref: 0078377A
GetSysColor.USER32(00000012), ref: 00783794

Strings

static, xrefs: 00783757

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 06e2fdaa1422d8d5c2b205f930648e98db9f1ab19e17d82af2c65c8c7be4f162
Instruction ID: 9f5357150616abc03d2e5765ec316f314ab26ffd469303633ce635ec71e54dae
Opcode Fuzzy Hash: 06e2fdaa1422d8d5c2b205f930648e98db9f1ab19e17d82af2c65c8c7be4f162
Instruction Fuzzy Hash: 3E1129B2650209AFDF01EFA8CC45EEA7BB8EB08714F104529FD55E2250E739E8619B60

Function 0076CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0076CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0076CDA6

Strings

<local>, xrefs: 0076CD66

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 0b55d7701ecca1ef2914678d3a075c5bc2cd2822ae712453bd9e7b50944e9205
Instruction ID: 67bd6136b752a70edd36401d3e80f8dd6a237814fef0f416e742a7c067b4d473
Opcode Fuzzy Hash: 0b55d7701ecca1ef2914678d3a075c5bc2cd2822ae712453bd9e7b50944e9205
Instruction Fuzzy Hash: 1D11C6713456317AD7365B66CC45FF7BE6CEF127A4F104226B98A83180D7789844D6F0

Function 00783429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 007834AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007834BA

Strings

edit, xrefs: 0078348F

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: e389512837dd767b1b972fd0149bba8ff70a9b1046c65f68a1e25d8e21065130
Instruction ID: 7141d69cf47c511868b448d363e23210d397a8bd89dedb18fe758bbfc44c46e4
Opcode Fuzzy Hash: e389512837dd767b1b972fd0149bba8ff70a9b1046c65f68a1e25d8e21065130
Instruction Fuzzy Hash: 0D11BF71140148ABEF12AE68DC44EBB376AEF05B74F604324F969931D0C779DC519764

Function 00756C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00756CB6
_wcslen.LIBCMT ref: 00756CC2

Strings

STOP, xrefs: 00756CBC, 00756CC1

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 1e48383b53c833ce5f19963ab48e2fe49b2cb56ded1fdc9ed15b55c0ef4e27e0
Instruction ID: 13b603b1187050a0d659314a4e1452284de9a49996a55b8cde78962689b384e4
Opcode Fuzzy Hash: 1e48383b53c833ce5f19963ab48e2fe49b2cb56ded1fdc9ed15b55c0ef4e27e0
Instruction Fuzzy Hash: 2A01C8327005268ACB11AFBDDC909FF77B5EA617117900938ED5297190FA79E948C660

Function 00751CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

Part of subcall function 00753CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00753CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00751D4C

Strings

ComboBox, xrefs: 00751CEB
ListBox, xrefs: 00751D16

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ef4c1721e1cc7ba1fecf84831474a3139decb0f6acdf048ec6a6c1ad627bc7a2
Instruction ID: 1243e8a75853b7085b90d1d093c14b6b50bc85f5642c5feba2ff5ee4c0bce514
Opcode Fuzzy Hash: ef4c1721e1cc7ba1fecf84831474a3139decb0f6acdf048ec6a6c1ad627bc7a2
Instruction Fuzzy Hash: E501F571700218AB8B08EFA0CC15EFE7379EB02391B440919EC32572D1EAB9590C8770

Function 00751BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

Part of subcall function 00753CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00753CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00751C46

Strings

ComboBox, xrefs: 00751BE5
ListBox, xrefs: 00751C10

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: b0c0dd4e83c6db74a1ea21d513fe1bc5eb5bfb3f538197c51ede744f20e1dcf7
Instruction ID: 7c88677a5f12c0ff4e2275a8397d32a60535798ed7eae981bf3976d84561d2c8
Opcode Fuzzy Hash: b0c0dd4e83c6db74a1ea21d513fe1bc5eb5bfb3f538197c51ede744f20e1dcf7
Instruction Fuzzy Hash: 3F01F7B178010866CB08EB90C951FFF77A99F11381F540419ED16632C1EA699E0CC7B5

Function 00751C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

Part of subcall function 00753CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00753CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00751CC8

Strings

ComboBox, xrefs: 00751C69
ListBox, xrefs: 00751C94

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 99f99da586f160a5e9acda3c5638dca7fee63a28026bdbc6e87258bf2e85adc3
Instruction ID: dece8c5489ca8dfcae47e106f26f7934f48cdfda77a362464623f77ef50a452a
Opcode Fuzzy Hash: 99f99da586f160a5e9acda3c5638dca7fee63a28026bdbc6e87258bf2e85adc3
Instruction Fuzzy Hash: FE01D6B178011867CB04EBA0CA01FFF77A99B11382F540419BD12B3281EAAA9F0CC675

Function 0070A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0070A529

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

Strings

3yt, xrefs: 0070A545, 0070A54D, 0070A552
,%|, xrefs: 0070A509

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%|$3yt
API String ID: 2551934079-1591345639
Opcode ID: 789fba31d43808a9438e07c0edcc13d8bfdf659a3c6ab62208efb23251899907
Instruction ID: 3768b4f49599296e34803b94261fc9612887b597df9df3b82a02bc598b678fa0
Opcode Fuzzy Hash: 789fba31d43808a9438e07c0edcc13d8bfdf659a3c6ab62208efb23251899907
Instruction Fuzzy Hash: 4401F731600714EBC604F76CAC1BFAD3394AB05710F40416CF601971C3EE9C5D5286EB

Function 00751D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

Part of subcall function 00753CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00753CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00751DD3

Strings

ComboBox, xrefs: 00751D75
ListBox, xrefs: 00751DA0

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: e8a45ec233144292f552c917e4b77eb8697a254143ad8cfed4d41f88c8c80e21
Instruction ID: 61924066aaa9245fc29dd5f40e6b493fe6e64aa6756ec28eb61dd4537eba5568
Opcode Fuzzy Hash: e8a45ec233144292f552c917e4b77eb8697a254143ad8cfed4d41f88c8c80e21
Instruction Fuzzy Hash: 46F081B1B4121866DB08ABA4CC56BFF7779AB01391F440D19B922A32C1EAB8590C8274

Function 00788172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,007C3018,007C305C), ref: 007881BF
CloseHandle.KERNEL32 ref: 007881D1

Strings

\0|, xrefs: 0078818A

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0|
API String ID: 3712363035-470943010
Opcode ID: 6ab5b54c3bec86a7619f093e2609d8ac4c67657ac015ef7f8e9169ed884786b4
Instruction ID: aa65a3927f2667dcc8ac90ecc3e8b8751875e79f2d03ecdc48b44725a8acb87f
Opcode Fuzzy Hash: 6ab5b54c3bec86a7619f093e2609d8ac4c67657ac015ef7f8e9169ed884786b4
Instruction Fuzzy Hash: 0CF05EB2680304BAF3206765AC49FB77B5DEB04750F00C42ABB08D51A2D67D8A9193BD

Function 0077747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00777493
_wcslen.LIBCMT ref: 007774B9

Strings

3, 3, 16, 1, xrefs: 00777483

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 7fa269c251b996290601bfb87b49826693274def5a30accb7a2248093b5115ec
Instruction ID: 0cb12d338ba3f6a1fa8e00480540d7c9835fb195bce548dead3605ffb9bd5292
Opcode Fuzzy Hash: 7fa269c251b996290601bfb87b49826693274def5a30accb7a2248093b5115ec
Instruction Fuzzy Hash: C7E02B422043A060D739127E9CC5ABF56C9DFC67D0714182BF989C22B6EA9C9DD1D3A0

Function 00750B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00750B23

Strings

Error allocating memory., xrefs: 00750B1C
AutoIt, xrefs: 00750B17

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 34a3503be552c8adfca50bdacb5b86ff13432a608cfbce3c6194d39fa72aff8c
Instruction ID: 6b6871812618797b7cb7562406240b5568663a3c2b0ae4c831d3c1843fcaf6c4
Opcode Fuzzy Hash: 34a3503be552c8adfca50bdacb5b86ff13432a608cfbce3c6194d39fa72aff8c
Instruction Fuzzy Hash: 87E0D831284308A6D2213754BC07FC97AC48F05B11F10046AFB58555C38AF9349007FD

Function 00710D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0070F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00710D71,?,?,?,006F100A), ref: 0070F7CE

IsDebuggerPresent.KERNEL32(?,?,?,006F100A), ref: 00710D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,006F100A), ref: 00710D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00710D7F

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 5d35166e9283a77e5ec1727a5f97d12b23f8f7ac17581a158b6cb4a3e6e9e35a
Instruction ID: 4f13f48cd4a90567d8cdb55e92d644a0565f38c9e48c4aff408d1d0292f2742b
Opcode Fuzzy Hash: 5d35166e9283a77e5ec1727a5f97d12b23f8f7ac17581a158b6cb4a3e6e9e35a
Instruction Fuzzy Hash: 64E0ED742407518BD371AFBCE8087967BE4BB04754F40893DE486C6696DBFDE4848BE1

Function 0070E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0070E3D5

Strings

0%|, xrefs: 0070E3B5
8%|, xrefs: 0070E3CA

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%|$8%|
API String ID: 1385522511-3928261334
Opcode ID: 55bff640fe5a1e6e9e1e694bf3e3efe16dd808021726ad50c557c75a1ce1f7c8
Instruction ID: c6d4a37fa0425a0ebfae5eaeafbd3433dbde2f85a7451e4d7de3cea8fc2f6aa1
Opcode Fuzzy Hash: 55bff640fe5a1e6e9e1e694bf3e3efe16dd808021726ad50c557c75a1ce1f7c8
Instruction Fuzzy Hash: 51E0863141CD24CBC704971CB859E8AB795AB05320B5056FDE5128B1D3DF7C68939699

Function 00763017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0076302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00763044

Strings

aut, xrefs: 00763038

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 388c00feb5ca1c5320decb6d079f9dc6da30c6788a9d15babce374b143e695b1
Instruction ID: 33bacde795180c024392a8a37cd13a8db337cd1044f3cd63bfb9c697224baad4
Opcode Fuzzy Hash: 388c00feb5ca1c5320decb6d079f9dc6da30c6788a9d15babce374b143e695b1
Instruction Fuzzy Hash: 40D05EB254032867DA20A7A4AC0EFCB3A6CEB04750F0042A1B655E60D1DAB89984CBE4

Function 0074D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0074D220

Strings

X64, xrefs: 0074D2A8
%.3d, xrefs: 0074D22B

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 6a231facb3843b8d589d8ce19a057fb9ffe84698279d9c04f7db43dc8f84c914
Instruction ID: 0de362657688f016c366f9bc15a50280d84dd782c9030731a775ac7e45e68a87
Opcode Fuzzy Hash: 6a231facb3843b8d589d8ce19a057fb9ffe84698279d9c04f7db43dc8f84c914
Instruction Fuzzy Hash: 5ED012B1848109EACBB096E0CC499B9B3BCBB08301F608452F946D2080D77CCD08AB61

Function 00782356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0078236C
PostMessageW.USER32(00000000), ref: 00782373

Part of subcall function 0075E97B: Sleep.KERNEL32 ref: 0075E9F3

Strings

Shell_TrayWnd, xrefs: 00782365

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 7918eddf8ddc1e6ae2bdfd5101d47f23381fb99fe38c727f1c64d7dbf0ba3112
Instruction ID: 71eaa579474b2401ca21985e2e4f73b2df15fa84576313957bbb72439ff76ea2
Opcode Fuzzy Hash: 7918eddf8ddc1e6ae2bdfd5101d47f23381fb99fe38c727f1c64d7dbf0ba3112
Instruction Fuzzy Hash: E6D0C9723C1310BAE669A7709C0FFC666159B05B11F2089667745AA1D1D9F8B8058B68

Function 00782322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0078232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0078233F

Part of subcall function 0075E97B: Sleep.KERNEL32 ref: 0075E9F3

Strings

Shell_TrayWnd, xrefs: 00782325

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: fed24e6dfb4d65d3aa564f062a5950afeefe86a92e971ea8ed4851eb7069e19f
Instruction ID: 84f4b904db9a54796ee05e59dc96ccaa7df417918b0bd68d6baef7b94ab387a9
Opcode Fuzzy Hash: fed24e6dfb4d65d3aa564f062a5950afeefe86a92e971ea8ed4851eb7069e19f
Instruction Fuzzy Hash: 1DD012763D4310B7E668B770DC1FFC67A159B00B11F2089667745AA1D1D9FCB805CB68

Function 0072BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0072BE93
GetLastError.KERNEL32 ref: 0072BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0072BEFC

Memory Dump Source

Source File: 00000000.00000002.1465363834.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1465335232.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465500901.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465599093.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1465630010.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 23620dc3265a691af2eaa83414b5d0a6ed95ffcde37288324160b8dadb05b186
Instruction ID: f1e991aa2af569d0ee693de2440ef7f69c78bbac431be9bf4b8ac43f20e10afe
Opcode Fuzzy Hash: 23620dc3265a691af2eaa83414b5d0a6ed95ffcde37288324160b8dadb05b186
Instruction Fuzzy Hash: 60412D35A00226EFCF218F64ED88AFA7BA5EF41320F25416DF959571E1DB388D01CB61

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.129.91 151.101.129.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.1626441704.000002649939B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1625757893.000002649A615000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1607355105.0000026499681000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1606979596.00000264996A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1508489605.0000026498D7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1607355105.0000026499681000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1508489605.0000026498D7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1618722071.000002649BB42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1647806818.0000026499D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1607355105.0000026499681000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1606979596.00000264996A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1508489605.0000026498D7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1607355105.0000026499681000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1508489605.0000026498D7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1618722071.000002649BB42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1647806818.0000026499D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1647806818.0000026499D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1647806818.0000026499D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1647806818.0000026499D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.1647806818.0000026499D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1647806818.0000026499D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1647806818.0000026499D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1647806818.0000026499D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1647806818.0000026499D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1647806818.0000026499D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1647806818.0000026499D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.1647806818.0000026499D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1647806818.0000026499D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1647806818.0000026499D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.1647806818.0000026499D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1647806818.0000026499D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1647806818.0000026499D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.1647806818.0000026499D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1647806818.0000026499D87000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3269895186.000001C6E5003000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3270532691.0000018169D0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1647806818.0000026499D87000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3269895186.000001C6E5003000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3270532691.0000018169D0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.1647806818.0000026499D87000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3269895186.000001C6E5003000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3270532691.0000018169D0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1625757893.000002649A615000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://89c83477-7a1a-4f5a-bda8-ef3858d4c7d0/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1648866892.00000264996A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1648866892.00000264996A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.8:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.8:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.8:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.129.91:443 -> 192.168.2.8:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.8:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49764 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_efcf6b67-e024-4947-aab9-07095241970c.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_efcf6b67-e024-4947-aab9-07095241970c.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9Q4ZY7ZCY6QEXJRRCFZG.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AK6T8FNAI3R5LJ82937N.temp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\crashes\store.json.mozlz4.tmp

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre