Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1529184
MD5:	d921fe1b8e5b0fb7ae7cc505361ee284
SHA1:	5505cc71945c1c5e063258e00477682cf88de9f4
SHA256:	5fce332f5572c8ee802b8efdc97ffa9b43bcd175767efb954dbafc054b036851
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 7272 cmdline: "C:\Users\user\Desktop\file.exe" MD5: D921FE1B8E5B0FB7AE7CC505361EE284)

firefox.exe (PID: 7288 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7320 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7336 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7584 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2232 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0a74e00-7b41-43bf-a354-618a0db3d180} 7336 "\\.\pipe\gecko-crash-server-pipe.7336" 1e8a2471110 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8100 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4132 -parentBuildID 20230927232528 -prefsHandle 3864 -prefMapHandle 3636 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {471a8284-9a89-43a1-b4f0-a535a59985d3} 7336 "\\.\pipe\gecko-crash-server-pipe.7336" 1e8b3b5ce10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7676 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5180 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5140 -prefMapHandle 5136 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5561797f-130c-4525-aaaa-e8630c60aa02} 7336 "\\.\pipe\gecko-crash-server-pipe.7336" 1e8be1ce910 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 7272	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0085EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0085EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0085ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0085ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0085EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0084AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0084AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00879576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00879576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_dce75689-f
Source: file.exe, 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_7f551199-5
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_41652c60-0
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_067924c1-6

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 6_2_000002093292ABB7 NtQuerySystemInformation,		6_2_000002093292ABB7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 6_2_0000020932944DB2 NtQuerySystemInformation,		6_2_0000020932944DB2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0084D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0084D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00841201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00841201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0084E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0084E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E8060	0_2_007E8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00852046	0_2_00852046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00848298	0_2_00848298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0081E4FF	0_2_0081E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0081676B	0_2_0081676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00874873	0_2_00874873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0080CAA0	0_2_0080CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007ECAF0	0_2_007ECAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007FCC39	0_2_007FCC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00816DD9	0_2_00816DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007FB119	0_2_007FB119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E91C0	0_2_007E91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00801394	0_2_00801394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00801706	0_2_00801706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0080781B	0_2_0080781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007F997D	0_2_007F997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008019B0	0_2_008019B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E7920	0_2_007E7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00807A4A	0_2_00807A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00807CA7	0_2_00807CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00801C77	0_2_00801C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00819EEE	0_2_00819EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0086BE44	0_2_0086BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00801F32	0_2_00801F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 6_2_000002093292ABB7	6_2_000002093292ABB7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 6_2_0000020932944DB2	6_2_0000020932944DB2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 6_2_00000209329454DC	6_2_00000209329454DC
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 6_2_0000020932944DF2	6_2_0000020932944DF2

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 007FF9F2 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00800A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal64.troj.evad.winEXE@19/34@65/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008537B5 GetLastError,FormatMessageW,

0_2_008537B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008410BF AdjustTokenPrivileges,CloseHandle,		0_2_008410BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008416C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_008416C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008551CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_008551CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0084D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0084D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0085648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0085648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007E42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_007E42A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 00000003.00000003.1935626126.000001E8BE153000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1882256535.000001E8BE152000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1896163931.000001E8BE152000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1840502933.000001E8BE152000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 00000003.00000003.1935626126.000001E8BE153000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1882256535.000001E8BE152000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1896163931.000001E8BE152000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1840502933.000001E8BE152000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 00000003.00000003.1935626126.000001E8BE153000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1882256535.000001E8BE152000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1896163931.000001E8BE152000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1840502933.000001E8BE152000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 00000003.00000003.1935626126.000001E8BE153000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1882256535.000001E8BE152000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1896163931.000001E8BE152000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1840502933.000001E8BE152000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 00000003.00000003.1883570950.000001E8BBA8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 00000003.00000003.1935626126.000001E8BE153000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1882256535.000001E8BE152000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1896163931.000001E8BE152000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1840502933.000001E8BE152000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 00000003.00000003.1935626126.000001E8BE153000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1882256535.000001E8BE152000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1896163931.000001E8BE152000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1840502933.000001E8BE152000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 00000003.00000003.1935626126.000001E8BE153000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1882256535.000001E8BE152000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1896163931.000001E8BE152000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1840502933.000001E8BE152000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 00000003.00000003.1935626126.000001E8BE153000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1882256535.000001E8BE152000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1896163931.000001E8BE152000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1840502933.000001E8BE152000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 00000003.00000003.1935626126.000001E8BE153000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1882256535.000001E8BE152000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1896163931.000001E8BE152000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1840502933.000001E8BE152000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2232 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0a74e00-7b41-43bf-a354-618a0db3d180} 7336 "\\.\pipe\gecko-crash-server-pipe.7336" 1e8a2471110 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4132 -parentBuildID 20230927232528 -prefsHandle 3864 -prefMapHandle 3636 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {471a8284-9a89-43a1-b4f0-a535a59985d3} 7336 "\\.\pipe\gecko-crash-server-pipe.7336" 1e8b3b5ce10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5180 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5140 -prefMapHandle 5136 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5561797f-130c-4525-aaaa-e8630c60aa02} 7336 "\\.\pipe\gecko-crash-server-pipe.7336" 1e8be1ce910 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2232 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0a74e00-7b41-43bf-a354-618a0db3d180} 7336 "\\.\pipe\gecko-crash-server-pipe.7336" 1e8a2471110 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4132 -parentBuildID 20230927232528 -prefsHandle 3864 -prefMapHandle 3636 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {471a8284-9a89-43a1-b4f0-a535a59985d3} 7336 "\\.\pipe\gecko-crash-server-pipe.7336" 1e8b3b5ce10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5180 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5140 -prefMapHandle 5136 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5561797f-130c-4525-aaaa-e8630c60aa02} 7336 "\\.\pipe\gecko-crash-server-pipe.7336" 1e8be1ce910 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.3.dr
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 00000003.00000003.1919370268.000001E8AFAC2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 00000003.00000003.1916132629.000001E8AFAC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 00000003.00000003.1919370268.000001E8AFAC2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 00000003.00000003.1919370268.000001E8AFAC2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 00000003.00000003.1916132629.000001E8AFAC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 00000003.00000003.1917446381.000001E8BBB03000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.3.dr
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 00000003.00000003.1919370268.000001E8AFAC2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 00000003.00000003.1917446381.000001E8BBB03000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007E42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007E42DE

Source: gmpopenh264.dll.tmp.3.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00800A76 push ecx; ret

0_2_00800A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007FF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_007FF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00871C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00871C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95354

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 6_2_000002093292ABB7 rdtsc

6_2_000002093292ABB7

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.5 %

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0084DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0084DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008568EE FindFirstFileW,FindClose,	0_2_008568EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0085698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0085698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0084D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0084D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0084D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0084D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00859642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00859642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0085979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0085979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00859B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00859B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00855C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00855C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007E42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007E42DE

Source: firefox.exe, 00000006.00000002.2999530718.000002093202A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW b
Source: firefox.exe, 00000006.00000002.3003391426.0000020932810000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<
Source: firefox.exe, 00000005.00000002.3005050328.000001E7C6840000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln
Source: firefox.exe, 00000005.00000002.2999975940.000001E7C600A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.3003391426.0000020932810000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.3003455670.00000210A5F00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000005.00000002.3004425385.000001E7C641B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000007.00000002.2998719681.00000210A5A9A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: firefox.exe, 00000005.00000002.3005050328.000001E7C6840000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllh6uC
Source: firefox.exe, 00000005.00000002.2999975940.000001E7C600A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.3003391426.0000020932810000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 6_2_000002093292ABB7 rdtsc

6_2_000002093292ABB7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0085EAA2 BlockInput,

0_2_0085EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00812622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00812622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007E42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007E42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00804CE8 mov eax, dword ptr fs:[00000030h]

0_2_00804CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00840B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00840B62

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00812622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00812622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0080083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0080083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008009D5 SetUnhandledExceptionFilter,	0_2_008009D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00800C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00800C21

Source: C:\Users\user\Desktop\file.exe

0_2_00841201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00822BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00822BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0084B226 SendInput,keybd_event,

0_2_0084B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008622DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_008622DA

Source: C:\Users\user\Desktop\file.exe

0_2_00840B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00841663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00841663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00800698 cpuid

0_2_00800698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00858195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00858195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0083D27A GetUserNameW,

0_2_0083D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0081BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0081BB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007E42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007E42DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7272, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7272, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00861204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00861204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00861806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00861806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	15 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	unknown
star-mini.c10r.facebook.com	157.240.251.35	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.129	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	52.222.236.48	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	216.58.206.78	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	142.250.186.78	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
reddit.map.fastly.net	151.101.65.140	true	false	unknown
ipv4only.arpa	192.0.0.171	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000005.00000002.3004187387.000001E7C6300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.3003174708.00000209327C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.3000440451.00000210A5C90000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000006.00000002.3000028757.00000209323C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.3000852968.00000210A5EC3000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://detectportal.firefox.com/	firefox.exe, 00000003.00000003.1941777175.000001E8B57D6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000005.00000002.3004187387.000001E7C6300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.3003174708.00000209327C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.3000440451.00000210A5C90000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 00000003.00000003.1950008011.000001E8BC159000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1927207794.000001E8BC152000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.3.dr	false		unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 00000005.00000002.3001702834.000001E7C62BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.3000028757.00000209323E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.3003613361.00000210A6003000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.3.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 00000003.00000003.1789518548.000001E8BA239000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1787564314.000001E8BA239000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000007.00000002.3000852968.00000210A5E8E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 00000003.00000003.1946747044.000001E8B34AF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000005.00000002.3004187387.000001E7C6300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.3003174708.00000209327C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.3000440451.00000210A5C90000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://www.leboncoin.fr/	firefox.exe, 00000003.00000003.1897978118.000001E8BA684000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://mozilla.o	firefox.exe, 00000003.00000003.1894928746.000001E8B3870000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1866555550.000001E8B3D0A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1879179580.000001E8B3870000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://spocs.getpocket.com/spocs	firefox.exe, 00000003.00000003.1922894121.000001E8BA1D5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 00000003.00000003.1744904926.000001E8B233C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1745809341.000001E8B2377000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1744437940.000001E8B231F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1744072974.000001E8B2100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1745523096.000001E8B235A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000005.00000002.3004187387.000001E7C6300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.3003174708.00000209327C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.3000440451.00000210A5C90000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 00000003.00000003.1926767590.000001E8BE13C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1882595951.000001E8BE13C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1896274565.000001E8BE13C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1840502933.000001E8BE13C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000005.00000002.3004187387.000001E7C6300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.3003174708.00000209327C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.3000440451.00000210A5C90000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 00000005.00000002.3004187387.000001E7C6300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.3003174708.00000209327C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.3000440451.00000210A5C90000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 00000003.00000003.1899832959.000001E8BA186000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1812977700.000001E8BA186000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000005.00000002.3004187387.000001E7C6300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.3003174708.00000209327C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.3000440451.00000210A5C90000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 00000003.00000003.1839099827.000001E8BE290000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 00000003.00000003.1802760390.000001E8B22AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1745523096.000001E8B235A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1945583994.000001E8B35E0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 00000003.00000003.1908127691.000001E8B5776000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 00000003.00000003.1744904926.000001E8B233C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1745809341.000001E8B2377000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1744437940.000001E8B231F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1744072974.000001E8B2100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1745523096.000001E8B235A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000005.00000002.3004187387.000001E7C6300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.3003174708.00000209327C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.3000440451.00000210A5C90000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000005.00000002.3004187387.000001E7C6300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.3003174708.00000209327C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.3000440451.00000210A5C90000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000005.00000002.3004187387.000001E7C6300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.3003174708.00000209327C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.3000440451.00000210A5C90000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://youtube.com/	firefox.exe, 00000003.00000003.1908127691.000001E8B5776000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1883570950.000001E8BBAA6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1812349783.000001E8BBA8B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1907597399.000001E8B5AE3000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 00000003.00000003.1938927315.000001E8BA123000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 00000003.00000003.1946747044.000001E8B34AF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 00000005.00000002.3001702834.000001E7C62BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.3000028757.00000209323E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.3003613361.00000210A6003000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.3.dr	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000005.00000002.3004187387.000001E7C6300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.3003174708.00000209327C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.3000440451.00000210A5C90000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://api.accounts.firefox.com/v1	firefox.exe, 00000005.00000002.3004187387.000001E7C6300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.3003174708.00000209327C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.3000440451.00000210A5C90000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://ok.ru/	firefox.exe, 00000003.00000003.1943091565.000001E8B4386000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.amazon.com/	firefox.exe, 00000003.00000003.1907597399.000001E8B5AE3000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000005.00000002.3004187387.000001E7C6300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.3003174708.00000209327C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.3000440451.00000210A5C90000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 00000003.00000003.1839099827.000001E8BE290000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000005.00000002.3004187387.000001E7C6300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.3003174708.00000209327C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.3000440451.00000210A5C90000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 00000005.00000002.3001702834.000001E7C62BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.3000028757.00000209323E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.3003613361.00000210A6003000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.3.dr	false		unknown
https://www.youtube.com/	firefox.exe, 00000003.00000003.1907597399.000001E8B5AE3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.3000028757.000002093230A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.3000852968.00000210A5E0C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 00000003.00000003.1829022731.000001E8B2BA3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1826431343.000001E8B2B90000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1828905713.000001E8B2B9F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000005.00000002.3004187387.000001E7C6300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.3003174708.00000209327C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.3000440451.00000210A5C90000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://www.bbc.co.uk/	firefox.exe, 00000003.00000003.1897978118.000001E8BA684000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000006.00000002.3000028757.00000209323C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.3000852968.00000210A5EC3000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://127.0.0.1:	firefox.exe, 00000003.00000003.1949272743.000001E8B2EE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000005.00000002.3004187387.000001E7C6300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.3003174708.00000209327C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.3000440451.00000210A5C90000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 00000003.00000003.1827251097.000001E8B2B6D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 00000003.00000003.1851518665.000001E8B37DA000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mo	firefox.exe, 00000003.00000003.1920057059.000001E8BC1AE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000005.00000002.3004187387.000001E7C6300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.3003174708.00000209327C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.3000440451.00000210A5C90000.00000002.10000000.00040000.00000000.sdmp	false		unknown
http://detectportal.firefox.comP	firefox.exe, 00000003.00000003.1936063863.000001E8BC798000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.3.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 00000003.00000003.1941777175.000001E8B57D6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 00000003.00000003.1839099827.000001E8BE290000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://spocs.getpocket.com/	firefox.exe, 00000007.00000002.3000852968.00000210A5E13000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000005.00000002.3004187387.000001E7C6300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.3003174708.00000209327C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.3000440451.00000210A5C90000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000005.00000002.3004187387.000001E7C6300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.3003174708.00000209327C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.3000440451.00000210A5C90000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000005.00000002.3004187387.000001E7C6300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.3003174708.00000209327C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.3000440451.00000210A5C90000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://www.iqiyi.com/	firefox.exe, 00000003.00000003.1943091565.000001E8B4386000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1897978118.000001E8BA684000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000005.00000002.3004187387.000001E7C6300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.3003174708.00000209327C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.3000440451.00000210A5C90000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000005.00000002.3004187387.000001E7C6300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.3003174708.00000209327C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.3000440451.00000210A5C90000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000005.00000002.3004187387.000001E7C6300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.3003174708.00000209327C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.3000440451.00000210A5C90000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 00000003.00000003.1899832959.000001E8BA186000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1812977700.000001E8BA186000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 00000003.00000003.1937325455.000001E8BA6E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1797440885.000001E8BA6D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1897978118.000001E8BA6D6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000005.00000002.3004187387.000001E7C6300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.3003174708.00000209327C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.3000440451.00000210A5C90000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000005.00000002.3004187387.000001E7C6300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.3003174708.00000209327C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.3000440451.00000210A5C90000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 00000003.00000003.1827251097.000001E8B2B6D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000005.00000002.3004187387.000001E7C6300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.3003174708.00000209327C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.3000440451.00000210A5C90000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/about	firefox.exe, 00000005.00000002.3004187387.000001E7C6300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.3003174708.00000209327C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.3000440451.00000210A5C90000.00000002.10000000.00040000.00000000.sdmp	false		unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 00000003.00000003.1851518665.000001E8B37DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1930170520.000001E8B45A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1832818135.000001E8B2F89000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1912442243.000001E8B3CBD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1909854340.000001E8B5746000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1911665729.000001E8B4D84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1916535260.000001E8BB231000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1908127691.000001E8B576C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1911665729.000001E8B4D7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1819748446.000001E8BB313000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1877055068.000001E8BB233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1867650978.000001E8BB252000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1831800993.000001E8B2BBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1821673590.000001E8B2CE1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1812977700.000001E8BA16C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1838934405.000001E8BB252000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1790637653.000001E8BA414000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1918325868.000001E8B2BCB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1760129891.000001E8B2CE1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1847980813.000001E8B5BE5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1836867147.000001E8B37E9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 00000003.00000003.1908127691.000001E8B5776000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://youtube.com/	firefox.exe, 00000003.00000003.1802760390.000001E8B22AC000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://login.microsoftonline.com	firefox.exe, 00000003.00000003.1908127691.000001E8B5776000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1912368925.000001E8B4D33000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 00000005.00000002.3004187387.000001E7C6300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.3003174708.00000209327C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.3000440451.00000210A5C90000.00000002.10000000.00040000.00000000.sdmp	false		unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.3.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 00000003.00000003.1899832959.000001E8BA186000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1812977700.000001E8BA186000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1943091565.000001E8B4386000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1922894121.000001E8BA196000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://x1.c.lencr.org/0	firefox.exe, 00000003.00000003.1812977700.000001E8BA1F5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 00000003.00000003.1812977700.000001E8BA1F5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 00000003.00000003.1937325455.000001E8BA6E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1797440885.000001E8BA6D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1897978118.000001E8BA6D6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 00000003.00000003.1789518548.000001E8BA239000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 00000005.00000002.3004187387.000001E7C6300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.3003174708.00000209327C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.3000440451.00000210A5C90000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 00000003.00000003.1899832959.000001E8BA15E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 00000003.00000003.1937621933.000001E8BA6B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1792002781.000001E8BA6BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1897978118.000001E8BA6BD000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 00000003.00000003.1881712420.000001E8BE28C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 00000003.00000003.1802760390.000001E8B22A2000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://profiler.firefox.com	firefox.exe, 00000005.00000002.3004187387.000001E7C6300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.3003174708.00000209327C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.3000440451.00000210A5C90000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 00000003.00000003.1752373968.000001E8B0133000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 00000003.00000003.1827251097.000001E8B2B6D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 00000003.00000003.1932793743.000001E8B39B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1924220064.000001E8B39B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1945337077.000001E8B39B7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000005.00000002.3004187387.000001E7C6300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.3003174708.00000209327C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.3000440451.00000210A5C90000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 00000003.00000003.1908127691.000001E8B577C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1942464088.000001E8B578A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1929411474.000001E8B577E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 00000003.00000003.1829022731.000001E8B2BA3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1826431343.000001E8B2B90000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1827251097.000001E8B2B6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1828905713.000001E8B2B9F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 00000003.00000003.1752373968.000001E8B0133000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 00000005.00000002.3001702834.000001E7C62BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.3000028757.00000209323E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.3003613361.00000210A6003000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.3.dr	false	URL Reputation: safe	unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 00000003.00000003.1906039416.000001E8BA344000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000005.00000002.3004187387.000001E7C6300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.3003174708.00000209327C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.3000440451.00000210A5C90000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://www.amazon.co.uk/	firefox.exe, 00000003.00000003.1897978118.000001E8BA684000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 00000003.00000003.1905281077.000001E8BE097000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 00000005.00000002.3004187387.000001E7C6300000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.3003174708.00000209327C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.3000440451.00000210A5C90000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://screenshots.firefox.com/	firefox.exe, 00000003.00000003.1745523096.000001E8B235A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.google.com/search	firefox.exe, 00000003.00000003.1802760390.000001E8B22C0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1745523096.000001E8B235A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1945583994.000001E8B35E0000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
216.58.206.78	youtube.com	United States	15169	GOOGLEUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false
52.222.236.48	services.addons.mozilla.org	United States	16509	AMAZON-02US	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1529184
Start date and time:	2024-10-08 18:20:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal64.troj.evad.winEXE@19/34@65/12
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 97% Number of executed functions: 39 Number of non-executed functions: 309
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 44.238.148.23, 44.224.63.42, 44.242.27.108, 142.250.185.202, 142.250.185.138, 2.22.61.59, 2.22.61.56, 142.250.185.238, 142.250.186.174
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Execution Graph export aborted for target firefox.exe, PID 7336 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
12:21:14	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
52.222.236.48	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	https://issuu.com/smart_media/docs/die_welt_wirtschaft/19	Get hash	malicious	Unknown	Browse
	moba-24.2-installer_M64ZB-1.exe	Get hash	malicious	PureLog Stealer	Browse
	moba-24.2-installer_M64ZB-1.exe	Get hash	malicious	PureLog Stealer	Browse
	darkreader-chrome.zip	Get hash	malicious	HTMLPhisher	Browse
	MDE_File_Sample_c96cae8039920b2165d2fcc46a2004b884869760.zip	Get hash	malicious	Unknown	Browse
	pud8g3zixE.exe	Get hash	malicious	Amadey, Stealc	Browse
	file.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	https://1drv.ms/w/c/3e7c84f1a590a3e6/IQStDJr3bMEwQZDK5oU6uNI1AXa25ZxVanY0bWjgRrRk-d4	Get hash	malicious	Unknown	Browse	157.240.253.35
	Experiencehub.com_Report_53158.pdf	Get hash	malicious	Unknown	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	https://yourferguson.org/court-watch-october-30-2023/?fbclid=IwZXh0bgNhZW0CMTEAAR3dOwpQMI1HpEJMcLfneo2Ce-TuuXHtVI8-78YDrHW9adORVlMEABT0ELU_aem_CL7dDvEuGMkB8YFGhVQWUg	Get hash	malicious	Unknown	Browse	157.240.253.35
	https://www.google.com.bo/url?url=https://coqjcqixwpeuzndc&hpj=jguragr&fwbtzg=qoe&ffzzf=olnshn&aes=fvotjnl&garqe=txbrxc&emrj=ycbtmrgd&uwzlcgsurn=eygnbnharg&q=amp/jhjn24u.v%C2%ADvg%C2%ADzy%C2%ADnp%C2%ADe%C2%ADw%C2%ADl%C2%ADkkukl.com%E2%80%8B/4b3puorbt&vijx=zlglfoj&qcobrch=pupf&cjaim=omgedz&guneqiu=xqm&d=DwMFAg	Get hash	malicious	Unknown	Browse	157.240.252.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	Remittance_Raveis.htm	Get hash	malicious	Unknown	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	https://simpleinvoices.io/invoices/gvexd57Lej7	Get hash	malicious	Unknown	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.80
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.23
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.80
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.23
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.23
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.80
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.80
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	UjbjOP.ps1	Get hash	malicious	Unknown	Browse	34.117.59.81
	I9xuKI2p2B.ps1	Get hash	malicious	Unknown	Browse	34.117.59.81
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	na.elf	Get hash	malicious	Mirai	Browse	34.116.12.112
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	https://www.google.com.bo/url?url=https://coqjcqixwpeuzndc&hpj=jguragr&fwbtzg=qoe&ffzzf=olnshn&aes=fvotjnl&garqe=txbrxc&emrj=ycbtmrgd&uwzlcgsurn=eygnbnharg&q=amp/jhjn24u.v%C2%ADvg%C2%ADzy%C2%ADnp%C2%ADe%C2%ADw%C2%ADl%C2%ADkkukl.com%E2%80%8B/4b3puorbt&vijx=zlglfoj&qcobrch=pupf&cjaim=omgedz&guneqiu=xqm&d=DwMFAg	Get hash	malicious	Unknown	Browse	34.49.241.189
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	http://nbxvavlbbnks0ockyfxgnbxva.feedbackfusion.site/4nbXVA123415bxwz821wfgqkoqbno9030GRUYZVSMVMDWDTG236348/3210Y21	Get hash	malicious	Unknown	Browse	34.36.216.150
	na.elf	Get hash	malicious	Unknown	Browse	48.220.44.241
	na.elf	Get hash	malicious	Unknown	Browse	51.220.146.192
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	https://www.google.com.bo/url?url=https://coqjcqixwpeuzndc&hpj=jguragr&fwbtzg=qoe&ffzzf=olnshn&aes=fvotjnl&garqe=txbrxc&emrj=ycbtmrgd&uwzlcgsurn=eygnbnharg&q=amp/jhjn24u.v%C2%ADvg%C2%ADzy%C2%ADnp%C2%ADe%C2%ADw%C2%ADl%C2%ADkkukl.com%E2%80%8B/4b3puorbt&vijx=zlglfoj&qcobrch=pupf&cjaim=omgedz&guneqiu=xqm&d=DwMFAg	Get hash	malicious	Unknown	Browse	34.49.241.189
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	http://nbxvavlbbnks0ockyfxgnbxva.feedbackfusion.site/4nbXVA123415bxwz821wfgqkoqbno9030GRUYZVSMVMDWDTG236348/3210Y21	Get hash	malicious	Unknown	Browse	34.36.216.150
	na.elf	Get hash	malicious	Unknown	Browse	48.220.44.241
	na.elf	Get hash	malicious	Unknown	Browse	51.220.146.192

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 52.222.236.48
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 52.222.236.48
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 52.222.236.48
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 52.222.236.48
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 52.222.236.48
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 52.222.236.48
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 52.222.236.48
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 52.222.236.48
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 52.222.236.48
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 52.222.236.48

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_73fb8d8e-e288-46e4-b359-ffe2b7aea558.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.182370818881214
Encrypted:	false
SSDEEP:	192:LMjMXdpqcbhbVbTbfbRbObtbyEl7nIrbJA6WnSrDtTUd/SkDrw:LMYacNhnzFSJorSBnSrDhUd/6
MD5:	9F5928425324331ACABE96739341AEDE
SHA1:	25B16CFB05F7F2850F3CFF7AD149407DE5319E03
SHA-256:	28EBBC87E68A9FDF85DC5B9F9CF43193EA9D9D2607F411D03073FE4DB78294A4
SHA-512:	031A8885E918DA75B7424256916EEBD2A9BA9A482383EDE9561558D84758DED577D64924AA210AB20F448D3433AD21CEAED0069145870ED6B823A96D39659855
Malicious:	false
Reputation:	low
Preview:	{"type":"uninstall","id":"73fb8d8e-e288-46e4-b359-ffe2b7aea558","creationDate":"2024-10-08T17:46:09.053Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_73fb8d8e-e288-46e4-b359-ffe2b7aea558.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.182370818881214
Encrypted:	false
SSDEEP:	192:LMjMXdpqcbhbVbTbfbRbObtbyEl7nIrbJA6WnSrDtTUd/SkDrw:LMYacNhnzFSJorSBnSrDhUd/6
MD5:	9F5928425324331ACABE96739341AEDE
SHA1:	25B16CFB05F7F2850F3CFF7AD149407DE5319E03
SHA-256:	28EBBC87E68A9FDF85DC5B9F9CF43193EA9D9D2607F411D03073FE4DB78294A4
SHA-512:	031A8885E918DA75B7424256916EEBD2A9BA9A482383EDE9561558D84758DED577D64924AA210AB20F448D3433AD21CEAED0069145870ED6B823A96D39659855
Malicious:	false
Reputation:	low
Preview:	{"type":"uninstall","id":"73fb8d8e-e288-46e4-b359-ffe2b7aea558","creationDate":"2024-10-08T17:46:09.053Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Reputation:	high, very likely benign file
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Reputation:	high, very likely benign file
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.92749110508841
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakNc9r:8S+OfJQPUFpOdwNIOdYVjvYcXaNLvg8P
MD5:	E4DEA963BB9427C04A26A535098ECAD8
SHA1:	BA346FE0AA6EA9665973B9B5820785486B0A6300
SHA-256:	BD515DE4DA1F3499AAB6C8091BEE1914BED18FCAF2F1117DCAC52E3ED6B4C796
SHA-512:	666E9A7AC506322C9E157A3F12624CF3D6D030A64091B2B7624DAEDFE392BA48DBFFB8092277A72707751164C3D81E21F659AB737E88E0FE340968370A8E4F38
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.92749110508841
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakNc9r:8S+OfJQPUFpOdwNIOdYVjvYcXaNLvg8P
MD5:	E4DEA963BB9427C04A26A535098ECAD8
SHA1:	BA346FE0AA6EA9665973B9B5820785486B0A6300
SHA-256:	BD515DE4DA1F3499AAB6C8091BEE1914BED18FCAF2F1117DCAC52E3ED6B4C796
SHA-512:	666E9A7AC506322C9E157A3F12624CF3D6D030A64091B2B7624DAEDFE392BA48DBFFB8092277A72707751164C3D81E21F659AB737E88E0FE340968370A8E4F38
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.0731793812661075
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkiX:DLhesh7Owd4+ji
MD5:	62C4AA70DABDBD809090E117BFDF8A55
SHA1:	EFDB14AD6865FE0CA7B05D29AFB4D76A3C161261
SHA-256:	705772CF36342CA49C084601D991AE72A7624020FDC9BECBD463E2C640CD9EAA
SHA-512:	43C78F643451C1ABBEB70B385A76B1E2FD55D2AEE62BD9BAFAE423B5417BAA4D4D879C464A2FD159077A37E1C756270E59C3DBC7206913BDD3E7A4FDDB6621F3
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035577876577226504
Encrypted:	false
SSDEEP:	3:GtlstFVCIZt2dMmY89HIPlstFVCIZt2dMmY8lll/lT89//alEl:GtWtSITEMmRyWtSITEMmRt/J89XuM
MD5:	4A716B6F775D6253D02396D67262C050
SHA1:	9D61509B033EBC58C7A5883B99B0903CC7034619
SHA-256:	576DDF5BED0848BF54CBDCE6320F37A5C28FF0DD238B1E266D3F15A645FD0E72
SHA-512:	F68578DD0CCB946924B263EB0E0903DEE071AF69235BADDE53ED4D33573DC373AAA35DCBBCF09D225D40C5BC97A59724381E03A1132AA559540390AB775B40E8
Malicious:	false
Preview:	..-......................g..@K<..kw1...b.<W...Y..-......................g..@K<..kw1...b.<W...Y........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.039859322236019214
Encrypted:	false
SSDEEP:	3:Ol1U5WVLlNR9rPudqQlLl8rEXsxdwhml8XW3R2:KrhV6qQFl8dMhm93w
MD5:	C66DA15F1F51DFB5DCFC454EC51E7F61
SHA1:	9F08AE6DECF6E4695B7C4B92B54DCBE2683C53E0
SHA-256:	A440E9E30275C8C862F0F09B81DF1C693F565F57B580BBCD465CB4521319ECC4
SHA-512:	47C5D814586E0D9E32BEC75F0AC8A81689AA5F1C0B29BECEAABDB8696B5BDEA9C89168B93FD12C8A07A0AD14B454844CA95A508C8BB84D716151E3A7496419AE
Malicious:	false
Preview:	7....-...........kw1....>o..!0..........kw1.....g..<K@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	modified
Size (bytes):	13254
Entropy (8bit):	5.495837667538072
Encrypted:	false
SSDEEP:	192:ZnaRtLYbBp60hj4qyaaXS6KIaNnz5RfGNBw8dgSl:EeWq6HWPcw70
MD5:	E8EC86A0E66B5A7DEC22DD29F513AAE5
SHA1:	7CD00E933BE9619E6617FDEC6A7A5C2470AAD51E
SHA-256:	68D090C52800C65ACD23A00B0212A7CD016BBCA0672372ED2A7A4A3BF1739512
SHA-512:	8C636656464A05B216158E3CDFB1EC89E0B8F8B95DF28EFE71460942DD806F12D6EC125FEC4592B377D6B51A7827A6F9A912F5BD2E08CC9D6B0A403B64E38019
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1728409539);..user_pref("app.update.lastUpdateTime.background-update-timer", 1728409539);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1728409539);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172840

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.495837667538072
Encrypted:	false
SSDEEP:	192:ZnaRtLYbBp60hj4qyaaXS6KIaNnz5RfGNBw8dgSl:EeWq6HWPcw70
MD5:	E8EC86A0E66B5A7DEC22DD29F513AAE5
SHA1:	7CD00E933BE9619E6617FDEC6A7A5C2470AAD51E
SHA-256:	68D090C52800C65ACD23A00B0212A7CD016BBCA0672372ED2A7A4A3BF1739512
SHA-512:	8C636656464A05B216158E3CDFB1EC89E0B8F8B95DF28EFE71460942DD806F12D6EC125FEC4592B377D6B51A7827A6F9A912F5BD2E08CC9D6B0A403B64E38019
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1728409539);..user_pref("app.update.lastUpdateTime.background-update-timer", 1728409539);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1728409539);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172840

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1573
Entropy (8bit):	6.331411586459292
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSH2LXnIgLD/pnxQwRlszT5sKt0Lp3eHVQj6TiamhujJlOsIomNVr0l:GUpOxnBnR6c3eHTi4JlIquR4
MD5:	8F4D5DFD212268B118FEC0B8A6399280
SHA1:	1A55DDD8E6AD185F3ADF3ECB2FA58F25EB048A59
SHA-256:	0549DF016AA20BE7B9CE3C9DFE90FE4A16F2EB71D25FF591AAC1087F18C2C50B
SHA-512:	ABB67190801F27B9CD8D9DAD647533538667052E7C8D76CFDC2F9694FA013B61D6DD5B4D7940965FEC83F4A30C9F6DDC14ADF7F451AFA9D13796392B806A14B7
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{17fc8c9e-5da9-48ae-938c-b726d54fec08}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1728409545452,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate...3,"startTim..P09017...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...17026,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1573
Entropy (8bit):	6.331411586459292
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSH2LXnIgLD/pnxQwRlszT5sKt0Lp3eHVQj6TiamhujJlOsIomNVr0l:GUpOxnBnR6c3eHTi4JlIquR4
MD5:	8F4D5DFD212268B118FEC0B8A6399280
SHA1:	1A55DDD8E6AD185F3ADF3ECB2FA58F25EB048A59
SHA-256:	0549DF016AA20BE7B9CE3C9DFE90FE4A16F2EB71D25FF591AAC1087F18C2C50B
SHA-512:	ABB67190801F27B9CD8D9DAD647533538667052E7C8D76CFDC2F9694FA013B61D6DD5B4D7940965FEC83F4A30C9F6DDC14ADF7F451AFA9D13796392B806A14B7
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{17fc8c9e-5da9-48ae-938c-b726d54fec08}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1728409545452,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate...3,"startTim..P09017...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...17026,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1573
Entropy (8bit):	6.331411586459292
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSH2LXnIgLD/pnxQwRlszT5sKt0Lp3eHVQj6TiamhujJlOsIomNVr0l:GUpOxnBnR6c3eHTi4JlIquR4
MD5:	8F4D5DFD212268B118FEC0B8A6399280
SHA1:	1A55DDD8E6AD185F3ADF3ECB2FA58F25EB048A59
SHA-256:	0549DF016AA20BE7B9CE3C9DFE90FE4A16F2EB71D25FF591AAC1087F18C2C50B
SHA-512:	ABB67190801F27B9CD8D9DAD647533538667052E7C8D76CFDC2F9694FA013B61D6DD5B4D7940965FEC83F4A30C9F6DDC14ADF7F451AFA9D13796392B806A14B7
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{17fc8c9e-5da9-48ae-938c-b726d54fec08}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1728409545452,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate...3,"startTim..P09017...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...17026,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.034872965151495
Encrypted:	false
SSDEEP:	48:YrSAYW/6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyk:ycCyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	55E978755AB43F8F7B209BEA2A8FB7A8
SHA1:	769D5DA79A11D9172D0151CB6E411D34E3E32F8D
SHA-256:	E863FB953773792B1394728A6F1576E8B1B87F3C0C194B2453DA778AB3565B11
SHA-512:	5EB02179688B5E9147F4C28FDB6855C6EF82076B5225618233413A4CCA4D81F00D93A88847E0B2B4A2E5B2039382A3A44EE4E026A98ABA6540359DC2AB65398E
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-08T17:45:26.485Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.034872965151495
Encrypted:	false
SSDEEP:	48:YrSAYW/6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyk:ycCyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	55E978755AB43F8F7B209BEA2A8FB7A8
SHA1:	769D5DA79A11D9172D0151CB6E411D34E3E32F8D
SHA-256:	E863FB953773792B1394728A6F1576E8B1B87F3C0C194B2453DA778AB3565B11
SHA-512:	5EB02179688B5E9147F4C28FDB6855C6EF82076B5225618233413A4CCA4D81F00D93A88847E0B2B4A2E5B2039382A3A44EE4E026A98ABA6540359DC2AB65398E
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-08T17:45:26.485Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.583729572885454
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'040 bytes
MD5:	d921fe1b8e5b0fb7ae7cc505361ee284
SHA1:	5505cc71945c1c5e063258e00477682cf88de9f4
SHA256:	5fce332f5572c8ee802b8efdc97ffa9b43bcd175767efb954dbafc054b036851
SHA512:	7908a15ce48c7b881d272546c41abbd587c735c2c4a528ff0bcbdbbce6cbb8c2e7681b6c64d4336c6ec32c664e12c27349dd5543085f25791634c0bbeecfc7a6
SSDEEP:	12288:HqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga3Tm:HqDEvCTbMWu7rQYlBQcBiT6rprG8ajm
TLSH:	1B159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67055B7E [Tue Oct 8 16:19:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FC2015160F3h
jmp 00007FC2015159FFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FC201515BDDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FC201515BAAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FC20151879Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FC2015187E8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FC2015187D1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9bd0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9bd0	0x9c00	4e659381785b3bd675d3fc2200610b66	False	0.31725761217948717	data	5.330516971805599	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xe96	data			1.0029459025174077
RT_GROUP_ICON	0xdd650	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd6c8	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd6dc	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd6f0	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd704	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd7e0	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 18:21:09.616820097 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 8, 2024 18:21:09.616866112 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 8, 2024 18:21:09.616964102 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 8, 2024 18:21:09.622833014 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 8, 2024 18:21:09.622848988 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 8, 2024 18:21:10.121532917 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 8, 2024 18:21:10.121625900 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 8, 2024 18:21:10.142138004 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 8, 2024 18:21:10.142138004 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 8, 2024 18:21:10.142165899 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 8, 2024 18:21:10.142712116 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 8, 2024 18:21:10.143416882 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 8, 2024 18:21:11.810805082 CEST	49738	443	192.168.2.4	216.58.206.78
Oct 8, 2024 18:21:11.810904026 CEST	443	49738	216.58.206.78	192.168.2.4
Oct 8, 2024 18:21:11.811353922 CEST	49738	443	192.168.2.4	216.58.206.78
Oct 8, 2024 18:21:11.812661886 CEST	49738	443	192.168.2.4	216.58.206.78
Oct 8, 2024 18:21:11.812702894 CEST	443	49738	216.58.206.78	192.168.2.4
Oct 8, 2024 18:21:12.020762920 CEST	49739	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:12.026312113 CEST	80	49739	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:12.028611898 CEST	49739	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:12.028778076 CEST	49739	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:12.032054901 CEST	49740	443	192.168.2.4	216.58.206.78
Oct 8, 2024 18:21:12.032136917 CEST	443	49740	216.58.206.78	192.168.2.4
Oct 8, 2024 18:21:12.032350063 CEST	49740	443	192.168.2.4	216.58.206.78
Oct 8, 2024 18:21:12.034203053 CEST	80	49739	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:12.034986973 CEST	49740	443	192.168.2.4	216.58.206.78
Oct 8, 2024 18:21:12.035044909 CEST	443	49740	216.58.206.78	192.168.2.4
Oct 8, 2024 18:21:12.448015928 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 8, 2024 18:21:12.448077917 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 8, 2024 18:21:12.448710918 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 8, 2024 18:21:12.450223923 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 8, 2024 18:21:12.450257063 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 8, 2024 18:21:12.465780973 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 8, 2024 18:21:12.465857029 CEST	443	49743	34.117.188.166	192.168.2.4
Oct 8, 2024 18:21:12.466540098 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 8, 2024 18:21:12.467823029 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 8, 2024 18:21:12.467859030 CEST	443	49743	34.117.188.166	192.168.2.4
Oct 8, 2024 18:21:12.486759901 CEST	80	49739	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:12.533752918 CEST	49739	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:12.568744898 CEST	443	49738	216.58.206.78	192.168.2.4
Oct 8, 2024 18:21:12.568826914 CEST	49738	443	192.168.2.4	216.58.206.78
Oct 8, 2024 18:21:12.569747925 CEST	443	49738	216.58.206.78	192.168.2.4
Oct 8, 2024 18:21:12.569808006 CEST	49738	443	192.168.2.4	216.58.206.78
Oct 8, 2024 18:21:12.723145008 CEST	443	49740	216.58.206.78	192.168.2.4
Oct 8, 2024 18:21:12.723229885 CEST	49740	443	192.168.2.4	216.58.206.78
Oct 8, 2024 18:21:12.724592924 CEST	443	49740	216.58.206.78	192.168.2.4
Oct 8, 2024 18:21:12.724656105 CEST	49740	443	192.168.2.4	216.58.206.78
Oct 8, 2024 18:21:12.775773048 CEST	49738	443	192.168.2.4	216.58.206.78
Oct 8, 2024 18:21:12.775836945 CEST	443	49738	216.58.206.78	192.168.2.4
Oct 8, 2024 18:21:12.775998116 CEST	49738	443	192.168.2.4	216.58.206.78
Oct 8, 2024 18:21:12.776463032 CEST	443	49738	216.58.206.78	192.168.2.4
Oct 8, 2024 18:21:12.777781963 CEST	49740	443	192.168.2.4	216.58.206.78
Oct 8, 2024 18:21:12.777781963 CEST	49740	443	192.168.2.4	216.58.206.78
Oct 8, 2024 18:21:12.777838945 CEST	443	49740	216.58.206.78	192.168.2.4
Oct 8, 2024 18:21:12.778074980 CEST	49744	443	192.168.2.4	216.58.206.78
Oct 8, 2024 18:21:12.778126955 CEST	443	49744	216.58.206.78	192.168.2.4
Oct 8, 2024 18:21:12.778129101 CEST	49738	443	192.168.2.4	216.58.206.78
Oct 8, 2024 18:21:12.778506041 CEST	443	49740	216.58.206.78	192.168.2.4
Oct 8, 2024 18:21:12.778717041 CEST	49745	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:12.778769016 CEST	443	49745	35.244.181.201	192.168.2.4
Oct 8, 2024 18:21:12.779256105 CEST	49740	443	192.168.2.4	216.58.206.78
Oct 8, 2024 18:21:12.779273033 CEST	49744	443	192.168.2.4	216.58.206.78
Oct 8, 2024 18:21:12.779285908 CEST	49745	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:12.780457020 CEST	49744	443	192.168.2.4	216.58.206.78
Oct 8, 2024 18:21:12.780474901 CEST	443	49744	216.58.206.78	192.168.2.4
Oct 8, 2024 18:21:12.780586004 CEST	49745	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:12.780615091 CEST	443	49745	35.244.181.201	192.168.2.4
Oct 8, 2024 18:21:12.827117920 CEST	49746	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:12.828505993 CEST	49747	443	192.168.2.4	34.160.144.191
Oct 8, 2024 18:21:12.828564882 CEST	443	49747	34.160.144.191	192.168.2.4
Oct 8, 2024 18:21:12.829308987 CEST	49747	443	192.168.2.4	34.160.144.191
Oct 8, 2024 18:21:12.829452038 CEST	49747	443	192.168.2.4	34.160.144.191
Oct 8, 2024 18:21:12.829483986 CEST	443	49747	34.160.144.191	192.168.2.4
Oct 8, 2024 18:21:12.832079887 CEST	80	49746	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:12.834664106 CEST	49746	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:12.834924936 CEST	49746	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:12.840007067 CEST	80	49746	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:12.966662884 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 8, 2024 18:21:12.967139959 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 8, 2024 18:21:12.971656084 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 8, 2024 18:21:12.971740961 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 8, 2024 18:21:12.971776009 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 8, 2024 18:21:12.972086906 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 8, 2024 18:21:12.972125053 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 8, 2024 18:21:12.972223997 CEST	443	49748	34.117.188.166	192.168.2.4
Oct 8, 2024 18:21:12.972280979 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 8, 2024 18:21:12.972301006 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 8, 2024 18:21:12.974169016 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 8, 2024 18:21:12.974204063 CEST	443	49748	34.117.188.166	192.168.2.4
Oct 8, 2024 18:21:13.002408028 CEST	443	49743	34.117.188.166	192.168.2.4
Oct 8, 2024 18:21:13.003068924 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 8, 2024 18:21:13.010039091 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 8, 2024 18:21:13.010052919 CEST	443	49743	34.117.188.166	192.168.2.4
Oct 8, 2024 18:21:13.010143995 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 8, 2024 18:21:13.010406017 CEST	443	49743	34.117.188.166	192.168.2.4
Oct 8, 2024 18:21:13.010432005 CEST	49749	443	192.168.2.4	34.117.188.166
Oct 8, 2024 18:21:13.010478020 CEST	443	49749	34.117.188.166	192.168.2.4
Oct 8, 2024 18:21:13.010802984 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 8, 2024 18:21:13.010832071 CEST	49749	443	192.168.2.4	34.117.188.166
Oct 8, 2024 18:21:13.012067080 CEST	49749	443	192.168.2.4	34.117.188.166
Oct 8, 2024 18:21:13.012084961 CEST	443	49749	34.117.188.166	192.168.2.4
Oct 8, 2024 18:21:13.286721945 CEST	443	49745	35.244.181.201	192.168.2.4
Oct 8, 2024 18:21:13.286822081 CEST	49745	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:13.306112051 CEST	80	49746	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:13.322690964 CEST	443	49747	34.160.144.191	192.168.2.4
Oct 8, 2024 18:21:13.325257063 CEST	49747	443	192.168.2.4	34.160.144.191
Oct 8, 2024 18:21:13.355623007 CEST	49746	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:13.445303917 CEST	443	49748	34.117.188.166	192.168.2.4
Oct 8, 2024 18:21:13.451481104 CEST	443	49748	34.117.188.166	192.168.2.4
Oct 8, 2024 18:21:13.454304934 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 8, 2024 18:21:13.461745024 CEST	443	49744	216.58.206.78	192.168.2.4
Oct 8, 2024 18:21:13.462739944 CEST	443	49744	216.58.206.78	192.168.2.4
Oct 8, 2024 18:21:13.475476027 CEST	443	49744	216.58.206.78	192.168.2.4
Oct 8, 2024 18:21:13.476824999 CEST	49744	443	192.168.2.4	216.58.206.78
Oct 8, 2024 18:21:13.523730040 CEST	443	49749	34.117.188.166	192.168.2.4
Oct 8, 2024 18:21:13.535465002 CEST	443	49749	34.117.188.166	192.168.2.4
Oct 8, 2024 18:21:13.537235975 CEST	49749	443	192.168.2.4	34.117.188.166
Oct 8, 2024 18:21:13.621690035 CEST	49745	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:13.621773958 CEST	443	49745	35.244.181.201	192.168.2.4
Oct 8, 2024 18:21:13.622762918 CEST	443	49745	35.244.181.201	192.168.2.4
Oct 8, 2024 18:21:13.626945019 CEST	49747	443	192.168.2.4	34.160.144.191
Oct 8, 2024 18:21:13.627027988 CEST	443	49747	34.160.144.191	192.168.2.4
Oct 8, 2024 18:21:13.627393007 CEST	443	49747	34.160.144.191	192.168.2.4
Oct 8, 2024 18:21:13.640961885 CEST	49745	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:13.641572952 CEST	49745	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:13.641654968 CEST	443	49745	35.244.181.201	192.168.2.4
Oct 8, 2024 18:21:13.641707897 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 8, 2024 18:21:13.641748905 CEST	49745	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:13.641767025 CEST	443	49748	34.117.188.166	192.168.2.4
Oct 8, 2024 18:21:13.641877890 CEST	49747	443	192.168.2.4	34.160.144.191
Oct 8, 2024 18:21:13.642064095 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 8, 2024 18:21:13.642146111 CEST	443	49747	34.160.144.191	192.168.2.4
Oct 8, 2024 18:21:13.642199993 CEST	49744	443	192.168.2.4	216.58.206.78
Oct 8, 2024 18:21:13.642226934 CEST	443	49744	216.58.206.78	192.168.2.4
Oct 8, 2024 18:21:13.642460108 CEST	443	49748	34.117.188.166	192.168.2.4
Oct 8, 2024 18:21:13.642488956 CEST	49747	443	192.168.2.4	34.160.144.191
Oct 8, 2024 18:21:13.642540932 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 8, 2024 18:21:13.642826080 CEST	49747	443	192.168.2.4	34.160.144.191
Oct 8, 2024 18:21:13.642848969 CEST	49744	443	192.168.2.4	216.58.206.78
Oct 8, 2024 18:21:13.642891884 CEST	443	49747	34.160.144.191	192.168.2.4
Oct 8, 2024 18:21:13.642910957 CEST	443	49744	216.58.206.78	192.168.2.4
Oct 8, 2024 18:21:13.643079996 CEST	49744	443	192.168.2.4	216.58.206.78
Oct 8, 2024 18:21:13.643806934 CEST	49751	443	192.168.2.4	34.160.144.191
Oct 8, 2024 18:21:13.643824100 CEST	49749	443	192.168.2.4	34.117.188.166
Oct 8, 2024 18:21:13.643830061 CEST	443	49749	34.117.188.166	192.168.2.4
Oct 8, 2024 18:21:13.643887997 CEST	49749	443	192.168.2.4	34.117.188.166
Oct 8, 2024 18:21:13.643897057 CEST	443	49751	34.160.144.191	192.168.2.4
Oct 8, 2024 18:21:13.644148111 CEST	49751	443	192.168.2.4	34.160.144.191
Oct 8, 2024 18:21:13.644148111 CEST	49751	443	192.168.2.4	34.160.144.191
Oct 8, 2024 18:21:13.644280910 CEST	443	49751	34.160.144.191	192.168.2.4
Oct 8, 2024 18:21:13.644509077 CEST	443	49749	34.117.188.166	192.168.2.4
Oct 8, 2024 18:21:13.644572973 CEST	49749	443	192.168.2.4	34.117.188.166
Oct 8, 2024 18:21:13.669621944 CEST	49739	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:13.669662952 CEST	49746	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:13.675142050 CEST	80	49739	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:13.675873041 CEST	80	49746	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:13.677544117 CEST	49752	443	192.168.2.4	34.117.188.166
Oct 8, 2024 18:21:13.677628994 CEST	443	49752	34.117.188.166	192.168.2.4
Oct 8, 2024 18:21:13.678221941 CEST	49752	443	192.168.2.4	34.117.188.166
Oct 8, 2024 18:21:13.678225040 CEST	49739	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:13.678345919 CEST	49746	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:13.679487944 CEST	49752	443	192.168.2.4	34.117.188.166
Oct 8, 2024 18:21:13.679522038 CEST	443	49752	34.117.188.166	192.168.2.4
Oct 8, 2024 18:21:13.684761047 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:13.689616919 CEST	80	49754	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:13.689935923 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:13.690099955 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:13.695024014 CEST	80	49754	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:14.130194902 CEST	443	49751	34.160.144.191	192.168.2.4
Oct 8, 2024 18:21:14.130276918 CEST	49751	443	192.168.2.4	34.160.144.191
Oct 8, 2024 18:21:14.131721973 CEST	80	49754	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:14.132688999 CEST	49751	443	192.168.2.4	34.160.144.191
Oct 8, 2024 18:21:14.132719040 CEST	443	49751	34.160.144.191	192.168.2.4
Oct 8, 2024 18:21:14.133086920 CEST	443	49751	34.160.144.191	192.168.2.4
Oct 8, 2024 18:21:14.134479046 CEST	49751	443	192.168.2.4	34.160.144.191
Oct 8, 2024 18:21:14.134533882 CEST	49751	443	192.168.2.4	34.160.144.191
Oct 8, 2024 18:21:14.134664059 CEST	49751	443	192.168.2.4	34.160.144.191
Oct 8, 2024 18:21:14.180619955 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:14.192979097 CEST	443	49752	34.117.188.166	192.168.2.4
Oct 8, 2024 18:21:14.196283102 CEST	49752	443	192.168.2.4	34.117.188.166
Oct 8, 2024 18:21:14.202842951 CEST	49752	443	192.168.2.4	34.117.188.166
Oct 8, 2024 18:21:14.202883959 CEST	443	49752	34.117.188.166	192.168.2.4
Oct 8, 2024 18:21:14.202940941 CEST	49752	443	192.168.2.4	34.117.188.166
Oct 8, 2024 18:21:14.203052044 CEST	443	49752	34.117.188.166	192.168.2.4
Oct 8, 2024 18:21:14.203253984 CEST	49755	443	192.168.2.4	34.117.188.166
Oct 8, 2024 18:21:14.203308105 CEST	443	49755	34.117.188.166	192.168.2.4
Oct 8, 2024 18:21:14.211911917 CEST	49752	443	192.168.2.4	34.117.188.166
Oct 8, 2024 18:21:14.211956978 CEST	49755	443	192.168.2.4	34.117.188.166
Oct 8, 2024 18:21:14.214989901 CEST	49755	443	192.168.2.4	34.117.188.166
Oct 8, 2024 18:21:14.215023994 CEST	443	49755	34.117.188.166	192.168.2.4
Oct 8, 2024 18:21:14.472168922 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:14.472692966 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:14.477358103 CEST	80	49756	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:14.477958918 CEST	80	49754	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:14.478135109 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:14.478240013 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:14.483158112 CEST	80	49756	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:14.567186117 CEST	80	49754	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:14.613100052 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:14.717453957 CEST	443	49755	34.117.188.166	192.168.2.4
Oct 8, 2024 18:21:14.717470884 CEST	443	49755	34.117.188.166	192.168.2.4
Oct 8, 2024 18:21:14.718545914 CEST	49755	443	192.168.2.4	34.117.188.166
Oct 8, 2024 18:21:14.722287893 CEST	49755	443	192.168.2.4	34.117.188.166
Oct 8, 2024 18:21:14.722316980 CEST	443	49755	34.117.188.166	192.168.2.4
Oct 8, 2024 18:21:14.722368956 CEST	49755	443	192.168.2.4	34.117.188.166
Oct 8, 2024 18:21:14.722533941 CEST	443	49755	34.117.188.166	192.168.2.4
Oct 8, 2024 18:21:14.723555088 CEST	49755	443	192.168.2.4	34.117.188.166
Oct 8, 2024 18:21:14.845597029 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:14.851457119 CEST	80	49756	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:14.851659060 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:15.266715050 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:15.271143913 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:15.547527075 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:15.584717035 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:16.034521103 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:16.034554005 CEST	80	49754	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:16.034583092 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:16.034610987 CEST	80	49754	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:16.034651041 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:16.034723997 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:16.034786940 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:16.042582035 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:16.123533010 CEST	80	49754	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:16.181423903 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:16.251336098 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:16.256745100 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:16.261702061 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:16.262788057 CEST	49759	443	192.168.2.4	34.107.243.93
Oct 8, 2024 18:21:16.262837887 CEST	443	49759	34.107.243.93	192.168.2.4
Oct 8, 2024 18:21:16.263576984 CEST	49759	443	192.168.2.4	34.107.243.93
Oct 8, 2024 18:21:16.264750957 CEST	49759	443	192.168.2.4	34.107.243.93
Oct 8, 2024 18:21:16.264775038 CEST	443	49759	34.107.243.93	192.168.2.4
Oct 8, 2024 18:21:16.265486002 CEST	49760	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:21:16.265518904 CEST	443	49760	34.120.208.123	192.168.2.4
Oct 8, 2024 18:21:16.266160011 CEST	49760	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:21:16.267420053 CEST	49760	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:21:16.267435074 CEST	443	49760	34.120.208.123	192.168.2.4
Oct 8, 2024 18:21:16.276020050 CEST	49761	443	192.168.2.4	34.149.100.209
Oct 8, 2024 18:21:16.276034117 CEST	443	49761	34.149.100.209	192.168.2.4
Oct 8, 2024 18:21:16.277075052 CEST	49761	443	192.168.2.4	34.149.100.209
Oct 8, 2024 18:21:16.278251886 CEST	49761	443	192.168.2.4	34.149.100.209
Oct 8, 2024 18:21:16.278264046 CEST	443	49761	34.149.100.209	192.168.2.4
Oct 8, 2024 18:21:16.302233934 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:16.308315039 CEST	49762	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:16.308340073 CEST	443	49762	35.244.181.201	192.168.2.4
Oct 8, 2024 18:21:16.310981035 CEST	49762	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:16.311110973 CEST	49762	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:16.311122894 CEST	443	49762	35.244.181.201	192.168.2.4
Oct 8, 2024 18:21:16.405774117 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:16.409465075 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:16.486995935 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:16.538144112 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:16.746958017 CEST	443	49761	34.149.100.209	192.168.2.4
Oct 8, 2024 18:21:16.747155905 CEST	49761	443	192.168.2.4	34.149.100.209
Oct 8, 2024 18:21:16.751099110 CEST	49761	443	192.168.2.4	34.149.100.209
Oct 8, 2024 18:21:16.751111984 CEST	443	49761	34.149.100.209	192.168.2.4
Oct 8, 2024 18:21:16.751138926 CEST	49761	443	192.168.2.4	34.149.100.209
Oct 8, 2024 18:21:16.751351118 CEST	443	49761	34.149.100.209	192.168.2.4
Oct 8, 2024 18:21:16.751401901 CEST	49761	443	192.168.2.4	34.149.100.209
Oct 8, 2024 18:21:16.754173994 CEST	443	49759	34.107.243.93	192.168.2.4
Oct 8, 2024 18:21:16.755300045 CEST	49759	443	192.168.2.4	34.107.243.93
Oct 8, 2024 18:21:16.758917093 CEST	49759	443	192.168.2.4	34.107.243.93
Oct 8, 2024 18:21:16.758953094 CEST	443	49759	34.107.243.93	192.168.2.4
Oct 8, 2024 18:21:16.759006977 CEST	49759	443	192.168.2.4	34.107.243.93
Oct 8, 2024 18:21:16.759156942 CEST	443	49759	34.107.243.93	192.168.2.4
Oct 8, 2024 18:21:16.759332895 CEST	49759	443	192.168.2.4	34.107.243.93
Oct 8, 2024 18:21:17.122148037 CEST	443	49762	35.244.181.201	192.168.2.4
Oct 8, 2024 18:21:17.124816895 CEST	49762	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:17.126276016 CEST	443	49760	34.120.208.123	192.168.2.4
Oct 8, 2024 18:21:17.128952026 CEST	49762	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:17.128959894 CEST	443	49762	35.244.181.201	192.168.2.4
Oct 8, 2024 18:21:17.129327059 CEST	443	49762	35.244.181.201	192.168.2.4
Oct 8, 2024 18:21:17.131417990 CEST	443	49760	34.120.208.123	192.168.2.4
Oct 8, 2024 18:21:17.132272959 CEST	49762	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:17.132385969 CEST	49762	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:17.132446051 CEST	443	49762	35.244.181.201	192.168.2.4
Oct 8, 2024 18:21:17.134881020 CEST	49762	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:17.134896040 CEST	49762	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:17.134915113 CEST	49760	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:21:17.140058041 CEST	49760	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:21:17.140058041 CEST	49760	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:21:17.140070915 CEST	443	49760	34.120.208.123	192.168.2.4
Oct 8, 2024 18:21:17.140260935 CEST	443	49760	34.120.208.123	192.168.2.4
Oct 8, 2024 18:21:17.140661001 CEST	49760	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:21:21.608036041 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:21.870115995 CEST	80	49754	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:21.872033119 CEST	49764	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:21:21.872059107 CEST	443	49764	34.120.208.123	192.168.2.4
Oct 8, 2024 18:21:21.872379065 CEST	49764	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:21:21.872499943 CEST	49764	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:21:21.872505903 CEST	443	49764	34.120.208.123	192.168.2.4
Oct 8, 2024 18:21:21.873038054 CEST	49765	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:21:21.873120070 CEST	443	49765	34.120.208.123	192.168.2.4
Oct 8, 2024 18:21:21.873369932 CEST	49765	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:21:21.875425100 CEST	49765	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:21:21.875464916 CEST	443	49765	34.120.208.123	192.168.2.4
Oct 8, 2024 18:21:21.958679914 CEST	80	49754	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:22.012141943 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:22.077619076 CEST	49768	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:21:22.077698946 CEST	443	49768	34.120.208.123	192.168.2.4
Oct 8, 2024 18:21:22.081363916 CEST	49768	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:21:22.081485033 CEST	49768	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:21:22.081506014 CEST	443	49768	34.120.208.123	192.168.2.4
Oct 8, 2024 18:21:22.334952116 CEST	443	49765	34.120.208.123	192.168.2.4
Oct 8, 2024 18:21:22.335056067 CEST	49765	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:21:22.335135937 CEST	443	49764	34.120.208.123	192.168.2.4
Oct 8, 2024 18:21:22.336601019 CEST	49764	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:21:22.341790915 CEST	49764	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:21:22.341795921 CEST	443	49764	34.120.208.123	192.168.2.4
Oct 8, 2024 18:21:22.342174053 CEST	443	49764	34.120.208.123	192.168.2.4
Oct 8, 2024 18:21:22.367150068 CEST	49764	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:21:22.367264032 CEST	49764	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:21:22.367630959 CEST	443	49764	34.120.208.123	192.168.2.4
Oct 8, 2024 18:21:22.369900942 CEST	49765	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:21:22.369966984 CEST	443	49765	34.120.208.123	192.168.2.4
Oct 8, 2024 18:21:22.370017052 CEST	49765	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:21:22.370161057 CEST	49764	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:21:22.370398045 CEST	443	49765	34.120.208.123	192.168.2.4
Oct 8, 2024 18:21:22.370970011 CEST	49765	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:21:22.541721106 CEST	443	49768	34.120.208.123	192.168.2.4
Oct 8, 2024 18:21:22.544934988 CEST	49768	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:21:22.587316036 CEST	49768	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:21:22.587430954 CEST	443	49768	34.120.208.123	192.168.2.4
Oct 8, 2024 18:21:22.587891102 CEST	443	49768	34.120.208.123	192.168.2.4
Oct 8, 2024 18:21:22.614440918 CEST	49768	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:21:22.614530087 CEST	49768	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:21:22.614672899 CEST	443	49768	34.120.208.123	192.168.2.4
Oct 8, 2024 18:21:22.618837118 CEST	49768	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:21:23.531838894 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:23.537220955 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:23.627346039 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:23.685882092 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:24.945334911 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:24.946337938 CEST	49773	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:21:24.946365118 CEST	443	49773	34.120.208.123	192.168.2.4
Oct 8, 2024 18:21:24.946630955 CEST	49773	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:21:24.948681116 CEST	49773	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:21:24.948707104 CEST	443	49773	34.120.208.123	192.168.2.4
Oct 8, 2024 18:21:24.950315952 CEST	80	49754	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:25.056080103 CEST	80	49754	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:25.105576038 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:25.284466982 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:25.289918900 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:25.381050110 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:25.422115088 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:25.431335926 CEST	443	49773	34.120.208.123	192.168.2.4
Oct 8, 2024 18:21:25.431442022 CEST	49773	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:21:25.870527983 CEST	49773	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:21:25.870568037 CEST	443	49773	34.120.208.123	192.168.2.4
Oct 8, 2024 18:21:25.870632887 CEST	49773	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:21:25.871277094 CEST	443	49773	34.120.208.123	192.168.2.4
Oct 8, 2024 18:21:25.871381044 CEST	49773	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:21:25.975052118 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:25.980319977 CEST	80	49754	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:26.069406986 CEST	80	49754	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:26.124114990 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:26.748698950 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:26.753870010 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:26.754847050 CEST	49774	443	192.168.2.4	34.107.243.93
Oct 8, 2024 18:21:26.754878998 CEST	443	49774	34.107.243.93	192.168.2.4
Oct 8, 2024 18:21:26.757567883 CEST	49774	443	192.168.2.4	34.107.243.93
Oct 8, 2024 18:21:26.758541107 CEST	49774	443	192.168.2.4	34.107.243.93
Oct 8, 2024 18:21:26.758558035 CEST	443	49774	34.107.243.93	192.168.2.4
Oct 8, 2024 18:21:26.844990969 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:26.895165920 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:27.253268957 CEST	443	49774	34.107.243.93	192.168.2.4
Oct 8, 2024 18:21:27.253375053 CEST	49774	443	192.168.2.4	34.107.243.93
Oct 8, 2024 18:21:28.272937059 CEST	49774	443	192.168.2.4	34.107.243.93
Oct 8, 2024 18:21:28.272959948 CEST	443	49774	34.107.243.93	192.168.2.4
Oct 8, 2024 18:21:28.273009062 CEST	49774	443	192.168.2.4	34.107.243.93
Oct 8, 2024 18:21:28.273698092 CEST	443	49774	34.107.243.93	192.168.2.4
Oct 8, 2024 18:21:28.274985075 CEST	49774	443	192.168.2.4	34.107.243.93
Oct 8, 2024 18:21:28.515913963 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:28.521306992 CEST	80	49754	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:28.612689972 CEST	80	49754	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:28.615869999 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:28.622689009 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:28.662447929 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:28.711685896 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:28.762720108 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:37.952449083 CEST	49775	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:37.952574015 CEST	443	49775	35.244.181.201	192.168.2.4
Oct 8, 2024 18:21:37.952704906 CEST	49775	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:37.953000069 CEST	49775	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:37.953064919 CEST	443	49775	35.244.181.201	192.168.2.4
Oct 8, 2024 18:21:37.969398022 CEST	49776	443	192.168.2.4	34.149.100.209
Oct 8, 2024 18:21:37.969429016 CEST	443	49776	34.149.100.209	192.168.2.4
Oct 8, 2024 18:21:37.969619036 CEST	49776	443	192.168.2.4	34.149.100.209
Oct 8, 2024 18:21:37.969783068 CEST	49776	443	192.168.2.4	34.149.100.209
Oct 8, 2024 18:21:37.969793081 CEST	443	49776	34.149.100.209	192.168.2.4
Oct 8, 2024 18:21:37.977364063 CEST	49777	443	192.168.2.4	52.222.236.48
Oct 8, 2024 18:21:37.977416039 CEST	443	49777	52.222.236.48	192.168.2.4
Oct 8, 2024 18:21:37.977515936 CEST	49777	443	192.168.2.4	52.222.236.48
Oct 8, 2024 18:21:37.977673054 CEST	49777	443	192.168.2.4	52.222.236.48
Oct 8, 2024 18:21:37.977694988 CEST	443	49777	52.222.236.48	192.168.2.4
Oct 8, 2024 18:21:38.193922997 CEST	49778	443	192.168.2.4	35.190.72.216
Oct 8, 2024 18:21:38.193954945 CEST	443	49778	35.190.72.216	192.168.2.4
Oct 8, 2024 18:21:38.199564934 CEST	49778	443	192.168.2.4	35.190.72.216
Oct 8, 2024 18:21:38.201716900 CEST	49778	443	192.168.2.4	35.190.72.216
Oct 8, 2024 18:21:38.201730013 CEST	443	49778	35.190.72.216	192.168.2.4
Oct 8, 2024 18:21:38.211647034 CEST	49779	443	192.168.2.4	35.201.103.21
Oct 8, 2024 18:21:38.211654902 CEST	443	49779	35.201.103.21	192.168.2.4
Oct 8, 2024 18:21:38.212836027 CEST	49779	443	192.168.2.4	35.201.103.21
Oct 8, 2024 18:21:38.228765965 CEST	49779	443	192.168.2.4	35.201.103.21
Oct 8, 2024 18:21:38.228780031 CEST	443	49779	35.201.103.21	192.168.2.4
Oct 8, 2024 18:21:38.415977001 CEST	443	49775	35.244.181.201	192.168.2.4
Oct 8, 2024 18:21:38.416083097 CEST	49775	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:38.419190884 CEST	49775	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:38.419219971 CEST	443	49775	35.244.181.201	192.168.2.4
Oct 8, 2024 18:21:38.420000076 CEST	443	49775	35.244.181.201	192.168.2.4
Oct 8, 2024 18:21:38.422363997 CEST	49775	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:38.422446012 CEST	49775	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:38.422765017 CEST	443	49775	35.244.181.201	192.168.2.4
Oct 8, 2024 18:21:38.423206091 CEST	49775	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:38.427293062 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:38.430756092 CEST	443	49776	34.149.100.209	192.168.2.4
Oct 8, 2024 18:21:38.430845976 CEST	49776	443	192.168.2.4	34.149.100.209
Oct 8, 2024 18:21:38.432111025 CEST	80	49754	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:38.434833050 CEST	49776	443	192.168.2.4	34.149.100.209
Oct 8, 2024 18:21:38.434838057 CEST	443	49776	34.149.100.209	192.168.2.4
Oct 8, 2024 18:21:38.435168982 CEST	443	49776	34.149.100.209	192.168.2.4
Oct 8, 2024 18:21:38.438216925 CEST	49776	443	192.168.2.4	34.149.100.209
Oct 8, 2024 18:21:38.438297987 CEST	49776	443	192.168.2.4	34.149.100.209
Oct 8, 2024 18:21:38.438388109 CEST	443	49776	34.149.100.209	192.168.2.4
Oct 8, 2024 18:21:38.439672947 CEST	49776	443	192.168.2.4	34.149.100.209
Oct 8, 2024 18:21:38.521303892 CEST	80	49754	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:38.524446964 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:38.529455900 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:38.531511068 CEST	49780	443	192.168.2.4	34.107.243.93
Oct 8, 2024 18:21:38.531529903 CEST	443	49780	34.107.243.93	192.168.2.4
Oct 8, 2024 18:21:38.531970024 CEST	49780	443	192.168.2.4	34.107.243.93
Oct 8, 2024 18:21:38.533149958 CEST	49780	443	192.168.2.4	34.107.243.93
Oct 8, 2024 18:21:38.533160925 CEST	443	49780	34.107.243.93	192.168.2.4
Oct 8, 2024 18:21:38.575356007 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:38.630911112 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:38.675863981 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:38.684022903 CEST	443	49778	35.190.72.216	192.168.2.4
Oct 8, 2024 18:21:38.691340923 CEST	49778	443	192.168.2.4	35.190.72.216
Oct 8, 2024 18:21:38.695987940 CEST	49778	443	192.168.2.4	35.190.72.216
Oct 8, 2024 18:21:38.696001053 CEST	443	49778	35.190.72.216	192.168.2.4
Oct 8, 2024 18:21:38.696077108 CEST	49778	443	192.168.2.4	35.190.72.216
Oct 8, 2024 18:21:38.696149111 CEST	443	49778	35.190.72.216	192.168.2.4
Oct 8, 2024 18:21:38.697165012 CEST	49778	443	192.168.2.4	35.190.72.216
Oct 8, 2024 18:21:38.699353933 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:38.704261065 CEST	80	49754	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:38.706043005 CEST	443	49777	52.222.236.48	192.168.2.4
Oct 8, 2024 18:21:38.706188917 CEST	49777	443	192.168.2.4	52.222.236.48
Oct 8, 2024 18:21:38.707130909 CEST	443	49779	35.201.103.21	192.168.2.4
Oct 8, 2024 18:21:38.710238934 CEST	49777	443	192.168.2.4	52.222.236.48
Oct 8, 2024 18:21:38.710249901 CEST	443	49777	52.222.236.48	192.168.2.4
Oct 8, 2024 18:21:38.710633039 CEST	443	49777	52.222.236.48	192.168.2.4
Oct 8, 2024 18:21:38.713337898 CEST	49777	443	192.168.2.4	52.222.236.48
Oct 8, 2024 18:21:38.713471889 CEST	49777	443	192.168.2.4	52.222.236.48
Oct 8, 2024 18:21:38.713546038 CEST	443	49777	52.222.236.48	192.168.2.4
Oct 8, 2024 18:21:38.719404936 CEST	443	49779	35.201.103.21	192.168.2.4
Oct 8, 2024 18:21:38.723412037 CEST	443	49777	52.222.236.48	192.168.2.4
Oct 8, 2024 18:21:38.726243973 CEST	49781	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:38.726294994 CEST	443	49781	35.244.181.201	192.168.2.4
Oct 8, 2024 18:21:38.729152918 CEST	49777	443	192.168.2.4	52.222.236.48
Oct 8, 2024 18:21:38.729193926 CEST	49777	443	192.168.2.4	52.222.236.48
Oct 8, 2024 18:21:38.729197025 CEST	49779	443	192.168.2.4	35.201.103.21
Oct 8, 2024 18:21:38.729218006 CEST	49777	443	192.168.2.4	52.222.236.48
Oct 8, 2024 18:21:38.729266882 CEST	49781	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:38.732134104 CEST	49781	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:38.732151031 CEST	443	49781	35.244.181.201	192.168.2.4
Oct 8, 2024 18:21:38.734483957 CEST	49782	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:38.734493017 CEST	443	49782	35.244.181.201	192.168.2.4
Oct 8, 2024 18:21:38.734972000 CEST	49782	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:38.735090971 CEST	49782	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:38.735101938 CEST	443	49782	35.244.181.201	192.168.2.4
Oct 8, 2024 18:21:38.736768007 CEST	49783	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:38.736799955 CEST	443	49783	35.244.181.201	192.168.2.4
Oct 8, 2024 18:21:38.736916065 CEST	49779	443	192.168.2.4	35.201.103.21
Oct 8, 2024 18:21:38.736921072 CEST	443	49779	35.201.103.21	192.168.2.4
Oct 8, 2024 18:21:38.737031937 CEST	49779	443	192.168.2.4	35.201.103.21
Oct 8, 2024 18:21:38.737061977 CEST	443	49779	35.201.103.21	192.168.2.4
Oct 8, 2024 18:21:38.737360001 CEST	49779	443	192.168.2.4	35.201.103.21
Oct 8, 2024 18:21:38.737373114 CEST	49783	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:38.737525940 CEST	49783	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:38.737540960 CEST	443	49783	35.244.181.201	192.168.2.4
Oct 8, 2024 18:21:38.748305082 CEST	49784	443	192.168.2.4	34.149.100.209
Oct 8, 2024 18:21:38.748342991 CEST	443	49784	34.149.100.209	192.168.2.4
Oct 8, 2024 18:21:38.748528004 CEST	49784	443	192.168.2.4	34.149.100.209
Oct 8, 2024 18:21:38.760394096 CEST	49784	443	192.168.2.4	34.149.100.209
Oct 8, 2024 18:21:38.760411024 CEST	443	49784	34.149.100.209	192.168.2.4
Oct 8, 2024 18:21:38.793596983 CEST	80	49754	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:38.796349049 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:38.801347971 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:38.845294952 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:38.891508102 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:38.945333958 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:39.004317999 CEST	443	49780	34.107.243.93	192.168.2.4
Oct 8, 2024 18:21:39.004400969 CEST	49780	443	192.168.2.4	34.107.243.93
Oct 8, 2024 18:21:39.009659052 CEST	49780	443	192.168.2.4	34.107.243.93
Oct 8, 2024 18:21:39.009665966 CEST	443	49780	34.107.243.93	192.168.2.4
Oct 8, 2024 18:21:39.009807110 CEST	49780	443	192.168.2.4	34.107.243.93
Oct 8, 2024 18:21:39.009851933 CEST	443	49780	34.107.243.93	192.168.2.4
Oct 8, 2024 18:21:39.010094881 CEST	49780	443	192.168.2.4	34.107.243.93
Oct 8, 2024 18:21:39.012913942 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:39.018949986 CEST	80	49754	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:39.107291937 CEST	80	49754	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:39.111198902 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:39.117523909 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:39.161575079 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:39.210685968 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:39.211710930 CEST	443	49781	35.244.181.201	192.168.2.4
Oct 8, 2024 18:21:39.211824894 CEST	49781	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:39.214545965 CEST	49781	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:39.214566946 CEST	443	49781	35.244.181.201	192.168.2.4
Oct 8, 2024 18:21:39.215051889 CEST	443	49781	35.244.181.201	192.168.2.4
Oct 8, 2024 18:21:39.217777014 CEST	49781	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:39.217777014 CEST	49781	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:39.218149900 CEST	443	49781	35.244.181.201	192.168.2.4
Oct 8, 2024 18:21:39.218334913 CEST	49781	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:39.222230911 CEST	443	49783	35.244.181.201	192.168.2.4
Oct 8, 2024 18:21:39.222491026 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:39.223256111 CEST	49783	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:39.226871967 CEST	49783	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:39.226880074 CEST	443	49783	35.244.181.201	192.168.2.4
Oct 8, 2024 18:21:39.227219105 CEST	443	49783	35.244.181.201	192.168.2.4
Oct 8, 2024 18:21:39.228777885 CEST	80	49754	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:39.229887009 CEST	49783	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:39.230003119 CEST	49783	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:39.230017900 CEST	443	49783	35.244.181.201	192.168.2.4
Oct 8, 2024 18:21:39.230207920 CEST	49783	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:39.232806921 CEST	443	49782	35.244.181.201	192.168.2.4
Oct 8, 2024 18:21:39.232911110 CEST	49782	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:39.235598087 CEST	49782	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:39.235610962 CEST	443	49782	35.244.181.201	192.168.2.4
Oct 8, 2024 18:21:39.235788107 CEST	443	49784	34.149.100.209	192.168.2.4
Oct 8, 2024 18:21:39.235934973 CEST	443	49782	35.244.181.201	192.168.2.4
Oct 8, 2024 18:21:39.236777067 CEST	49784	443	192.168.2.4	34.149.100.209
Oct 8, 2024 18:21:39.239896059 CEST	49784	443	192.168.2.4	34.149.100.209
Oct 8, 2024 18:21:39.239902020 CEST	443	49784	34.149.100.209	192.168.2.4
Oct 8, 2024 18:21:39.240134954 CEST	443	49784	34.149.100.209	192.168.2.4
Oct 8, 2024 18:21:39.242547989 CEST	49782	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:39.242641926 CEST	49782	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:39.242727041 CEST	443	49782	35.244.181.201	192.168.2.4
Oct 8, 2024 18:21:39.244005919 CEST	49784	443	192.168.2.4	34.149.100.209
Oct 8, 2024 18:21:39.244083881 CEST	49784	443	192.168.2.4	34.149.100.209
Oct 8, 2024 18:21:39.244123936 CEST	443	49784	34.149.100.209	192.168.2.4
Oct 8, 2024 18:21:39.244402885 CEST	49782	443	192.168.2.4	35.244.181.201
Oct 8, 2024 18:21:39.244415998 CEST	49784	443	192.168.2.4	34.149.100.209
Oct 8, 2024 18:21:39.261889935 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:39.316812038 CEST	80	49754	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:39.319557905 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:39.324428082 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:39.362170935 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:39.416369915 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:39.462471962 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:49.325944901 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:49.331100941 CEST	80	49754	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:49.426053047 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:49.430998087 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:59.028351068 CEST	49787	443	192.168.2.4	34.107.243.93
Oct 8, 2024 18:21:59.028378963 CEST	443	49787	34.107.243.93	192.168.2.4
Oct 8, 2024 18:21:59.028625965 CEST	49787	443	192.168.2.4	34.107.243.93
Oct 8, 2024 18:21:59.030630112 CEST	49787	443	192.168.2.4	34.107.243.93
Oct 8, 2024 18:21:59.030642986 CEST	443	49787	34.107.243.93	192.168.2.4
Oct 8, 2024 18:21:59.340706110 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:59.347151041 CEST	80	49754	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:59.440920115 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:59.445853949 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:59.535656929 CEST	443	49787	34.107.243.93	192.168.2.4
Oct 8, 2024 18:21:59.535752058 CEST	49787	443	192.168.2.4	34.107.243.93
Oct 8, 2024 18:21:59.545232058 CEST	49787	443	192.168.2.4	34.107.243.93
Oct 8, 2024 18:21:59.545244932 CEST	443	49787	34.107.243.93	192.168.2.4
Oct 8, 2024 18:21:59.545351028 CEST	49787	443	192.168.2.4	34.107.243.93
Oct 8, 2024 18:21:59.545437098 CEST	443	49787	34.107.243.93	192.168.2.4
Oct 8, 2024 18:21:59.547581911 CEST	49787	443	192.168.2.4	34.107.243.93
Oct 8, 2024 18:21:59.549698114 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:59.554605961 CEST	80	49754	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:59.643908024 CEST	80	49754	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:59.655528069 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:59.660516024 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:59.704042912 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:21:59.751899958 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 8, 2024 18:21:59.804271936 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:22:07.493331909 CEST	49839	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:22:07.493427038 CEST	443	49839	34.120.208.123	192.168.2.4
Oct 8, 2024 18:22:07.493638039 CEST	49839	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:22:07.493752003 CEST	49839	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:22:07.493788958 CEST	443	49839	34.120.208.123	192.168.2.4
Oct 8, 2024 18:22:07.513389111 CEST	49840	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:22:07.513415098 CEST	443	49840	34.120.208.123	192.168.2.4
Oct 8, 2024 18:22:07.515070915 CEST	49840	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:22:07.515224934 CEST	49840	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:22:07.515234947 CEST	443	49840	34.120.208.123	192.168.2.4
Oct 8, 2024 18:22:07.515582085 CEST	49841	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:22:07.515610933 CEST	443	49841	34.120.208.123	192.168.2.4
Oct 8, 2024 18:22:07.516758919 CEST	49841	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:22:07.516941071 CEST	49841	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:22:07.516952038 CEST	443	49841	34.120.208.123	192.168.2.4
Oct 8, 2024 18:22:07.980504990 CEST	443	49839	34.120.208.123	192.168.2.4
Oct 8, 2024 18:22:07.980973959 CEST	49839	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:22:07.985284090 CEST	49839	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:22:07.985322952 CEST	443	49839	34.120.208.123	192.168.2.4
Oct 8, 2024 18:22:07.985692978 CEST	443	49839	34.120.208.123	192.168.2.4
Oct 8, 2024 18:22:07.988185883 CEST	49839	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:22:07.988327980 CEST	49839	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:22:07.988390923 CEST	443	49839	34.120.208.123	192.168.2.4
Oct 8, 2024 18:22:07.991946936 CEST	443	49840	34.120.208.123	192.168.2.4
Oct 8, 2024 18:22:07.993947983 CEST	49839	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:22:07.993978024 CEST	49840	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:22:07.995790005 CEST	443	49841	34.120.208.123	192.168.2.4
Oct 8, 2024 18:22:07.998119116 CEST	49840	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:22:07.998127937 CEST	443	49840	34.120.208.123	192.168.2.4
Oct 8, 2024 18:22:07.998373032 CEST	443	49840	34.120.208.123	192.168.2.4
Oct 8, 2024 18:22:08.001159906 CEST	49840	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:22:08.001262903 CEST	49840	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:22:08.001302004 CEST	443	49840	34.120.208.123	192.168.2.4
Oct 8, 2024 18:22:08.003060102 CEST	49841	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:22:08.006577015 CEST	49841	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:22:08.006597042 CEST	443	49841	34.120.208.123	192.168.2.4
Oct 8, 2024 18:22:08.007514000 CEST	443	49841	34.120.208.123	192.168.2.4
Oct 8, 2024 18:22:08.009532928 CEST	49841	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:22:08.009659052 CEST	49841	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:22:08.009968996 CEST	443	49841	34.120.208.123	192.168.2.4
Oct 8, 2024 18:22:08.011225939 CEST	49840	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:22:08.011244059 CEST	49840	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:22:08.011280060 CEST	49841	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:22:08.011281013 CEST	49841	443	192.168.2.4	34.120.208.123
Oct 8, 2024 18:22:08.025574923 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:22:08.030761957 CEST	80	49754	34.107.221.82	192.168.2.4
Oct 8, 2024 18:22:08.122314930 CEST	80	49754	34.107.221.82	192.168.2.4
Oct 8, 2024 18:22:08.126370907 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:22:08.131659031 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 8, 2024 18:22:08.166328907 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:22:08.222820044 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 8, 2024 18:22:08.282187939 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:22:18.128748894 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:22:18.134309053 CEST	80	49754	34.107.221.82	192.168.2.4
Oct 8, 2024 18:22:18.229093075 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:22:18.234364033 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 8, 2024 18:22:28.135344028 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:22:28.142447948 CEST	80	49754	34.107.221.82	192.168.2.4
Oct 8, 2024 18:22:28.235611916 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:22:28.241183043 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 8, 2024 18:22:38.148591995 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:22:38.153752089 CEST	80	49754	34.107.221.82	192.168.2.4
Oct 8, 2024 18:22:38.249041080 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:22:38.253950119 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 8, 2024 18:22:39.976887941 CEST	50024	443	192.168.2.4	34.107.243.93
Oct 8, 2024 18:22:39.976922035 CEST	443	50024	34.107.243.93	192.168.2.4
Oct 8, 2024 18:22:39.977102041 CEST	50024	443	192.168.2.4	34.107.243.93
Oct 8, 2024 18:22:39.979198933 CEST	50024	443	192.168.2.4	34.107.243.93
Oct 8, 2024 18:22:39.979212999 CEST	443	50024	34.107.243.93	192.168.2.4
Oct 8, 2024 18:22:40.454526901 CEST	443	50024	34.107.243.93	192.168.2.4
Oct 8, 2024 18:22:40.454597950 CEST	50024	443	192.168.2.4	34.107.243.93
Oct 8, 2024 18:22:40.460098982 CEST	50024	443	192.168.2.4	34.107.243.93
Oct 8, 2024 18:22:40.460108995 CEST	443	50024	34.107.243.93	192.168.2.4
Oct 8, 2024 18:22:40.460201979 CEST	50024	443	192.168.2.4	34.107.243.93
Oct 8, 2024 18:22:40.460267067 CEST	443	50024	34.107.243.93	192.168.2.4
Oct 8, 2024 18:22:40.462798119 CEST	50024	443	192.168.2.4	34.107.243.93
Oct 8, 2024 18:22:40.463267088 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:22:40.468122959 CEST	80	49754	34.107.221.82	192.168.2.4
Oct 8, 2024 18:22:40.557163000 CEST	80	49754	34.107.221.82	192.168.2.4
Oct 8, 2024 18:22:40.561532974 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:22:40.566451073 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 8, 2024 18:22:40.609232903 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:22:40.657573938 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 8, 2024 18:22:40.709528923 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:22:50.568739891 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:22:50.573808908 CEST	80	49754	34.107.221.82	192.168.2.4
Oct 8, 2024 18:22:50.668693066 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:22:50.673957109 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 8, 2024 18:23:00.584909916 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:23:00.591682911 CEST	80	49754	34.107.221.82	192.168.2.4
Oct 8, 2024 18:23:00.685400009 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:23:00.690615892 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 8, 2024 18:23:10.605477095 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:23:10.611907959 CEST	80	49754	34.107.221.82	192.168.2.4
Oct 8, 2024 18:23:10.705744982 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 8, 2024 18:23:10.712665081 CEST	80	49758	34.107.221.82	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 18:21:09.618875027 CEST	59990	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:09.628437996 CEST	53	59990	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:09.654381037 CEST	62230	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:09.662508965 CEST	53	62230	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:11.789865971 CEST	63737	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:11.792639971 CEST	60635	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:11.809915066 CEST	53	60635	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:11.810667992 CEST	58511	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:11.811165094 CEST	51629	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:11.818697929 CEST	53	58511	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:11.819116116 CEST	53	51629	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:11.819742918 CEST	52870	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:11.819957018 CEST	60970	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:11.826989889 CEST	53	60970	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:11.827807903 CEST	53	52870	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:12.438596010 CEST	61016	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:12.446388006 CEST	53	61016	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:12.448627949 CEST	63927	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:12.455966949 CEST	53	63927	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:12.456036091 CEST	64317	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:12.456871033 CEST	56509	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:12.464687109 CEST	53	56509	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:12.464833021 CEST	53	64317	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:12.466197968 CEST	61142	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:12.476038933 CEST	53	61142	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:12.476835966 CEST	56055	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:12.484422922 CEST	53	56055	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:12.779201031 CEST	56189	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:12.786900043 CEST	53	56189	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:12.794352055 CEST	51066	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:12.796235085 CEST	64363	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:12.801812887 CEST	53	51066	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:12.803587914 CEST	53	64363	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:12.805872917 CEST	55977	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:12.813422918 CEST	53	55977	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:12.814845085 CEST	58121	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:12.818203926 CEST	50341	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:12.825433969 CEST	53	50341	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:12.838148117 CEST	58914	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:12.845956087 CEST	53	58914	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:12.852946997 CEST	62493	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:12.862679958 CEST	53	62493	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:13.668368101 CEST	62441	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:13.698908091 CEST	53	59480	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:15.507730961 CEST	51051	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:16.036822081 CEST	53	51051	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:16.038145065 CEST	52075	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:16.046328068 CEST	53	52075	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:16.047955036 CEST	56817	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:16.055094004 CEST	53	56817	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:16.252470016 CEST	54104	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:16.260116100 CEST	53	54104	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:16.266062021 CEST	61659	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:16.266098022 CEST	55847	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:16.267906904 CEST	55423	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:16.274307013 CEST	53	55847	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:16.274768114 CEST	50921	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:16.275079966 CEST	53	61659	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:16.275314093 CEST	53	55423	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:16.275743961 CEST	58485	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:16.276235104 CEST	50969	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:16.281929970 CEST	53	50921	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:16.283844948 CEST	53	58485	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:16.283890009 CEST	53	50969	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:16.287127018 CEST	49312	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:16.296040058 CEST	53	49312	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:21.612768888 CEST	57851	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:21.871248007 CEST	53	57851	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:26.754569054 CEST	53541	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:26.761989117 CEST	53	53541	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:28.502973080 CEST	52542	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:28.503035069 CEST	52145	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:28.503256083 CEST	60397	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:28.510468006 CEST	53	52145	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:28.510504007 CEST	53	60397	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:28.510534048 CEST	53	52542	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:28.511818886 CEST	56381	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:28.511818886 CEST	60113	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:28.512535095 CEST	57345	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:28.519196033 CEST	53	56381	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:28.520080090 CEST	53	60113	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:28.520194054 CEST	53	57345	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:28.520725965 CEST	54691	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:28.521056890 CEST	50154	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:28.521348953 CEST	64881	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:28.527937889 CEST	53	54691	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:28.528254986 CEST	53	50154	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:28.528661013 CEST	53	64881	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:28.529273987 CEST	54899	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:28.529448986 CEST	60577	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:28.536200047 CEST	53	60577	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:28.536938906 CEST	53	54899	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:28.538944006 CEST	55430	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:28.539093971 CEST	62176	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:28.545942068 CEST	53	62176	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:28.546545982 CEST	57677	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:28.547274113 CEST	53	55430	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:28.549058914 CEST	57093	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:28.554913998 CEST	53	57677	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:28.556711912 CEST	53	57093	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:37.959963083 CEST	51282	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:37.967209101 CEST	63119	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:37.969288111 CEST	53	51282	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:37.974680901 CEST	53	63119	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:37.977758884 CEST	51454	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:37.985867977 CEST	53	51454	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:37.986463070 CEST	57030	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:37.994738102 CEST	53	57030	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:38.198915958 CEST	64836	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:38.208419085 CEST	53	64836	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:38.212613106 CEST	64703	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:38.220045090 CEST	53	64703	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:38.220757008 CEST	49732	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:38.229053974 CEST	53	49732	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:38.531660080 CEST	61715	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:38.538547039 CEST	53	61715	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:59.020194054 CEST	54720	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:59.027554989 CEST	53	54720	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:59.028256893 CEST	55228	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:21:59.039123058 CEST	53	55228	1.1.1.1	192.168.2.4
Oct 8, 2024 18:21:59.550649881 CEST	53452	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:22:07.509202957 CEST	55867	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:22:07.517860889 CEST	53	55867	1.1.1.1	192.168.2.4
Oct 8, 2024 18:22:39.975291967 CEST	56669	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:22:39.984307051 CEST	53	56669	1.1.1.1	192.168.2.4
Oct 8, 2024 18:22:39.985560894 CEST	60816	53	192.168.2.4	1.1.1.1
Oct 8, 2024 18:22:39.996020079 CEST	53	60816	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 8, 2024 18:21:09.618875027 CEST	192.168.2.4	1.1.1.1	0x7d1d	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:09.654381037 CEST	192.168.2.4	1.1.1.1	0xdc00	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 8, 2024 18:21:11.789865971 CEST	192.168.2.4	1.1.1.1	0x9f70	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:11.792639971 CEST	192.168.2.4	1.1.1.1	0x514f	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:11.810667992 CEST	192.168.2.4	1.1.1.1	0x2225	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:11.811165094 CEST	192.168.2.4	1.1.1.1	0x7219	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:11.819742918 CEST	192.168.2.4	1.1.1.1	0x842a	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 8, 2024 18:21:11.819957018 CEST	192.168.2.4	1.1.1.1	0xc4c0	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 8, 2024 18:21:12.438596010 CEST	192.168.2.4	1.1.1.1	0x3477	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:12.448627949 CEST	192.168.2.4	1.1.1.1	0xb15	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:12.456036091 CEST	192.168.2.4	1.1.1.1	0x8597	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:12.456871033 CEST	192.168.2.4	1.1.1.1	0x7975	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 8, 2024 18:21:12.466197968 CEST	192.168.2.4	1.1.1.1	0x76e7	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:12.476835966 CEST	192.168.2.4	1.1.1.1	0x511	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 8, 2024 18:21:12.779201031 CEST	192.168.2.4	1.1.1.1	0xfca6	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:12.794352055 CEST	192.168.2.4	1.1.1.1	0xe34c	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 8, 2024 18:21:12.796235085 CEST	192.168.2.4	1.1.1.1	0xad82	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:12.805872917 CEST	192.168.2.4	1.1.1.1	0xdca1	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:12.814845085 CEST	192.168.2.4	1.1.1.1	0xb8f7	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:12.818203926 CEST	192.168.2.4	1.1.1.1	0x85bb	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:12.838148117 CEST	192.168.2.4	1.1.1.1	0x39f4	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:12.852946997 CEST	192.168.2.4	1.1.1.1	0xae21	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 8, 2024 18:21:13.668368101 CEST	192.168.2.4	1.1.1.1	0xd687	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:15.507730961 CEST	192.168.2.4	1.1.1.1	0xd84b	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:16.038145065 CEST	192.168.2.4	1.1.1.1	0x3a48	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:16.047955036 CEST	192.168.2.4	1.1.1.1	0x6c05	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 8, 2024 18:21:16.252470016 CEST	192.168.2.4	1.1.1.1	0xbea9	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:16.266062021 CEST	192.168.2.4	1.1.1.1	0xec7c	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:16.266098022 CEST	192.168.2.4	1.1.1.1	0x675c	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:16.267906904 CEST	192.168.2.4	1.1.1.1	0xff3a	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:16.274768114 CEST	192.168.2.4	1.1.1.1	0x4072	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 8, 2024 18:21:16.275743961 CEST	192.168.2.4	1.1.1.1	0xfe6e	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 8, 2024 18:21:16.276235104 CEST	192.168.2.4	1.1.1.1	0x5cb9	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:16.287127018 CEST	192.168.2.4	1.1.1.1	0xd000	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 8, 2024 18:21:21.612768888 CEST	192.168.2.4	1.1.1.1	0xe0e4	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 8, 2024 18:21:26.754569054 CEST	192.168.2.4	1.1.1.1	0x1ead	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 8, 2024 18:21:28.502973080 CEST	192.168.2.4	1.1.1.1	0xe847	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.503035069 CEST	192.168.2.4	1.1.1.1	0x971b	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.503256083 CEST	192.168.2.4	1.1.1.1	0x6803	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.511818886 CEST	192.168.2.4	1.1.1.1	0xdfac	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.511818886 CEST	192.168.2.4	1.1.1.1	0x5b83	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.512535095 CEST	192.168.2.4	1.1.1.1	0x9553	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.520725965 CEST	192.168.2.4	1.1.1.1	0xb4ba	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 8, 2024 18:21:28.521056890 CEST	192.168.2.4	1.1.1.1	0xbb85	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 8, 2024 18:21:28.521348953 CEST	192.168.2.4	1.1.1.1	0x8342	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 8, 2024 18:21:28.529273987 CEST	192.168.2.4	1.1.1.1	0xd9d	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.529448986 CEST	192.168.2.4	1.1.1.1	0x69ca	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.538944006 CEST	192.168.2.4	1.1.1.1	0x6ebc	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.539093971 CEST	192.168.2.4	1.1.1.1	0x156b	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.546545982 CEST	192.168.2.4	1.1.1.1	0xc5dc	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 8, 2024 18:21:28.549058914 CEST	192.168.2.4	1.1.1.1	0x603c	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 8, 2024 18:21:37.959963083 CEST	192.168.2.4	1.1.1.1	0xc3f9	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 8, 2024 18:21:37.967209101 CEST	192.168.2.4	1.1.1.1	0x4bb6	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:37.977758884 CEST	192.168.2.4	1.1.1.1	0xe42	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:37.986463070 CEST	192.168.2.4	1.1.1.1	0xb623	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 8, 2024 18:21:38.198915958 CEST	192.168.2.4	1.1.1.1	0x59c7	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:38.212613106 CEST	192.168.2.4	1.1.1.1	0x7b38	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:38.220757008 CEST	192.168.2.4	1.1.1.1	0xac12	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 8, 2024 18:21:38.531660080 CEST	192.168.2.4	1.1.1.1	0xff6e	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 8, 2024 18:21:59.020194054 CEST	192.168.2.4	1.1.1.1	0x7052	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:59.028256893 CEST	192.168.2.4	1.1.1.1	0x3d4e	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 8, 2024 18:21:59.550649881 CEST	192.168.2.4	1.1.1.1	0xda2e	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:22:07.509202957 CEST	192.168.2.4	1.1.1.1	0x74c5	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 8, 2024 18:22:39.975291967 CEST	192.168.2.4	1.1.1.1	0xa234	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:22:39.985560894 CEST	192.168.2.4	1.1.1.1	0x9a88	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 8, 2024 18:21:09.607692003 CEST	1.1.1.1	192.168.2.4	0x5a7f	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:09.628437996 CEST	1.1.1.1	192.168.2.4	0x7d1d	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:11.807662964 CEST	1.1.1.1	192.168.2.4	0x9f70	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 18:21:11.807662964 CEST	1.1.1.1	192.168.2.4	0x9f70	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:11.809915066 CEST	1.1.1.1	192.168.2.4	0x514f	No error (0)	youtube.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:11.818697929 CEST	1.1.1.1	192.168.2.4	0x2225	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:11.819116116 CEST	1.1.1.1	192.168.2.4	0x7219	No error (0)	youtube.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:11.826989889 CEST	1.1.1.1	192.168.2.4	0xc4c0	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 8, 2024 18:21:11.827807903 CEST	1.1.1.1	192.168.2.4	0x842a	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 8, 2024 18:21:12.446388006 CEST	1.1.1.1	192.168.2.4	0x3477	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:12.455966949 CEST	1.1.1.1	192.168.2.4	0xb15	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:12.464833021 CEST	1.1.1.1	192.168.2.4	0x8597	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 18:21:12.464833021 CEST	1.1.1.1	192.168.2.4	0x8597	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:12.476038933 CEST	1.1.1.1	192.168.2.4	0x76e7	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:12.777961969 CEST	1.1.1.1	192.168.2.4	0x698c	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 18:21:12.777961969 CEST	1.1.1.1	192.168.2.4	0x698c	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:12.786900043 CEST	1.1.1.1	192.168.2.4	0xfca6	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:12.803587914 CEST	1.1.1.1	192.168.2.4	0xad82	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:12.813422918 CEST	1.1.1.1	192.168.2.4	0xdca1	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:12.813422918 CEST	1.1.1.1	192.168.2.4	0xdca1	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:12.822279930 CEST	1.1.1.1	192.168.2.4	0xb8f7	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 18:21:12.822279930 CEST	1.1.1.1	192.168.2.4	0xb8f7	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:12.825433969 CEST	1.1.1.1	192.168.2.4	0x85bb	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 18:21:12.825433969 CEST	1.1.1.1	192.168.2.4	0x85bb	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 18:21:12.825433969 CEST	1.1.1.1	192.168.2.4	0x85bb	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:12.845956087 CEST	1.1.1.1	192.168.2.4	0x39f4	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:12.862679958 CEST	1.1.1.1	192.168.2.4	0xae21	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 8, 2024 18:21:13.678611994 CEST	1.1.1.1	192.168.2.4	0xd687	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 18:21:16.036822081 CEST	1.1.1.1	192.168.2.4	0xd84b	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:16.046328068 CEST	1.1.1.1	192.168.2.4	0x3a48	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:16.260116100 CEST	1.1.1.1	192.168.2.4	0xbea9	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 18:21:16.260116100 CEST	1.1.1.1	192.168.2.4	0xbea9	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 18:21:16.260116100 CEST	1.1.1.1	192.168.2.4	0xbea9	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:16.263637066 CEST	1.1.1.1	192.168.2.4	0x3540	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:16.274307013 CEST	1.1.1.1	192.168.2.4	0x675c	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:16.275079966 CEST	1.1.1.1	192.168.2.4	0xec7c	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:16.275314093 CEST	1.1.1.1	192.168.2.4	0xff3a	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 18:21:16.275314093 CEST	1.1.1.1	192.168.2.4	0xff3a	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:16.283890009 CEST	1.1.1.1	192.168.2.4	0x5cb9	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:16.305227995 CEST	1.1.1.1	192.168.2.4	0x76b4	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 18:21:16.305227995 CEST	1.1.1.1	192.168.2.4	0x76b4	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:21.871735096 CEST	1.1.1.1	192.168.2.4	0xf684	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.510468006 CEST	1.1.1.1	192.168.2.4	0x971b	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 18:21:28.510468006 CEST	1.1.1.1	192.168.2.4	0x971b	No error (0)	star-mini.c10r.facebook.com		157.240.251.35	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.510504007 CEST	1.1.1.1	192.168.2.4	0x6803	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 18:21:28.510504007 CEST	1.1.1.1	192.168.2.4	0x6803	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.510534048 CEST	1.1.1.1	192.168.2.4	0xe847	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 18:21:28.510534048 CEST	1.1.1.1	192.168.2.4	0xe847	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.510534048 CEST	1.1.1.1	192.168.2.4	0xe847	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.510534048 CEST	1.1.1.1	192.168.2.4	0xe847	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.510534048 CEST	1.1.1.1	192.168.2.4	0xe847	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.510534048 CEST	1.1.1.1	192.168.2.4	0xe847	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.510534048 CEST	1.1.1.1	192.168.2.4	0xe847	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.510534048 CEST	1.1.1.1	192.168.2.4	0xe847	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.510534048 CEST	1.1.1.1	192.168.2.4	0xe847	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.510534048 CEST	1.1.1.1	192.168.2.4	0xe847	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.510534048 CEST	1.1.1.1	192.168.2.4	0xe847	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.510534048 CEST	1.1.1.1	192.168.2.4	0xe847	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.510534048 CEST	1.1.1.1	192.168.2.4	0xe847	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.510534048 CEST	1.1.1.1	192.168.2.4	0xe847	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.510534048 CEST	1.1.1.1	192.168.2.4	0xe847	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.510534048 CEST	1.1.1.1	192.168.2.4	0xe847	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.510534048 CEST	1.1.1.1	192.168.2.4	0xe847	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.519196033 CEST	1.1.1.1	192.168.2.4	0xdfac	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.520080090 CEST	1.1.1.1	192.168.2.4	0x5b83	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.520194054 CEST	1.1.1.1	192.168.2.4	0x9553	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.520194054 CEST	1.1.1.1	192.168.2.4	0x9553	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.520194054 CEST	1.1.1.1	192.168.2.4	0x9553	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.520194054 CEST	1.1.1.1	192.168.2.4	0x9553	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.520194054 CEST	1.1.1.1	192.168.2.4	0x9553	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.520194054 CEST	1.1.1.1	192.168.2.4	0x9553	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.520194054 CEST	1.1.1.1	192.168.2.4	0x9553	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.520194054 CEST	1.1.1.1	192.168.2.4	0x9553	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.520194054 CEST	1.1.1.1	192.168.2.4	0x9553	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.520194054 CEST	1.1.1.1	192.168.2.4	0x9553	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.520194054 CEST	1.1.1.1	192.168.2.4	0x9553	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.520194054 CEST	1.1.1.1	192.168.2.4	0x9553	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.520194054 CEST	1.1.1.1	192.168.2.4	0x9553	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.520194054 CEST	1.1.1.1	192.168.2.4	0x9553	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.520194054 CEST	1.1.1.1	192.168.2.4	0x9553	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.520194054 CEST	1.1.1.1	192.168.2.4	0x9553	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.527937889 CEST	1.1.1.1	192.168.2.4	0xb4ba	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 8, 2024 18:21:28.528254986 CEST	1.1.1.1	192.168.2.4	0xbb85	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 8, 2024 18:21:28.528661013 CEST	1.1.1.1	192.168.2.4	0x8342	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 8, 2024 18:21:28.528661013 CEST	1.1.1.1	192.168.2.4	0x8342	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 8, 2024 18:21:28.528661013 CEST	1.1.1.1	192.168.2.4	0x8342	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 8, 2024 18:21:28.528661013 CEST	1.1.1.1	192.168.2.4	0x8342	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 8, 2024 18:21:28.536200047 CEST	1.1.1.1	192.168.2.4	0x69ca	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.536938906 CEST	1.1.1.1	192.168.2.4	0xd9d	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 18:21:28.536938906 CEST	1.1.1.1	192.168.2.4	0xd9d	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.536938906 CEST	1.1.1.1	192.168.2.4	0xd9d	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.536938906 CEST	1.1.1.1	192.168.2.4	0xd9d	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.536938906 CEST	1.1.1.1	192.168.2.4	0xd9d	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.545942068 CEST	1.1.1.1	192.168.2.4	0x156b	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.547274113 CEST	1.1.1.1	192.168.2.4	0x6ebc	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.547274113 CEST	1.1.1.1	192.168.2.4	0x6ebc	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.547274113 CEST	1.1.1.1	192.168.2.4	0x6ebc	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:28.547274113 CEST	1.1.1.1	192.168.2.4	0x6ebc	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:37.958760023 CEST	1.1.1.1	192.168.2.4	0x2990	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 18:21:37.958760023 CEST	1.1.1.1	192.168.2.4	0x2990	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:37.974680901 CEST	1.1.1.1	192.168.2.4	0x4bb6	No error (0)	services.addons.mozilla.org		52.222.236.48	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:37.974680901 CEST	1.1.1.1	192.168.2.4	0x4bb6	No error (0)	services.addons.mozilla.org		52.222.236.80	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:37.974680901 CEST	1.1.1.1	192.168.2.4	0x4bb6	No error (0)	services.addons.mozilla.org		52.222.236.23	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:37.974680901 CEST	1.1.1.1	192.168.2.4	0x4bb6	No error (0)	services.addons.mozilla.org		52.222.236.120	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:37.985867977 CEST	1.1.1.1	192.168.2.4	0xe42	No error (0)	services.addons.mozilla.org		52.222.236.120	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:37.985867977 CEST	1.1.1.1	192.168.2.4	0xe42	No error (0)	services.addons.mozilla.org		52.222.236.48	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:37.985867977 CEST	1.1.1.1	192.168.2.4	0xe42	No error (0)	services.addons.mozilla.org		52.222.236.80	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:37.985867977 CEST	1.1.1.1	192.168.2.4	0xe42	No error (0)	services.addons.mozilla.org		52.222.236.23	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:38.208419085 CEST	1.1.1.1	192.168.2.4	0x59c7	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 18:21:38.208419085 CEST	1.1.1.1	192.168.2.4	0x59c7	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:38.220045090 CEST	1.1.1.1	192.168.2.4	0x7b38	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:39.235239983 CEST	1.1.1.1	192.168.2.4	0x8df7	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 18:21:39.235239983 CEST	1.1.1.1	192.168.2.4	0x8df7	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 18:21:59.027554989 CEST	1.1.1.1	192.168.2.4	0x7052	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:59.558509111 CEST	1.1.1.1	192.168.2.4	0xda2e	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 18:21:59.558509111 CEST	1.1.1.1	192.168.2.4	0xda2e	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:22:07.499964952 CEST	1.1.1.1	192.168.2.4	0x156e	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:22:39.984307051 CEST	1.1.1.1	192.168.2.4	0xa234	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49739	34.107.221.82	80	7336	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 18:21:12.028778076 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 18:21:12.486759901 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 08 Oct 2024 02:48:47 GMT Age: 48745 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49746	34.107.221.82	80	7336	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 18:21:12.834924936 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 18:21:13.306112051 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 08 Oct 2024 04:11:17 GMT Age: 43796 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49754	34.107.221.82	80	7336	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 18:21:13.690099955 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 18:21:14.131721973 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 08 Oct 2024 02:48:47 GMT Age: 48747 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 18:21:14.472692966 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 18:21:14.567186117 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 08 Oct 2024 02:48:47 GMT Age: 48747 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 18:21:15.271143913 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 18:21:15.584717035 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 18:21:16.123533010 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 08 Oct 2024 02:48:47 GMT Age: 48749 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 18:21:21.608036041 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 18:21:21.958679914 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 08 Oct 2024 02:48:47 GMT Age: 48754 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 18:21:24.945334911 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 18:21:25.056080103 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 08 Oct 2024 02:48:47 GMT Age: 48758 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 18:21:25.975052118 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 18:21:26.069406986 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 08 Oct 2024 02:48:47 GMT Age: 48759 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 18:21:28.515913963 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 18:21:28.612689972 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 08 Oct 2024 02:48:47 GMT Age: 48761 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 18:21:38.427293062 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 18:21:38.521303892 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 08 Oct 2024 02:48:47 GMT Age: 48771 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 18:21:38.699353933 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 18:21:38.793596983 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 08 Oct 2024 02:48:47 GMT Age: 48771 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 18:21:39.012913942 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 18:21:39.107291937 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 08 Oct 2024 02:48:47 GMT Age: 48772 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 18:21:39.222491026 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 18:21:39.316812038 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 08 Oct 2024 02:48:47 GMT Age: 48772 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 18:21:49.325944901 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 18:21:59.340706110 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 18:21:59.549698114 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 18:21:59.643908024 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 08 Oct 2024 02:48:47 GMT Age: 48792 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 18:22:08.025574923 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 18:22:08.122314930 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 08 Oct 2024 02:48:47 GMT Age: 48801 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 18:22:18.128748894 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 18:22:28.135344028 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 18:22:38.148591995 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 18:22:40.463267088 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 8, 2024 18:22:40.557163000 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 08 Oct 2024 02:48:47 GMT Age: 48833 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 8, 2024 18:22:50.568739891 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 18:23:00.584909916 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 18:23:10.605477095 CEST	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49756	34.107.221.82	80	7336	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 18:21:14.478240013 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49757	34.107.221.82	80	7336	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 18:21:16.034786940 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49758	34.107.221.82	80	7336	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 18:21:16.256745100 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 18:21:16.486995935 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 08 Oct 2024 01:58:38 GMT Age: 51758 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 18:21:23.531838894 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 18:21:23.627346039 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 08 Oct 2024 01:58:38 GMT Age: 51765 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 18:21:25.284466982 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 18:21:25.381050110 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 08 Oct 2024 01:58:38 GMT Age: 51767 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 18:21:26.748698950 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 18:21:26.844990969 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 08 Oct 2024 01:58:38 GMT Age: 51768 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 18:21:28.615869999 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 18:21:28.711685896 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 08 Oct 2024 01:58:38 GMT Age: 51770 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 18:21:38.524446964 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 18:21:38.630911112 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 08 Oct 2024 01:58:38 GMT Age: 51780 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 18:21:38.796349049 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 18:21:38.891508102 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 08 Oct 2024 01:58:38 GMT Age: 51780 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 18:21:39.111198902 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 18:21:39.210685968 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 08 Oct 2024 01:58:38 GMT Age: 51781 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 18:21:39.319557905 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 18:21:39.416369915 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 08 Oct 2024 01:58:38 GMT Age: 51781 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 18:21:49.426053047 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 18:21:59.440920115 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 18:21:59.655528069 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 18:21:59.751899958 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 08 Oct 2024 01:58:38 GMT Age: 51801 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 18:22:08.126370907 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 18:22:08.222820044 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 08 Oct 2024 01:58:38 GMT Age: 51810 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 18:22:18.229093075 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 18:22:28.235611916 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 18:22:38.249041080 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 18:22:40.561532974 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 8, 2024 18:22:40.657573938 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 08 Oct 2024 01:58:38 GMT Age: 51842 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 8, 2024 18:22:50.668693066 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 18:23:00.685400009 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 8, 2024 18:23:10.705744982 CEST	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	12:21:05
Start date:	08/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x7e0000
File size:	919'040 bytes
MD5 hash:	D921FE1B8E5B0FB7AE7CC505361EE284
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:21:05
Start date:	08/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:21:05
Start date:	08/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:21:05
Start date:	08/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	12:21:06
Start date:	08/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2232 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0a74e00-7b41-43bf-a354-618a0db3d180} 7336 "\\.\pipe\gecko-crash-server-pipe.7336" 1e8a2471110 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	12:21:09
Start date:	08/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4132 -parentBuildID 20230927232528 -prefsHandle 3864 -prefMapHandle 3636 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {471a8284-9a89-43a1-b4f0-a535a59985d3} 7336 "\\.\pipe\gecko-crash-server-pipe.7336" 1e8b3b5ce10 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	12:21:15
Start date:	08/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5180 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5140 -prefMapHandle 5136 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5561797f-130c-4525-aaaa-e8630c60aa02} 7336 "\\.\pipe\gecko-crash-server-pipe.7336" 1e8be1ce910 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.7%
Total number of Nodes:	1488
Total number of Limit Nodes:	44

Executed Functions

Function 007E42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 007E430D

Part of subcall function 007E6B57: _wcslen.LIBCMT ref: 007E6B6A

GetCurrentProcess.KERNEL32(?,0087CB64,00000000,?,?), ref: 007E4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 007E4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 007E4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 007E4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 007E4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 007E447B
GetSystemInfo.KERNEL32(?,?,?), ref: 007E44A0

Strings

kernel32.dll, xrefs: 007E444F
|O, xrefs: 008236F8
GetNativeSystemInfo, xrefs: 007E4460

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 68d9b1d9cdf80bd109707d1efd9231897d30dee1c6ca497e9732f4b108aae783
Instruction ID: 541ad2c2b37a67a4cab5b3da3a3a85b91130fe5008f1f5bf3433ccc32283cba1
Opcode Fuzzy Hash: 68d9b1d9cdf80bd109707d1efd9231897d30dee1c6ca497e9732f4b108aae783
Instruction Fuzzy Hash: A8A19461A1A3D0DFCF21C7697C6D19A7FE4BB3E300B984AADD0419BB65F62C4548CB21

Function 007E42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,007E50AA,?,?,00000000,00000000), ref: 007E42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,007E50AA,?,?,00000000,00000000), ref: 007E42C9
LoadResource.KERNEL32(?,00000000,?,?,007E50AA,?,?,00000000,00000000,?,?,?,?,?,?,007E4F20), ref: 008235BE
SizeofResource.KERNEL32(?,00000000,?,?,007E50AA,?,?,00000000,00000000,?,?,?,?,?,?,007E4F20), ref: 008235D3
LockResource.KERNEL32(007E50AA,?,?,007E50AA,?,?,00000000,00000000,?,?,?,?,?,?,007E4F20,?), ref: 008235E6

Strings

SCRIPT, xrefs: 007E42BF

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 8faef803457e3ba536dff089ea8627783f987ade3a9446519d58054bd49c54ae
Instruction ID: 3b3107bd53a39afdd3a56dd65c805e8c8d1c73ca1bb126f2e86b402c9c278d41
Opcode Fuzzy Hash: 8faef803457e3ba536dff089ea8627783f987ade3a9446519d58054bd49c54ae
Instruction Fuzzy Hash: 38117C71201700BFDB218B66DC48F277BBEFBC9B51F14816DB51AD7264DB71D8408620

Function 00822BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 007E2B6B

Part of subcall function 007E3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,008B1418,?,007E2E7F,?,?,?,00000000), ref: 007E3A78

Part of subcall function 007E9CB3: _wcslen.LIBCMT ref: 007E9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,008A2224), ref: 00822C10
ShellExecuteW.SHELL32(00000000,?,?,008A2224), ref: 00822C17

Strings

runas, xrefs: 00822C0B

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 7b529ff054fb35d388928a735fb324c2513cb290ca805f8d9d5a37cf8150ec8d
Instruction ID: 70d47ed85d024eb737c02a1c436fbb9b2f12555587ecec0da79f4eed429f1b10
Opcode Fuzzy Hash: 7b529ff054fb35d388928a735fb324c2513cb290ca805f8d9d5a37cf8150ec8d
Instruction Fuzzy Hash: C3113A3110A3C0EAC714FF61D85DDAEBBA9FB99340F44042CF186471A3DF2C898A8312

Function 0084D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0084D501
Process32FirstW.KERNEL32(00000000,?), ref: 0084D50F
Process32NextW.KERNEL32(00000000,?), ref: 0084D52F
CloseHandle.KERNELBASE(00000000), ref: 0084D5DC

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 276520eb40c6f89d72fea6337c644c36ed655427a748d7d9912d85c3cbb3a84f
Instruction ID: 9d42c52cbf934100c661350597156cd01ab6e598aaa1c06b5afda5cb8eee6448
Opcode Fuzzy Hash: 276520eb40c6f89d72fea6337c644c36ed655427a748d7d9912d85c3cbb3a84f
Instruction Fuzzy Hash: DE31AF72108344DFD300EF54C889AAFBBE8FF99344F50092DF585871A1EB71A985CBA2

Function 0084DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00825222), ref: 0084DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0084DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0084DBEE
FindClose.KERNEL32(00000000), ref: 0084DBFA

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 768d82b9e3a0f6e7a36898582dd2df228c0786097aa1c7371ad1d814cb75e819
Instruction ID: dd5071457e6e2e9db440c082d23877d8689b07ec48f65c9808563de5304d26c5
Opcode Fuzzy Hash: 768d82b9e3a0f6e7a36898582dd2df228c0786097aa1c7371ad1d814cb75e819
Instruction Fuzzy Hash: 8DF0A030820A185782216BB8AC4D8AA376CFF02334B50471AF83AC22E0FBB099D48695

Function 00804CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(008128E9,?,00804CBE,008128E9,008A88B8,0000000C,00804E15,008128E9,00000002,00000000,?,008128E9), ref: 00804D09
TerminateProcess.KERNEL32(00000000,?,00804CBE,008128E9,008A88B8,0000000C,00804E15,008128E9,00000002,00000000,?,008128E9), ref: 00804D10
ExitProcess.KERNEL32 ref: 00804D22

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: f2f714481d220fccb74adbdd4cacb14c5e1f354f175cc92f26fc79ab474cce97
Instruction ID: 003aeb17a5a0926621ea2ac8c4ff4eb408cbc565e8c94bd868e8bb4ecf97a1e8
Opcode Fuzzy Hash: f2f714481d220fccb74adbdd4cacb14c5e1f354f175cc92f26fc79ab474cce97
Instruction Fuzzy Hash: 42E09271040248AFCF51AF54DD09A583B69FB51785B104018FD09DB276CB35D982DA90

Function 0086AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0086B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0086B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0086B1D4
_wcslen.LIBCMT ref: 0086B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0086B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0086B236
_wcslen.LIBCMT ref: 0086B332

Part of subcall function 008505A7: GetStdHandle.KERNEL32(000000F6), ref: 008505C6

_wcslen.LIBCMT ref: 0086B34B
_wcslen.LIBCMT ref: 0086B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0086B3B6
GetLastError.KERNEL32(00000000), ref: 0086B407
CloseHandle.KERNEL32(?), ref: 0086B439
CloseHandle.KERNEL32(00000000), ref: 0086B44A
CloseHandle.KERNEL32(00000000), ref: 0086B45C
CloseHandle.KERNEL32(00000000), ref: 0086B46E
CloseHandle.KERNEL32(?), ref: 0086B4E3

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 50e89a4b1db357716ee821cea13e2810f6d8b55cc7830e4383a7ea5295419c1a
Instruction ID: f6c4d3901c71da7898da98624ceaf2fe05f400766f5bed980cc1ac9ff228ec6c
Opcode Fuzzy Hash: 50e89a4b1db357716ee821cea13e2810f6d8b55cc7830e4383a7ea5295419c1a
Instruction Fuzzy Hash: 99F17831604240DFCB14EF25C895A2ABBE1FF89318F15845DF999DB2A2DB35EC84CB52

Function 007ED730 Relevance: 21.6, APIs: 14, Instructions: 625sleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 007ED807
timeGetTime.WINMM ref: 007EDA07
Sleep.KERNELBASE(0000000A), ref: 007EDBB1
Sleep.KERNEL32(0000000A), ref: 00832B76

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Sleep$InputStateTimetime
String ID:
API String ID: 2764417729-0
Opcode ID: 1fc5cd7a9ee0c7fe520e2835174d0e7d50d4703035b8e50c50de876302fe2a56
Instruction ID: 9cd8f372199b501ea9c0fc5ea31b3ce29ebb5a2dd16ed8d1ac62b53017faed76
Opcode Fuzzy Hash: 1fc5cd7a9ee0c7fe520e2835174d0e7d50d4703035b8e50c50de876302fe2a56
Instruction Fuzzy Hash: BB42CF70609281DFDB34CF25C898B6AB7A1FF89314F14862DE565CB2A1D778EC44CB92

Function 007E2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 007E2D07
RegisterClassExW.USER32(00000030), ref: 007E2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007E2D42
InitCommonControlsEx.COMCTL32(?), ref: 007E2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007E2D6F
LoadIconW.USER32(000000A9), ref: 007E2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 007E2D94

Strings

TaskbarCreated, xrefs: 007E2D37
AutoIt v3 GUI, xrefs: 007E2D23
+, xrefs: 007E2CF0
0, xrefs: 007E2CE9

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: e476f0b9c255d6f47818ccef87f3aa643a9e68617af94020754bd8b68a0f3c25
Instruction ID: a510e73f21f1c78e9f7b0ca81a2752e8ca61f9d0047992b69963fca87d58226f
Opcode Fuzzy Hash: e476f0b9c255d6f47818ccef87f3aa643a9e68617af94020754bd8b68a0f3c25
Instruction Fuzzy Hash: FF21F0B0901248AFDB00DFA4E89DB9DBFB4FB08701F40821AE615AB2A4D7B495848F90

Function 0082065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0082039A: CreateFileW.KERNELBASE(00000000,00000000,?,00820704,?,?,00000000,?,00820704,00000000,0000000C), ref: 008203B7

GetLastError.KERNEL32 ref: 0082076F
__dosmaperr.LIBCMT ref: 00820776
GetFileType.KERNELBASE(00000000), ref: 00820782
GetLastError.KERNEL32 ref: 0082078C
__dosmaperr.LIBCMT ref: 00820795
CloseHandle.KERNEL32(00000000), ref: 008207B5
CloseHandle.KERNEL32(?), ref: 008208FF
GetLastError.KERNEL32 ref: 00820931
__dosmaperr.LIBCMT ref: 00820938

Strings

H, xrefs: 008208BD

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: c55ca764c76533830dc92436ad2ec68941748cca8def8eea21da6ded4e11587a
Instruction ID: 0985f18bc6ab79ae78ed342786fbde715454f6d26745bebd54474d5adf02ae9e
Opcode Fuzzy Hash: c55ca764c76533830dc92436ad2ec68941748cca8def8eea21da6ded4e11587a
Instruction Fuzzy Hash: 10A1F132A041189FDF19AF68EC55BAE7BA0FB06324F144159F815DB3D2DA319892CF92

Function 007E344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007E3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,008B1418,?,007E2E7F,?,?,?,00000000), ref: 007E3A78

Part of subcall function 007E3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 007E3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 007E356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0082318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 008231CE
RegCloseKey.ADVAPI32(?), ref: 00823210
_wcslen.LIBCMT ref: 00823277
_wcslen.LIBCMT ref: 00823286

Strings

Include, xrefs: 00823184, 008231C5
\, xrefs: 0082328C
\Include\, xrefs: 007E3527
Software\AutoIt v3\AutoIt, xrefs: 007E3560

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 2cc89da2792d6a807049f50624ec3d5c1c1870d0b7494649359ed88318e62612
Instruction ID: fc45468fdcfc8085793178cd9b079a4ce516fcb35860ecd3b1c0a73c3ab2fe03
Opcode Fuzzy Hash: 2cc89da2792d6a807049f50624ec3d5c1c1870d0b7494649359ed88318e62612
Instruction Fuzzy Hash: 79717C71405340EEC314EF65EC8596BBBE8FF99740B504A2EF555C32B0EB389A48CB62

Function 007E2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 007E2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 007E2B9D
LoadIconW.USER32(00000063), ref: 007E2BB3
LoadIconW.USER32(000000A4), ref: 007E2BC5
LoadIconW.USER32(000000A2), ref: 007E2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 007E2BEF
RegisterClassExW.USER32(?), ref: 007E2C40

Part of subcall function 007E2CD4: GetSysColorBrush.USER32(0000000F), ref: 007E2D07
Part of subcall function 007E2CD4: RegisterClassExW.USER32(00000030), ref: 007E2D31
Part of subcall function 007E2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007E2D42
Part of subcall function 007E2CD4: InitCommonControlsEx.COMCTL32(?), ref: 007E2D5F
Part of subcall function 007E2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007E2D6F
Part of subcall function 007E2CD4: LoadIconW.USER32(000000A9), ref: 007E2D85
Part of subcall function 007E2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 007E2D94

Strings

#, xrefs: 007E2C16
AutoIt v3, xrefs: 007E2C2F
0, xrefs: 007E2C0F

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: b47427c0f9e2db9a2269bb11fbca932284ea4dfdbeda137303a114043213a359
Instruction ID: 711b651b5e6a460bf4ed31ddf0fce95faccbf215dbec674039e66bc15f5b2742
Opcode Fuzzy Hash: b47427c0f9e2db9a2269bb11fbca932284ea4dfdbeda137303a114043213a359
Instruction Fuzzy Hash: 95213C71E00354ABDB109FA5EC6DA997FF4FB0CB50F50411AE504AB7A0E7B95540CF90

Function 007E3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,007E316A,?,?), ref: 007E31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,007E316A,?,?), ref: 007E3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 007E3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,007E316A,?,?), ref: 007E3232
CreatePopupMenu.USER32 ref: 007E3246
PostQuitMessage.USER32(00000000), ref: 007E3267

Strings

TaskbarCreated, xrefs: 007E322D

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: f6c4ac5c9275cc340676654fc847ada14b1c7ed377a458d38b306acb2ce9d2f6
Instruction ID: beafb216a539388238e8c68a88fed263501ec90d917caec26616658b9f248a69
Opcode Fuzzy Hash: f6c4ac5c9275cc340676654fc847ada14b1c7ed377a458d38b306acb2ce9d2f6
Instruction Fuzzy Hash: 89414935245288B7DF141B799C1EBB93B59F70D380F84022DF656CB2A1DB7DCA8097A1

Function 007E1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 007E1459
CoUninitialize.COMBASE ref: 007E14F8
UnregisterHotKey.USER32(?), ref: 007E16DD
DestroyWindow.USER32(?), ref: 008224B9
FreeLibrary.KERNEL32(?), ref: 0082251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0082254B

Strings

close all, xrefs: 007E1454

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: d61b73a1895b5f73506bc18e031f7dbfe26fa71eff221bad773dd00fe977ad5e
Instruction ID: 2fceb338cb67d12b97911cd6802946be65769e87776f8a5b69096edbac285b01
Opcode Fuzzy Hash: d61b73a1895b5f73506bc18e031f7dbfe26fa71eff221bad773dd00fe977ad5e
Instruction Fuzzy Hash: 52D1BE31702262DFCB29EF15D49AA29F7A0FF09710F5481ADE54AAB251CB34ED52CF50

Function 007E2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 007E2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 007E2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,007E1CAD,?), ref: 007E2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,007E1CAD,?), ref: 007E2CCF

Strings

edit, xrefs: 007E2CAC
AutoIt v3, xrefs: 007E2C89, 007E2C8E, 007E2C8F

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 68917fe9deb8d269a3ad916079b88fb198054c79900edd4b136132e2def51bc6
Instruction ID: 152537d47a46145c3be8b6e76155938b6b7d3974d2b9f63bf4da0963ed32af2d
Opcode Fuzzy Hash: 68917fe9deb8d269a3ad916079b88fb198054c79900edd4b136132e2def51bc6
Instruction Fuzzy Hash: 44F017755402907AEB300727AC1CE772FFDF7CAF50B54411EFA04AB2A0E6695880DBB0

Function 007E3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,007E3B0F,SwapMouseButtons,00000004,?), ref: 007E3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,007E3B0F,SwapMouseButtons,00000004,?), ref: 007E3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,007E3B0F,SwapMouseButtons,00000004,?), ref: 007E3B83

Strings

Control Panel\Mouse, xrefs: 007E3B3E

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 89816b19118708a6b749aac7084e46af06c6ccd81beecd8eefff1254b4c2f82d
Instruction ID: 31ad54e80d7347292377dd0a37ed444a112e9fb876ea1610bc5bef05401c4ee4
Opcode Fuzzy Hash: 89816b19118708a6b749aac7084e46af06c6ccd81beecd8eefff1254b4c2f82d
Instruction Fuzzy Hash: A6112AB5511248FFDB208FAADC48AAEB7B8EF48744B104559E806D7110E235DE4097A0

Function 007E3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 008233A2

Part of subcall function 007E6B57: _wcslen.LIBCMT ref: 007E6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 007E3A04

Strings

Line: , xrefs: 008233EB

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: cc63191bfb57775cc0945edfcc70802e91d2edb52e5eeadeaf4b4f5c0141e6de
Instruction ID: dcff8fa67d5970a9aee772a158b860d32ca91ee640075cda6ba1440e42651708
Opcode Fuzzy Hash: cc63191bfb57775cc0945edfcc70802e91d2edb52e5eeadeaf4b4f5c0141e6de
Instruction Fuzzy Hash: 4131C771409380AAC721EB15DC5DBDBB7D8BF48714F10452EF59987291EB78A644C7C2

Function 007FFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00800668

Part of subcall function 008032A4: RaiseException.KERNEL32(?,?,?,0080068A,?,008B1444,?,?,?,?,?,?,0080068A,007E1129,008A8738,007E1129), ref: 00803304

__CxxThrowException@8.LIBVCRUNTIME ref: 00800685

Strings

Unknown exception, xrefs: 00800692

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 9dd93a8e3d590b493a5c201d417d4c1bc96b15205e9b66c2010f108a2d75d726
Instruction ID: 1e5b253c5be72c0a75d77e1dbf82d7bdf5617cc3f2e0f30831ac6dd73806e3c1
Opcode Fuzzy Hash: 9dd93a8e3d590b493a5c201d417d4c1bc96b15205e9b66c2010f108a2d75d726
Instruction Fuzzy Hash: 99F0283490030CB7CB40B6A8DC46E5E776DFE10310F604131FA24D26D1EF71DA25C982

Function 007E10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 007E1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 007E1BF4
Part of subcall function 007E1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 007E1BFC
Part of subcall function 007E1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 007E1C07
Part of subcall function 007E1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 007E1C12
Part of subcall function 007E1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 007E1C1A
Part of subcall function 007E1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 007E1C22

Part of subcall function 007E1B4A: RegisterWindowMessageW.USER32(00000004,?,007E12C4), ref: 007E1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 007E136A
OleInitialize.OLE32 ref: 007E1388
CloseHandle.KERNEL32(00000000,00000000), ref: 008224AB

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 70590121c7b364c7c96eb8bb22a69a76be8a621c7323af1407d478c0cd1c3ee0
Instruction ID: d5e587492e373fb391548e04aa0bf2ba90b90b7e99debc99f296c403b9525165
Opcode Fuzzy Hash: 70590121c7b364c7c96eb8bb22a69a76be8a621c7323af1407d478c0cd1c3ee0
Instruction Fuzzy Hash: F471ADB49122408ECBA4DFBAA86D6953BE1FB893403E4833ED51ACF361EB349445CF55

Function 0084C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 007E3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 007E3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0084C259
KillTimer.USER32(?,00000001,?,?), ref: 0084C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0084C270

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 3ce219d1603a9247664016bff03447c5476a10237f27b7bbd13cf2b92a8c8267
Instruction ID: 554524ac4d37c9c24a30ba1204bdcb972d6735f242c822a3fac76d7b5eadc61a
Opcode Fuzzy Hash: 3ce219d1603a9247664016bff03447c5476a10237f27b7bbd13cf2b92a8c8267
Instruction Fuzzy Hash: F4319370905358AFEB629F648859BE7BBECFB06308F00049ED6DEE7241C7B45A84CB51

Function 008186AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,008185CC,?,008A8CC8,0000000C), ref: 00818704
GetLastError.KERNEL32(?,008185CC,?,008A8CC8,0000000C), ref: 0081870E
__dosmaperr.LIBCMT ref: 00818739

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 35fb58c6fc6206adfab3615e6b0173da6e36cf1212dfa015e3cc5563de3f08c6
Instruction ID: 45aa7a8a79894daaea30bdff1b8ad47fa8588e1eaa7a751d923671019e4b5c2a
Opcode Fuzzy Hash: 35fb58c6fc6206adfab3615e6b0173da6e36cf1212dfa015e3cc5563de3f08c6
Instruction Fuzzy Hash: D3010832605620D6D66462386C4BBFF674DFF92778F29021EE828DB2D2DEA0CCC18151

Function 007EDB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 007EDB7B
DispatchMessageW.USER32(?), ref: 007EDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007EDB9F
Sleep.KERNELBASE(0000000A), ref: 007EDBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00831CC9

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 611981030f050ebc863e9224b53c4afc9966c42c1853ff5fbea9744663dafa43
Instruction ID: 6b7d7bb56d03ba7634c83706694f1873cb03947b818b0fd78425907849329620
Opcode Fuzzy Hash: 611981030f050ebc863e9224b53c4afc9966c42c1853ff5fbea9744663dafa43
Instruction Fuzzy Hash: A4F054306053849BEB34C7A5DC9DFEA73ACFB88750F504519E619C70D0EB3494888B15

Function 007F1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 007F17F6

Strings

CALL, xrefs: 007F17C6

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: cf4fa0485369447d0a3bcf26c755aee76caea0dc37239329491cc6d06cf6d9dd
Instruction ID: 48bb7752d3b5d1fcb46b2ae2e36e7e06e1fec5c3546577ff3325b2c8a625d68b
Opcode Fuzzy Hash: cf4fa0485369447d0a3bcf26c755aee76caea0dc37239329491cc6d06cf6d9dd
Instruction Fuzzy Hash: B5228A70608245DFC714DF18C484A3ABBE1FF89314F54892DF6968B361E739E855CB92

Function 007E2DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00822C8C

Part of subcall function 007E3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007E3A97,?,?,007E2E7F,?,?,?,00000000), ref: 007E3AC2

Part of subcall function 007E2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007E2DC4

Strings

X, xrefs: 00822C5A

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: f4e27e5aa214c41c94122a4ec3add1a18ff304ea4a196e9e18bf74e587d65e52
Instruction ID: 537a852b36f242651ea3e9109aa24d0b41d826041662c562169109a98358454b
Opcode Fuzzy Hash: f4e27e5aa214c41c94122a4ec3add1a18ff304ea4a196e9e18bf74e587d65e52
Instruction Fuzzy Hash: 4021D171A00298AADB01DF95C809BEE7BFCFF4D304F008059E504E7241EBB85A898BA1

Function 007E3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 007E3908

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: aa089121fb05a471ec6151feab93dcc0cd9566c78ab5aaa66899d1a00907c63a
Instruction ID: 8fffee27fc19f8edcbb4b8e294abadd1c10d8e139f1531365beb4672ba579ffa
Opcode Fuzzy Hash: aa089121fb05a471ec6151feab93dcc0cd9566c78ab5aaa66899d1a00907c63a
Instruction Fuzzy Hash: 7A319C705053408FD720DF25D8987A7BBE8FB4D308F00092EF69987340E779AA44CB62

Function 007FF645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 007FF661

Part of subcall function 007ED730: GetInputState.USER32 ref: 007ED807

Sleep.KERNEL32(00000000), ref: 0083F2DE

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: b8375dce83163e5524f41bebc68f6abb9dfd6d432432c959f9098217c014a3e5
Instruction ID: f191c423063de0b958330c74238d2729e6f4a6b4dba3486e7d20d6593eaed08c
Opcode Fuzzy Hash: b8375dce83163e5524f41bebc68f6abb9dfd6d432432c959f9098217c014a3e5
Instruction Fuzzy Hash: 85F0F831240645DFD324EB6AD449B6ABBE8FF49761F004069E95AC7361DBA0A850CB91

Function 007E4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 007E4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,007E4EDD,?,008B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007E4E9C
Part of subcall function 007E4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 007E4EAE
Part of subcall function 007E4E90: FreeLibrary.KERNEL32(00000000,?,?,007E4EDD,?,008B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007E4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,008B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007E4EFD

Part of subcall function 007E4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00823CDE,?,008B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007E4E62
Part of subcall function 007E4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 007E4E74
Part of subcall function 007E4E59: FreeLibrary.KERNEL32(00000000,?,?,00823CDE,?,008B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007E4E87

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: ee88a0450938a480e96e735c51e2e188cb5e8832b9a37055e01132baa909a9c6
Instruction ID: 9eafe50f99d022fd4435be046a32d736543ee8517bfde2eea005f450ff7185c2
Opcode Fuzzy Hash: ee88a0450938a480e96e735c51e2e188cb5e8832b9a37055e01132baa909a9c6
Instruction Fuzzy Hash: C1112332601205EACB14BB66DC0AFAD77A5AF48B10F10882DF542EA1C1EE789A449750

Function 00818402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00818440

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: f9bd3050e37edf60df424c3e7fe9adae9c220c30b9bfd717ccb3aa67be82b711
Instruction ID: 4423537485bedb0c7d933f4be672eaa8f91982d2b0782909a1cc671aefc06c7d
Opcode Fuzzy Hash: f9bd3050e37edf60df424c3e7fe9adae9c220c30b9bfd717ccb3aa67be82b711
Instruction Fuzzy Hash: E211487190410AEFCB05DF58E9419DA7BF9FF48314F104059F808EB312DA30DA11CBA5

Function 00815000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00814C7D: RtlAllocateHeap.NTDLL(00000008,007E1129,00000000,?,00812E29,00000001,00000364,?,?,?,0080F2DE,00813863,008B1444,?,007FFDF5,?), ref: 00814CBE

_free.LIBCMT ref: 0081506C

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 7d327fe2ece2610c5b94af8b907a99863702e464d45f921fde6347d2a49e040b
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: CB012B72204B049BE321CE599841ADAFBECFFC9370F25051DE184C3280E6306845C6B4

Function 0080E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: cb657b78a55407ef3b2be6c35da502bacf772e2bf3f3250935414a2fd1bdc55e
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: BDF0D132510A1496D6712A6DAC05B9B379CFF62335F100B15F435D22D2CB719841C6A7

Function 00814C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,007E1129,00000000,?,00812E29,00000001,00000364,?,?,?,0080F2DE,00813863,008B1444,?,007FFDF5,?), ref: 00814CBE

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d91a3684ad778890b731e14eb211079805ab21e884b8d3b6d598921507ab568d
Instruction ID: e30b8ff145729d490d4be8bc79221624cc6435827dc5efc3fa890c0dfafee8db
Opcode Fuzzy Hash: d91a3684ad778890b731e14eb211079805ab21e884b8d3b6d598921507ab568d
Instruction Fuzzy Hash: 4CF0E93160222467DB215F6A9C09BDA378CFF517B0B146125BD19EB2D1CA70D88086E1

Function 00813820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,008B1444,?,007FFDF5,?,?,007EA976,00000010,008B1440,007E13FC,?,007E13C6,?,007E1129), ref: 00813852

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d1547a40acdd43e7f40f5e4c8753a5b1094f082f4e8926b9c03be5a8a96b50f6
Instruction ID: 0b5baedd07481e6df07b0bc23c26cf45baa4b78ad6ceca9ce131a8601a88c11e
Opcode Fuzzy Hash: d1547a40acdd43e7f40f5e4c8753a5b1094f082f4e8926b9c03be5a8a96b50f6
Instruction Fuzzy Hash: 23E0E53110022497E631276A9C04BDA374CFF427B0F054130BD19D69D1DB50DE8181E1

Function 007E4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,008B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007E4F6D

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: a6a70988c4803af7b783ee19a053a28a26f9da9fd43ebcf182effa625c29e585
Instruction ID: 07dc40df446358120e784e1df22ad3956b96a5dfe4a555885300d682a95dfad3
Opcode Fuzzy Hash: a6a70988c4803af7b783ee19a053a28a26f9da9fd43ebcf182effa625c29e585
Instruction Fuzzy Hash: 4DF03071106791CFDB349F66D494812B7E4FF18719318897EE1EA83511C7399C44DF50

Function 007E30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 007E314E

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 19537249316af98e68e69920b97c52be6876cc7889c062871d4b8847a5c11230
Instruction ID: c23ca2c7eb1ff46d0e52bc2edf05b95d85ae17aed4c63d5964bba1a366f61a18
Opcode Fuzzy Hash: 19537249316af98e68e69920b97c52be6876cc7889c062871d4b8847a5c11230
Instruction Fuzzy Hash: AAF0A7709043089FEB529B24DC4D7D57BFCB705708F0001E9A24897292E7745788CF41

Function 007E2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007E2DC4

Part of subcall function 007E6B57: _wcslen.LIBCMT ref: 007E6B6A

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: aed1dcad9d738354cd7b6226ee5d71ae3f1cfec4f67211c7109cdeb7d42b83f9
Instruction ID: 9b1339b55ab0d12b0929130e97bd6b26f2d31eff9265a05f2350550505370058
Opcode Fuzzy Hash: aed1dcad9d738354cd7b6226ee5d71ae3f1cfec4f67211c7109cdeb7d42b83f9
Instruction Fuzzy Hash: E4E0CD726001245BCB1092589C09FDA77DDEFC87D0F040075FD09D725CDA74EDC08551

Function 007E2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 007E3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 007E3908

Part of subcall function 007ED730: GetInputState.USER32 ref: 007ED807

SetCurrentDirectoryW.KERNEL32(?), ref: 007E2B6B

Part of subcall function 007E30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 007E314E

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: f42b0c1757c0510e892ddf008ccd9bb88199dc5200b344b9f7c9010fdc9211f9
Instruction ID: 01f3ae4134e145042feb6ce0ceed7803ca7ec53c5fb191fada3eb14c6ec58e09
Opcode Fuzzy Hash: f42b0c1757c0510e892ddf008ccd9bb88199dc5200b344b9f7c9010fdc9211f9
Instruction Fuzzy Hash: 6EE026223022C483CA04BB72A86E4ADB34AABD9311F80053EF14287263CE2D89894351

Function 0082039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00820704,?,?,00000000,?,00820704,00000000,0000000C), ref: 008203B7

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: facfe5b52aa9af365b373d7ce033994944bcbf3b276d71aa38f413de5ba20fe6
Instruction ID: 7055d264f4943dcea85f14f5a7c4407507182a4cda878a22c22820687d117437
Opcode Fuzzy Hash: facfe5b52aa9af365b373d7ce033994944bcbf3b276d71aa38f413de5ba20fe6
Instruction Fuzzy Hash: 9FD06C3204010DBBDF028F84DD06EDA3BAAFB48714F014050BE1856020C732E861AB90

Function 007E1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 007E1CBC

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 9c33efa6aee021c0790d9d2f14d5468f492f60cba7de359e5be2c83c79aa1ed7
Instruction ID: a98c48159406eb6bff9e328df3283d8d61da4f0bd6440c550e25c445db30174b
Opcode Fuzzy Hash: 9c33efa6aee021c0790d9d2f14d5468f492f60cba7de359e5be2c83c79aa1ed7
Instruction Fuzzy Hash: 86C09236280304AFF6248B80BC5EF1077A4B34CB00F488201F60DAA6E3D3A27860EB50

Non-executed Functions

Function 00879576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 007F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007F9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0087961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0087965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0087969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008796C9
SendMessageW.USER32 ref: 008796F2
GetKeyState.USER32(00000011), ref: 0087978B
GetKeyState.USER32(00000009), ref: 00879798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 008797AE
GetKeyState.USER32(00000010), ref: 008797B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008797E9
SendMessageW.USER32 ref: 00879810
SendMessageW.USER32(?,00001030,?,00877E95), ref: 00879918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0087992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00879941
SetCapture.USER32(?), ref: 0087994A
ClientToScreen.USER32(?,?), ref: 008799AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 008799BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008799D6
ReleaseCapture.USER32 ref: 008799E1
GetCursorPos.USER32(?), ref: 00879A19
ScreenToClient.USER32(?,?), ref: 00879A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00879A80
SendMessageW.USER32 ref: 00879AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00879AEB
SendMessageW.USER32 ref: 00879B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00879B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00879B4A
GetCursorPos.USER32(?), ref: 00879B68
ScreenToClient.USER32(?,?), ref: 00879B75
GetParent.USER32(?), ref: 00879B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00879BFA
SendMessageW.USER32 ref: 00879C2B
ClientToScreen.USER32(?,?), ref: 00879C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00879CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00879CDE
SendMessageW.USER32 ref: 00879D01
ClientToScreen.USER32(?,?), ref: 00879D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00879D82

Part of subcall function 007F9944: GetWindowLongW.USER32(?,000000EB), ref: 007F9952

GetWindowLongW.USER32(?,000000F0), ref: 00879E05

Strings

F, xrefs: 00879D07
@GUI_DRAGID, xrefs: 0087997D

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 626ce367de7374cff5bf9d273a668ad03f0cd4da9d74db15db4f7ae927869b7f
Instruction ID: 17d8c49fd58535784c4cb4af7d8c77f7e77ea34ba1e71e820d512b84970cb679
Opcode Fuzzy Hash: 626ce367de7374cff5bf9d273a668ad03f0cd4da9d74db15db4f7ae927869b7f
Instruction Fuzzy Hash: D042AB71204241AFDB24CF68CC88AAABBE5FF59314F14861DF69DC72A9E731E850CB51

Function 00874873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 008748F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00874908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00874927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0087494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0087495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0087497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 008749AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 008749D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00874A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00874A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00874A7E
IsMenu.USER32(?), ref: 00874A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00874AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00874B20
GetWindowLongW.USER32(?,000000F0), ref: 00874B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00874BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00874C82
wsprintfW.USER32 ref: 00874CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00874CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00874CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00874D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00874D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00874D5A

Strings

%d/%02d/%02d, xrefs: 00874CA8

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 13961ebb76606b9e8aceb7713f9b058834efec61561debc31a99dc086104bc44
Instruction ID: 2e93e39ad450717d0c3a9a4858ab67ea61e1bf8092267ae1e13c140a62ea5376
Opcode Fuzzy Hash: 13961ebb76606b9e8aceb7713f9b058834efec61561debc31a99dc086104bc44
Instruction Fuzzy Hash: 0312DE71600218ABEB258F28CC49FAE7BA8FF45714F14912DF51AEB2E9DB74D940CB50

Function 007FF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 007FF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0083F474
IsIconic.USER32(00000000), ref: 0083F47D
ShowWindow.USER32(00000000,00000009), ref: 0083F48A
SetForegroundWindow.USER32(00000000), ref: 0083F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0083F4AA
GetCurrentThreadId.KERNEL32 ref: 0083F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0083F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0083F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0083F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0083F4DE
SetForegroundWindow.USER32(00000000), ref: 0083F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0083F4F6
keybd_event.USER32(00000012,00000000), ref: 0083F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0083F50B
keybd_event.USER32(00000012,00000000), ref: 0083F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0083F519
keybd_event.USER32(00000012,00000000), ref: 0083F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0083F528
keybd_event.USER32(00000012,00000000), ref: 0083F52D
SetForegroundWindow.USER32(00000000), ref: 0083F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0083F557

Strings

Shell_TrayWnd, xrefs: 0083F46F

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 984549b74b25289a7f8c93719d1c6d67371365dffbec5c6c304bf00244610bde
Instruction ID: 61d269ad259b24e3552a45905239a95b50c06b32bfc23322bb84f02aee551666
Opcode Fuzzy Hash: 984549b74b25289a7f8c93719d1c6d67371365dffbec5c6c304bf00244610bde
Instruction Fuzzy Hash: 3F312371E40218BBEB216BB55C4AFBF7E6CFB84B50F140069F705EB1D1D6B19D40AAA0

Function 00841201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 008416C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0084170D
Part of subcall function 008416C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0084173A
Part of subcall function 008416C3: GetLastError.KERNEL32 ref: 0084174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00841286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 008412A8
CloseHandle.KERNEL32(?), ref: 008412B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008412D1
GetProcessWindowStation.USER32 ref: 008412EA
SetProcessWindowStation.USER32(00000000), ref: 008412F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00841310

Part of subcall function 008410BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008411FC), ref: 008410D4
Part of subcall function 008410BF: CloseHandle.KERNEL32(?,?,008411FC), ref: 008410E9

Strings

default, xrefs: 0084130B
, xrefs: 0084125A
winsta0, xrefs: 008412CC

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 99a58069374dda1b5b49a05053ce8e0af32ae2a78b4bf019b957eb8a13faeb21
Instruction ID: 75dc57bb95c441c0babb58e7eb55f21dd793d165814fb949ec84dc86123c3404
Opcode Fuzzy Hash: 99a58069374dda1b5b49a05053ce8e0af32ae2a78b4bf019b957eb8a13faeb21
Instruction Fuzzy Hash: 51817A7190020DABDF219FA8DC8DBEE7BBAFF04704F144129FA14E62A0D7749984CB65

Function 00840B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008410F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00841114
Part of subcall function 008410F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00840B9B,?,?,?), ref: 00841120
Part of subcall function 008410F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00840B9B,?,?,?), ref: 0084112F
Part of subcall function 008410F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00840B9B,?,?,?), ref: 00841136
Part of subcall function 008410F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0084114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00840BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00840C00
GetLengthSid.ADVAPI32(?), ref: 00840C17
GetAce.ADVAPI32(?,00000000,?), ref: 00840C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00840C6D
GetLengthSid.ADVAPI32(?), ref: 00840C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00840C8C
HeapAlloc.KERNEL32(00000000), ref: 00840C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00840CB4
CopySid.ADVAPI32(00000000), ref: 00840CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00840CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00840D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00840D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00840D45
HeapFree.KERNEL32(00000000), ref: 00840D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00840D55
HeapFree.KERNEL32(00000000), ref: 00840D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00840D65
HeapFree.KERNEL32(00000000), ref: 00840D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00840D78
HeapFree.KERNEL32(00000000), ref: 00840D7F

Part of subcall function 00841193: GetProcessHeap.KERNEL32(00000008,00840BB1,?,00000000,?,00840BB1,?), ref: 008411A1
Part of subcall function 00841193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00840BB1,?), ref: 008411A8
Part of subcall function 00841193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00840BB1,?), ref: 008411B7

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 4ec09b96a37e0ac444d0a7edb0827d97844c7b2fde1bb93c7a04f27c591ef1e5
Instruction ID: c162e846ad4e868e9d7b2ee621b344ca79af4030767892b8dcd8e11d121e4275
Opcode Fuzzy Hash: 4ec09b96a37e0ac444d0a7edb0827d97844c7b2fde1bb93c7a04f27c591ef1e5
Instruction Fuzzy Hash: C8712A7290020AABDF109FA4DC48BAFBBB8FF44310F144629EA19E7191D775E945CFA0

Function 0085EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0087CC08), ref: 0085EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0085EB37
GetClipboardData.USER32(0000000D), ref: 0085EB43
CloseClipboard.USER32 ref: 0085EB4F
GlobalLock.KERNEL32(00000000), ref: 0085EB87
CloseClipboard.USER32 ref: 0085EB91
GlobalUnlock.KERNEL32(00000000), ref: 0085EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0085EBC9
GetClipboardData.USER32(00000001), ref: 0085EBD1
GlobalLock.KERNEL32(00000000), ref: 0085EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0085EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0085EC38
GetClipboardData.USER32(0000000F), ref: 0085EC44
GlobalLock.KERNEL32(00000000), ref: 0085EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0085EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0085EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0085ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0085ECF3
CountClipboardFormats.USER32 ref: 0085ED14
CloseClipboard.USER32 ref: 0085ED59

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 81c56480f42bd87d9b3c46c80a06f92d0237a5a58ae9f9b491423cb8eeb302da
Instruction ID: 464086f9759e87eb900c9b79ef56ebbd23fde302c9072a1c1eb9c206203b255b
Opcode Fuzzy Hash: 81c56480f42bd87d9b3c46c80a06f92d0237a5a58ae9f9b491423cb8eeb302da
Instruction Fuzzy Hash: D661AC352082059FD314EF24CC89F2AB7A4FF88715F14455DF85AD72A2CB31DA49CB62

Function 0085698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008569BE
FindClose.KERNEL32(00000000), ref: 00856A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00856A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00856A75

Part of subcall function 007E9CB3: _wcslen.LIBCMT ref: 007E9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00856AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00856ADF

Strings

%4d, xrefs: 00856BB1
%02d, xrefs: 00856C00, 00856C0A, 00856C5A, 00856CAA, 00856CFA, 00856D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00856B32
%03d, xrefs: 00856DA2
%4d%02d%02d%02d%02d%02d, xrefs: 00856B6A

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 6e5a4b95ae6f890a87bda06f7c5a2e811720ffc8fe759dd004e416f77e762e0c
Instruction ID: 4ca981e3c88b29339211b18ac8e6640620e2ea0f3b68f66a2eaaf53a5ab1ff85
Opcode Fuzzy Hash: 6e5a4b95ae6f890a87bda06f7c5a2e811720ffc8fe759dd004e416f77e762e0c
Instruction Fuzzy Hash: F0D16172509340AEC714EBA1C885EABB7ECFF98704F44491DF985D7191EB38DA48C762

Function 00859642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00859663
GetFileAttributesW.KERNEL32(?), ref: 008596A1
SetFileAttributesW.KERNEL32(?,?), ref: 008596BB
FindNextFileW.KERNEL32(00000000,?), ref: 008596D3
FindClose.KERNEL32(00000000), ref: 008596DE
FindFirstFileW.KERNEL32(*.*,?), ref: 008596FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0085974A
SetCurrentDirectoryW.KERNEL32(008A6B7C), ref: 00859768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00859772
FindClose.KERNEL32(00000000), ref: 0085977F
FindClose.KERNEL32(00000000), ref: 0085978F

Strings

*.*, xrefs: 008596F5

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: e68efb3e91abda4cf15701f9aabd70b2400c0233674c822005cf7c47c4629e07
Instruction ID: 30b936de6a094e46828a0f4f100a29c57876318577948d6cad1360957c533bb8
Opcode Fuzzy Hash: e68efb3e91abda4cf15701f9aabd70b2400c0233674c822005cf7c47c4629e07
Instruction Fuzzy Hash: B931D532501619AEDB14AFB4DC49ADE77ACFF49321F14415AF859E3190EB34DE888E20

Function 0085979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 008597BE
FindNextFileW.KERNEL32(00000000,?), ref: 00859819
FindClose.KERNEL32(00000000), ref: 00859824
FindFirstFileW.KERNEL32(*.*,?), ref: 00859840
SetCurrentDirectoryW.KERNEL32(?), ref: 00859890
SetCurrentDirectoryW.KERNEL32(008A6B7C), ref: 008598AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 008598B8
FindClose.KERNEL32(00000000), ref: 008598C5
FindClose.KERNEL32(00000000), ref: 008598D5

Part of subcall function 0084DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0084DB00

Strings

*.*, xrefs: 0085983B

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 7bb1c64409bee816630abf562e60a36d7e935a3dc592c4ee191fc6b673ae6c79
Instruction ID: f8b328eed1e0022ecb782948b88670bf927e8b035ea6cc398ccd2c6550fe7719
Opcode Fuzzy Hash: 7bb1c64409bee816630abf562e60a36d7e935a3dc592c4ee191fc6b673ae6c79
Instruction Fuzzy Hash: D131C331501219AAEF10EFB4DC49ADE77ACFF06321F144169E894E31D5EB35DA898B20

Function 0086BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0086C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0086B6AE,?,?), ref: 0086C9B5
Part of subcall function 0086C998: _wcslen.LIBCMT ref: 0086C9F1
Part of subcall function 0086C998: _wcslen.LIBCMT ref: 0086CA68
Part of subcall function 0086C998: _wcslen.LIBCMT ref: 0086CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0086BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0086BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0086BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0086C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0086C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0086C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0086C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0086C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0086C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0086C382
RegCloseKey.ADVAPI32(00000000), ref: 0086C38F

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: a56357ca0bb39c31a88a0b55e9f04e2f2ae15b247ea58fa70bf716e8d38054f0
Instruction ID: 51b195aeeb0a5a77ae09cd0a23428d022dfaa330b88000081c4a8ac4a1ec85d2
Opcode Fuzzy Hash: a56357ca0bb39c31a88a0b55e9f04e2f2ae15b247ea58fa70bf716e8d38054f0
Instruction Fuzzy Hash: 9E022A716042409FD714DF28C895E2ABBE5FF89318F19849DE88ACB3A2DB31ED45CB51

Function 00858195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00858257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00858267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00858273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00858310
SetCurrentDirectoryW.KERNEL32(?), ref: 00858324
SetCurrentDirectoryW.KERNEL32(?), ref: 00858356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0085838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00858395

Strings

*.*, xrefs: 0085839B

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 5de97e73282dfdadda1147c284edd9a339250a760d40e2127450b9c0e5a3bc38
Instruction ID: 0414f12fd1256f552e22caa9932924045b1194b9fc8c8a15e2b8b82a4f521c19
Opcode Fuzzy Hash: 5de97e73282dfdadda1147c284edd9a339250a760d40e2127450b9c0e5a3bc38
Instruction Fuzzy Hash: 9F6185B21043459FCB10EF24C8449AEB3E8FF88315F04882EF999D7251EB35E949CB92

Function 0084D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 007E3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007E3A97,?,?,007E2E7F,?,?,?,00000000), ref: 007E3AC2

Part of subcall function 0084E199: GetFileAttributesW.KERNEL32(?,0084CF95), ref: 0084E19A

FindFirstFileW.KERNEL32(?,?), ref: 0084D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0084D1DD
MoveFileW.KERNEL32(?,?), ref: 0084D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0084D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0084D237

Part of subcall function 0084D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0084D21C,?,?), ref: 0084D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0084D253
FindClose.KERNEL32(00000000), ref: 0084D264

Strings

\*.*, xrefs: 0084D0CD, 0084D0D6, 0084D0EB

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 145b0688be0d3c47a9c47d14ea64438a04953f18b731490f619eb0a31d32cde1
Instruction ID: 90b901fbcc68e7fda0343b53454aac36161d0962d4b43da6b45c5e38381f2b2e
Opcode Fuzzy Hash: 145b0688be0d3c47a9c47d14ea64438a04953f18b731490f619eb0a31d32cde1
Instruction Fuzzy Hash: 48617C3180225DEACF15EBE1C9969EDB7B5FF59300F204069E405B71A2EB34AF49CB61

Function 0085ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0085ED91
EmptyClipboard.USER32 ref: 0085ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0085EDAC
CloseClipboard.USER32 ref: 0085EEA3

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 1bc53411e8c3ca67738050f78596ab30455fb320ed9d08d88bd08c173659e709
Instruction ID: 58fe384a1104195ca41373eba100dc8d6245d9aad2be4fd104ee5fdfe837ff91
Opcode Fuzzy Hash: 1bc53411e8c3ca67738050f78596ab30455fb320ed9d08d88bd08c173659e709
Instruction Fuzzy Hash: 73417B35208611AFE724DF19D88DB19BBE5FF44319F14809DE829CB6A2C735ED86CB90

Function 0084E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 008416C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0084170D
Part of subcall function 008416C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0084173A
Part of subcall function 008416C3: GetLastError.KERNEL32 ref: 0084174A

ExitWindowsEx.USER32(?,00000000), ref: 0084E932

Strings

, xrefs: 0084E920
@, xrefs: 0084E925
, xrefs: 0084E95C
SeShutdownPrivilege, xrefs: 0084E902

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 142ffc1ddb8c029a466c549637a3c71529a0e1d4ff9f39187a24f8a8999ce8f6
Instruction ID: 1ded507ee2f7e5dc2c8b0467359786ed31957a342bf7ead6e88403488a3277e8
Opcode Fuzzy Hash: 142ffc1ddb8c029a466c549637a3c71529a0e1d4ff9f39187a24f8a8999ce8f6
Instruction Fuzzy Hash: 5701FE7371021DABEB5426B89C89FBF7E9CF714754F150425FC13E31D1D6619C808290

Function 00861204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00861276
WSAGetLastError.WSOCK32 ref: 00861283
bind.WSOCK32(00000000,?,00000010), ref: 008612BA
WSAGetLastError.WSOCK32 ref: 008612C5
closesocket.WSOCK32(00000000), ref: 008612F4
listen.WSOCK32(00000000,00000005), ref: 00861303
WSAGetLastError.WSOCK32 ref: 0086130D
closesocket.WSOCK32(00000000), ref: 0086133C

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 802ff29d6f8da0c2371a997adcda9c207ab3690552f2c3fad393ef8ff9d88a99
Instruction ID: 8d14a953bfe6984189ca0d2d695a3e74a285e138a20825e28f9936d0a0647784
Opcode Fuzzy Hash: 802ff29d6f8da0c2371a997adcda9c207ab3690552f2c3fad393ef8ff9d88a99
Instruction Fuzzy Hash: 8E415C316001409FDB10DF24C499A2ABBE5FF46318F19819CD8568B397C775EC81CBA1

Function 0084D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 007E3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007E3A97,?,?,007E2E7F,?,?,?,00000000), ref: 007E3AC2

Part of subcall function 0084E199: GetFileAttributesW.KERNEL32(?,0084CF95), ref: 0084E19A

FindFirstFileW.KERNEL32(?,?), ref: 0084D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0084D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0084D481
FindClose.KERNEL32(00000000), ref: 0084D498
FindClose.KERNEL32(00000000), ref: 0084D4A1

Strings

\*.*, xrefs: 0084D3F2

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: d9dc51066a87a0c740696a481f49d4ab27deb3fcbd4826e371c3fdaab7a46bb8
Instruction ID: 755c45ac132dc3bf5a6ab61b09121e58fc6d26316bb0997caf757da8b00e8772
Opcode Fuzzy Hash: d9dc51066a87a0c740696a481f49d4ab27deb3fcbd4826e371c3fdaab7a46bb8
Instruction Fuzzy Hash: 83318071009385ABC301EF65C8998AFB7A8FE95304F444A1DF4D593192EB34EA49C767

Function 0081E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0081E645

Strings

1#SNAN, xrefs: 0081F844
1#INF, xrefs: 0081F852
1#IND, xrefs: 0081F83D
1#QNAN, xrefs: 0081F84B

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: b18ebd1570e59f85a37044ef991678694ce0d2cf657453da50db1fa9bb1938c4
Instruction ID: a5df80bd80490f150277707903dc265c3bb86a525d5af300a70fb09d3b297f37
Opcode Fuzzy Hash: b18ebd1570e59f85a37044ef991678694ce0d2cf657453da50db1fa9bb1938c4
Instruction Fuzzy Hash: ABC22971E086298BDB65CE289D447EAB7B9FF48304F1441EAD94DE7281E774AEC18F40

Function 0085648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008564DC
CoInitialize.OLE32(00000000), ref: 00856639
CoCreateInstance.OLE32(0087FCF8,00000000,00000001,0087FB68,?), ref: 00856650
CoUninitialize.OLE32 ref: 008568D4

Strings

.lnk, xrefs: 008564BA, 00856524, 008565E0

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 906557885aabf9b74a090bccec311fadd030d87aec1265b298e3f9554c12e3e1
Instruction ID: 5b30d5eb31f84a332b48b6b021f472b16386baddfb39f67b30d155eceade28fc
Opcode Fuzzy Hash: 906557885aabf9b74a090bccec311fadd030d87aec1265b298e3f9554c12e3e1
Instruction Fuzzy Hash: DBD159715082419FC314EF25C885A6BB7E8FF98704F54496DF595CB2A1EB30EE09CBA2

Function 008622DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 008622E8

Part of subcall function 0085E4EC: GetWindowRect.USER32(?,?), ref: 0085E504

GetDesktopWindow.USER32 ref: 00862312
GetWindowRect.USER32(00000000), ref: 00862319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00862355
GetCursorPos.USER32(?), ref: 00862381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 008623DF

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 9f7360a4472622b9a04a593503ed2b5cb9d726dfe11529c824983dd3e7558ff0
Instruction ID: dbb864c62591725efa6826a3f6d8dfe8747d8550a84a7c5d7811fd9728fd9a6b
Opcode Fuzzy Hash: 9f7360a4472622b9a04a593503ed2b5cb9d726dfe11529c824983dd3e7558ff0
Instruction Fuzzy Hash: 0B31CD72505715ABC720DF58C849A5BBBA9FF84314F00091DF989D7291DB34EA48CB92

Function 00859B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 007E9CB3: _wcslen.LIBCMT ref: 007E9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00859B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00859C8B

Part of subcall function 00853874: GetInputState.USER32 ref: 008538CB
Part of subcall function 00853874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00853966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00859BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00859C75

Strings

*.*, xrefs: 00859B5D

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: d93ccbf3d0f27c7bbd3f6dcad382e6815a4d986103f8f1ad1922898a069faf3a
Instruction ID: 1127300c0987def0af8b713c619168397e390c917657ef8696b17e05996be8c2
Opcode Fuzzy Hash: d93ccbf3d0f27c7bbd3f6dcad382e6815a4d986103f8f1ad1922898a069faf3a
Instruction Fuzzy Hash: 0D415E7190120ADBDF14DF64C849AEEBBB8FF09311F644059E859E3291EB349E88CF61

Function 007F997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 007F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007F9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 007F9A4E
GetSysColor.USER32(0000000F), ref: 007F9B23
SetBkColor.GDI32(?,00000000), ref: 007F9B36

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 3d9764873cb280fa24029131fb4726f8b01028be6fa50b149b362569c2444044
Instruction ID: 46572ad162eaca3397a2c01d030a4868fcf2e2b49facff7c2ffbf4a730572e6a
Opcode Fuzzy Hash: 3d9764873cb280fa24029131fb4726f8b01028be6fa50b149b362569c2444044
Instruction Fuzzy Hash: B1A10BB010844CBEE739AA2C8C5DF7B2A9DFBC2340F158219F712D6795DA29DD05D2B2

Function 00861806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0086304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0086307A
Part of subcall function 0086304E: _wcslen.LIBCMT ref: 0086309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0086185D
WSAGetLastError.WSOCK32 ref: 00861884
bind.WSOCK32(00000000,?,00000010), ref: 008618DB
WSAGetLastError.WSOCK32 ref: 008618E6
closesocket.WSOCK32(00000000), ref: 00861915

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: e7fe843c678026280861f615285d40cced43d58d5998b6434743e22b80336ee3
Instruction ID: 7cf960425596f5b9f9a80cc77e2941a5d3be090040dd0f7329659c2a1f38e66a
Opcode Fuzzy Hash: e7fe843c678026280861f615285d40cced43d58d5998b6434743e22b80336ee3
Instruction Fuzzy Hash: 16519175A00240AFDB10AF24C88AF3A77E5EB49718F08845CF91A9F393C775AD41CBA1

Function 00871C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00871CC0
IsWindowEnabled.USER32 ref: 00871CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00871CDB
IsIconic.USER32 ref: 00871CE9
IsZoomed.USER32 ref: 00871CF7

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 119563b96fb80a61aba6767f3b615785e0321465538faa2873b7915422ad0940
Instruction ID: 0ae887e2954d36058c97290347bfb8a9b640e71ceabee984fa936aa7b479625b
Opcode Fuzzy Hash: 119563b96fb80a61aba6767f3b615785e0321465538faa2873b7915422ad0940
Instruction Fuzzy Hash: 54219E317402109FDB218F5EC888B2A7BA5FF95314B19C05CE84ECB659CB71D842CB90

Function 007E8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00825DF0
VUUU, xrefs: 007E843C
ERCP, xrefs: 007E813C
VUUU, xrefs: 007E83E8
VUUU, xrefs: 007E83FA

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 49b097ad854c968b6fc01f6d589a352b4c828d134946fea4590d954d0a5abff3
Instruction ID: f7a9fcdb4e265865ed2e87cf21368bc3dddcefe902a67eb9b5e661aa5ff0970b
Opcode Fuzzy Hash: 49b097ad854c968b6fc01f6d589a352b4c828d134946fea4590d954d0a5abff3
Instruction Fuzzy Hash: DDA2AE70A0126ACBDF64CF59D8407ADB7B2FF58310F2481AAD819E7285EB349DD1CB91

Function 0084AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0084AAAC
SetKeyboardState.USER32(00000080), ref: 0084AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0084AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0084AB88

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 485150d01e3c88fdfe22ae8e4a34dbb35f28a1254a72ce0f5f3690a78f14417c
Instruction ID: 10338f41841a3775a891a8b0a8a30456fc122d25cf3015a6db7a29124661459c
Opcode Fuzzy Hash: 485150d01e3c88fdfe22ae8e4a34dbb35f28a1254a72ce0f5f3690a78f14417c
Instruction Fuzzy Hash: A131E570AC025CAEFB39CA688C49BFA7BA6FB54320F04421AF595DA1D1D375C981C763

Function 0081BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0081BB7F

Part of subcall function 008129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0081D7D1,00000000,00000000,00000000,00000000,?,0081D7F8,00000000,00000007,00000000,?,0081DBF5,00000000), ref: 008129DE
Part of subcall function 008129C8: GetLastError.KERNEL32(00000000,?,0081D7D1,00000000,00000000,00000000,00000000,?,0081D7F8,00000000,00000007,00000000,?,0081DBF5,00000000,00000000), ref: 008129F0

GetTimeZoneInformation.KERNEL32 ref: 0081BB91
WideCharToMultiByte.KERNEL32(00000000,?,008B121C,000000FF,?,0000003F,?,?), ref: 0081BC09
WideCharToMultiByte.KERNEL32(00000000,?,008B1270,000000FF,?,0000003F,?,?,?,008B121C,000000FF,?,0000003F,?,?), ref: 0081BC36

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 943c9776f6a023ad0d7379511bc4ffd76975adb0ee2425cac4549dc5dc10ba59
Instruction ID: a13d547c9868040df7bba88cb815cefb765cd3ef0072a4279215e1df5c143b0b
Opcode Fuzzy Hash: 943c9776f6a023ad0d7379511bc4ffd76975adb0ee2425cac4549dc5dc10ba59
Instruction Fuzzy Hash: 5431DE70908205DFCB10DF69CC949AEBBBCFF55720B5442AAE065DB3A1D7309E90CB90

Function 0085CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0085CE89
GetLastError.KERNEL32(?,00000000), ref: 0085CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0085CEFE

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 122407b261aee71d6360d1ac5f2e0f53549770c4402583ace5f705feaa708f25
Instruction ID: 144d1bc7029fe37b6602b3f56d740c19086657784f269aaba029b560861bccb1
Opcode Fuzzy Hash: 122407b261aee71d6360d1ac5f2e0f53549770c4402583ace5f705feaa708f25
Instruction Fuzzy Hash: 5D218CB15007059FE7209FA5C94ABA77BF8FB50359F10481EE946E2151EBB4EE488F60

Function 00848298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 008482AA

Strings

|, xrefs: 008482DA
(, xrefs: 008482F0

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 0bf902ba7ebc9e5318d6ac4144bd6e85140e3e48f556ca4537b96dd28d110aa7
Instruction ID: 0a3c4c19ae227dbc52bad57773323a0238fdd29a06dadf173332894daa0e8f20
Opcode Fuzzy Hash: 0bf902ba7ebc9e5318d6ac4144bd6e85140e3e48f556ca4537b96dd28d110aa7
Instruction Fuzzy Hash: 88323475A00609DFCB28CF59C481A6AB7F0FF48710B15C56EE59ADB3A1EB70E981CB44

Function 00855C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00855CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00855D17
FindClose.KERNEL32(?), ref: 00855D5F

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 3525d1b1c40c9ce1e5603c110147794daaab1462aa514342cd5b1f056f5e8db3
Instruction ID: 383a1e909e442131ef7800e7ae608a0e43b790fe7b36ee401419bb90101d6592
Opcode Fuzzy Hash: 3525d1b1c40c9ce1e5603c110147794daaab1462aa514342cd5b1f056f5e8db3
Instruction Fuzzy Hash: 0C5169756046019FC714CF28C4A8A9AB7F4FF49314F14856DE96ACB3A2DB30ED49CB91

Function 00812622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0081271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00812724
UnhandledExceptionFilter.KERNEL32(?), ref: 00812731

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 8a422175310799e9db7462365f67ee0cf283dc4c2a66114c8d18a4611685b8bf
Instruction ID: ad5a80862a79cddb78a5cde9b3b583407f2b2e4939107967365c1919b0da0e89
Opcode Fuzzy Hash: 8a422175310799e9db7462365f67ee0cf283dc4c2a66114c8d18a4611685b8bf
Instruction Fuzzy Hash: D431C4759112289BCB61DF68DC887D9B7B8FF08310F5045EAE40CA72A1E7709F818F45

Function 008551CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008551DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00855238
SetErrorMode.KERNEL32(00000000), ref: 008552A1

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 20e800b2178aa173a456de3b5ecc6ae059705496e4125ed869592ab38853df03
Instruction ID: 6efe840885d1cb0892e9b4644a51bf0dd5425ec42a4bf819e558b6822e160f84
Opcode Fuzzy Hash: 20e800b2178aa173a456de3b5ecc6ae059705496e4125ed869592ab38853df03
Instruction Fuzzy Hash: 4F318135A00508DFDB00DF54D888EADBBB5FF08318F088099E8099B362DB35EC5ACB60

Function 008416C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 007FFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00800668
Part of subcall function 007FFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00800685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0084170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0084173A
GetLastError.KERNEL32 ref: 0084174A

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: c8907e307bf5fc3928f18da8d261647524bc609ae1f51bd4a881b3a73cb34ee7
Instruction ID: fe989f0c2a72e6dd002f1624a80e06fce5e25e503ff595e2927111f7ba794d3c
Opcode Fuzzy Hash: c8907e307bf5fc3928f18da8d261647524bc609ae1f51bd4a881b3a73cb34ee7
Instruction Fuzzy Hash: 1F1191B2514308AFD7189F54DC8AD6AB7F9FF44714B20852EE05A97255EB70FC818A60

Function 0084D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0084D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0084D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0084D650

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 798d909805eaabc18f7bb980361b2613eda3b6debadb72845539dfb0ae2749f2
Instruction ID: 30e35524f9f492bbb38e2bec34441e0f4a3b2b6370165c8dc826a16f9afdbf18
Opcode Fuzzy Hash: 798d909805eaabc18f7bb980361b2613eda3b6debadb72845539dfb0ae2749f2
Instruction Fuzzy Hash: 17113C75E05228BBDB108F999C49FAFBBBCFB45B50F108165F908E7294D6704A058BA1

Function 00841663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0084168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 008416A1
FreeSid.ADVAPI32(?), ref: 008416B1

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 8ecd86a5432a02c3295e92c652c8d2c844aba5334b5d177b30bbaf39cada1dbb
Instruction ID: ea7b432809dd4c763b6f13f9e2284bc5cf974ebfea8693327b07005009bf831c
Opcode Fuzzy Hash: 8ecd86a5432a02c3295e92c652c8d2c844aba5334b5d177b30bbaf39cada1dbb
Instruction Fuzzy Hash: FBF0F47195030DFBDF00DFE49C89EAEBBBCFB08604F504565E501E2181E774EA848BA0

Function 0083D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0083D28C

Strings

X64, xrefs: 0083D2A8

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 7175645fb2f355e0269aca7315639c7dc72608761dc92d3534817552e6321a6b
Instruction ID: bbc92bd3153f5cb0fc3aac5d6a321fa9b605d7292918ab786e7de768dfa78316
Opcode Fuzzy Hash: 7175645fb2f355e0269aca7315639c7dc72608761dc92d3534817552e6321a6b
Instruction Fuzzy Hash: F5D0C9B480111DEACF90CB90EC88DDAB37CBB14305F100155F506E2100DB7495489F50

Function 0080CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 077a239a27aa962e5209a539ce3bf758a933cc806e2f31b0267ecfbc7e00e1a2
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 62021D71E002199FDF54CFA9D8806ADFBF1FF48314F25826AE819E7384D731AA418B94

Function 008568EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00856918
FindClose.KERNEL32(00000000), ref: 00856961

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 86dc60d9b5b12071c7518c2da2541a439fe1d7f6095aa681fefb8299f957b11d
Instruction ID: 40c820d1c2ae7e12eaee8a7270cd692f15277472a2f1eb7e5e0da2159a4e7b01
Opcode Fuzzy Hash: 86dc60d9b5b12071c7518c2da2541a439fe1d7f6095aa681fefb8299f957b11d
Instruction Fuzzy Hash: 8611D0356142009FC710CF2AD488A16BBE0FF88329F44C69DE8698F2A2DB34EC45CB91

Function 008537B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00864891,?,?,00000035,?), ref: 008537E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00864891,?,?,00000035,?), ref: 008537F4

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 36b9f5cdc5024152588110460a029efe519055c073100c97c231ee5d8933a7a6
Instruction ID: 7cf843e7c4c665b1ef276d9c155e9501f86e17ad331a45dd77959a7767f8f424
Opcode Fuzzy Hash: 36b9f5cdc5024152588110460a029efe519055c073100c97c231ee5d8933a7a6
Instruction Fuzzy Hash: DDF0EC716052286AE71017765C4DFDB369DFFC8761F000175F509D3295D9609944C7B0

Function 0084B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0084B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0084B270

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 04a46aea55bb48c28077f3d9d5358c703544957f3c9dc31bd3eb8e08ae3ab350
Instruction ID: b4f19aa099e8ddb42a62c020facabc272144224eadd64857d404f9f63cc2d28f
Opcode Fuzzy Hash: 04a46aea55bb48c28077f3d9d5358c703544957f3c9dc31bd3eb8e08ae3ab350
Instruction Fuzzy Hash: 1CF01D7180424EABDB059FA4C805BAE7BB4FF04309F008009F955A6191D779C6519F94

Function 008410BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008411FC), ref: 008410D4
CloseHandle.KERNEL32(?,?,008411FC), ref: 008410E9

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: c2c8f4c82210ac5473a844b6478cc4757e8d5e02d08f72be5d050e4472673e39
Instruction ID: 8a7d62d83ac26e74cb32a7a1d4c88eaed18ee345705cc9a66158037469b92281
Opcode Fuzzy Hash: c2c8f4c82210ac5473a844b6478cc4757e8d5e02d08f72be5d050e4472673e39
Instruction Fuzzy Hash: 67E04F32004A00EEF7252B11FC0DE7377A9FF04320B10882DF5A9815B5DB62ACD0DB50

Function 007ECAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00830C40

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 23c3006d0fce190a24cad745b7ff1161c23377d6e136793316daf2b3cbd55e7f
Instruction ID: b6e42193384b3dedefc2ccbbac90b419cd7d45887deadea8fb9ea14142f84221
Opcode Fuzzy Hash: 23c3006d0fce190a24cad745b7ff1161c23377d6e136793316daf2b3cbd55e7f
Instruction Fuzzy Hash: D232DF78A01258DFCF15DF95C895BEDB7B5FF48304F244059E806AB292C739AE46CBA0

Function 0081676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00816766,?,?,00000008,?,?,0081FEFE,00000000), ref: 00816998

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: fe068044b41415b7b8a2ebb119997012df1cea8e0deedd71521e6b61feb0f722
Instruction ID: 8a9afc1d323184f1f848444284e89d668533c93d42226338aeb3380b03bdf3bd
Opcode Fuzzy Hash: fe068044b41415b7b8a2ebb119997012df1cea8e0deedd71521e6b61feb0f722
Instruction Fuzzy Hash: AEB14C31610609DFD715CF28C48ABA57BE4FF45368F298658E8D9CF2A2D335E9A1CB40

Function 007FB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0083851F

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: abed6d7762589a6e70ccba8731ee62e5556cb9389c9ec99ad0d2e33c28c3fb30
Instruction ID: d6f0efe4600d3f19cb5a2b72ca39dafb75a21b2544772b9a574de0b3d24b25fc
Opcode Fuzzy Hash: abed6d7762589a6e70ccba8731ee62e5556cb9389c9ec99ad0d2e33c28c3fb30
Instruction Fuzzy Hash: E5124D71A00229DFCB14DF58C980ABEB7B5FF48710F14819AE949EB355EB349A81CF90

Function 0085EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0085EABD

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: a3d067be208f5edc9e03b9d5aa31ac7cc46c2bf949e2c3e4c0ca4e16c0de058e
Instruction ID: 7e3f6a5dfe5c6edc58790e53eb902a3498678d84f3ba1d90e5878513541d2f0d
Opcode Fuzzy Hash: a3d067be208f5edc9e03b9d5aa31ac7cc46c2bf949e2c3e4c0ca4e16c0de058e
Instruction Fuzzy Hash: C4E012352002149FC710DF6AD848D5AB7DDFF68760F00841AFD49C7251D674E9458B90

Function 008009D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,008003EE), ref: 008009DA

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 1dd8d928e2385aa07a170b77be7b8067b5c5db13c29e4f20a7ec184f4e48bb1d
Instruction ID: ad557c10b0d22d89e7664099dfaf15f5735a327b9e532266a9a244bbf693dc6a
Opcode Fuzzy Hash: 1dd8d928e2385aa07a170b77be7b8067b5c5db13c29e4f20a7ec184f4e48bb1d
Instruction Fuzzy Hash:

Function 0080781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0080798B

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: e12d4a1f2c4efeb71ee1e80b3dbe49af3918bf2e340f92685bb9866892de6424
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 47516861F0C6499BDBF8852C8C5D7BE2B85FB52304F188539D882C72D2CA19FE41D36A

Function 00816DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2117dee7d94df1f0ce5fe3752f34bac5c90ab932553b8524c4f6bd28a1c92d50
Instruction ID: 7199afbfc3963731c37f9d75f186c157c2ff0bca2ca6b15ae371a2ce9c18eeaa
Opcode Fuzzy Hash: 2117dee7d94df1f0ce5fe3752f34bac5c90ab932553b8524c4f6bd28a1c92d50
Instruction Fuzzy Hash: 4C32E131D29F014DD7239638D822365A69DBFB73C5F15D73BE81AB59A6EB29C4C34200

Function 007FCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27c2969b92cb426e591de7db69d5a65f0c77f97a6afbf492e540e78e63adbc9d
Instruction ID: 55ff59a4e6aceed4afdf76b0416b250f4065381f232a200d09b0053c9c8a92d2
Opcode Fuzzy Hash: 27c2969b92cb426e591de7db69d5a65f0c77f97a6afbf492e540e78e63adbc9d
Instruction Fuzzy Hash: 22324732A0015D8BDF29CF29C59067DBBA1FBC5314F28812AD94AEB391E334DD81DB90

Function 007E7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 021d63495a4826410740f7cfdcf59b02a624a0a3a3a98c23ddd2ea0deae24601
Instruction ID: 6661ba2833a28949274c4e3d0d0126887fc3438e66b692055e41a3f48bd6eedb
Opcode Fuzzy Hash: 021d63495a4826410740f7cfdcf59b02a624a0a3a3a98c23ddd2ea0deae24601
Instruction Fuzzy Hash: 5622B3B0A04659DFDF18CF69D985AAEB3F5FF48300F104529E816EB291EB39AD50CB50

Function 007E91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9857574e1d6dd6e4ebf829f67a82bd1bd69ebd3933ef17d0b2d54d0db338ad
Instruction ID: 157916b012ac2538c4a5c32a1481b27dbf4ed34894825aa9a30887b56a120bc0
Opcode Fuzzy Hash: 6e9857574e1d6dd6e4ebf829f67a82bd1bd69ebd3933ef17d0b2d54d0db338ad
Instruction Fuzzy Hash: A802D6B1E00219EBDF04DF55E885AAEB7B5FF54300F108169E906DB391EB35AE50CB85

Function 00819EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6db48e34b8015a9a356737feec80cb9ce94780ac12ae5716c5351749696b05d0
Instruction ID: aef65c18f0358bc6cbb754b25e1a9c0e04ea43e90eea24b891005d5940828084
Opcode Fuzzy Hash: 6db48e34b8015a9a356737feec80cb9ce94780ac12ae5716c5351749696b05d0
Instruction Fuzzy Hash: 43B1CF30D2AF414DD2239639D825336B65CBFBB6D5F91D71BFC2674E62EB2286834240

Function 00801C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: bbfafb76e796cb20bf4a2027fe21f65eb2b21cfdf779055359a8e0255bd3cf43
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: DD9168722090A349EFA94639897C03EFFE1FA523B535A079DD8F2CA1C5FE14D554D620

Function 00801F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 65a265286ac18350a97781130d606e4f578ec4721ad889a375838a5146442af2
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: AF9155722091A349EBA942398D7C43EFFE1EA923B131A079DD4F2CB1C5EE64D554E620

Function 008019B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: f9a5d24fc462bf9e01e1647b225a526d4a08f6caeb3ab1fcf495547d80768a91
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 1F9122722090A34EEFA9467A897C03EFFE1EA923B535A079DD4F2CA1C1FE14D554D620

Function 00807A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddcff08c3557746cfe7a48bdd5dc0cba97c561025b12ccac3609404be3442cd1
Instruction ID: 42a6cd199ef40d380872b008430ee872e71694b1330e3983a440532c9b6932ac
Opcode Fuzzy Hash: ddcff08c3557746cfe7a48bdd5dc0cba97c561025b12ccac3609404be3442cd1
Instruction Fuzzy Hash: 17616B31F08759A6EEF4592C8CB5BBE3394FF41764F100919E982DB2C1DA51BE82C356

Function 00807CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52b9c6e8c96c208f7ab10e2e4ffe6bacf8e3b57384a699a4412cc10018b8c5cd
Instruction ID: 424192a364dd91e1af257e0258fca0e79fc0fbbc8666afe539cca7c56b6806b4
Opcode Fuzzy Hash: 52b9c6e8c96c208f7ab10e2e4ffe6bacf8e3b57384a699a4412cc10018b8c5cd
Instruction Fuzzy Hash: C8614971F0870DA6DEF85A2C8C55BBF2394FF52B04F100959ED82DB6C5EA12FD828256

Function 00801706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: f8738c5524010a718c926ff9806895f4097dcd6b62f43e2049d5423f0ffffee4
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: EB8169335090A349DFAD4279897C43EFFE1FA923B135A47ADD4F2CA1C5EE148654D620

Function 00852046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d38e5257db7a5132202ac9d520ca012cb21740dc7b8fa4424aa6033816645a3f
Instruction ID: d4bb5c3b8e04f5e1d9a8d2b503db810325acd07c79fd4109b1d532ba9e481074
Opcode Fuzzy Hash: d38e5257db7a5132202ac9d520ca012cb21740dc7b8fa4424aa6033816645a3f
Instruction Fuzzy Hash: 0A21A8326616118BDB28CE79C81267E73E5F765310F15862EE4A7C77D0DE35A904CB40

Function 00862ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00862B30
DeleteObject.GDI32(00000000), ref: 00862B43
DestroyWindow.USER32 ref: 00862B52
GetDesktopWindow.USER32 ref: 00862B6D
GetWindowRect.USER32(00000000), ref: 00862B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00862CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00862CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00862CF8
GetClientRect.USER32(00000000,?), ref: 00862D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00862D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00862D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00862D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00862D80
GlobalLock.KERNEL32(00000000), ref: 00862D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00862D98
GlobalUnlock.KERNEL32(00000000), ref: 00862DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00862DA8
GlobalFree.KERNEL32(00000000), ref: 00862DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00862DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0087FC38,00000000), ref: 00862DDB
GlobalFree.KERNEL32(00000000), ref: 00862DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00862E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00862E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00862E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0086303F

Strings

DISPLAY, xrefs: 00862EA2
AutoIt v3, xrefs: 00862CF2
, xrefs: 00862FC5
static, xrefs: 00862D3A, 00862E91

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 4a203d25e07e31f275b2a622d9a8bbe513c8fce1c237f104a967afae6743e36d
Instruction ID: 09c8bf8c4eaca8f38e94d6ca0b47b8551dab95a3c5fc38ef0333d0860fb48b95
Opcode Fuzzy Hash: 4a203d25e07e31f275b2a622d9a8bbe513c8fce1c237f104a967afae6743e36d
Instruction Fuzzy Hash: 28023771A00209EFDB14DF64CC8DEAE7BB9FB48710F148158F919AB2A5DB74E941CB60

Function 008770D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0087712F
GetSysColorBrush.USER32(0000000F), ref: 00877160
GetSysColor.USER32(0000000F), ref: 0087716C
SetBkColor.GDI32(?,000000FF), ref: 00877186
SelectObject.GDI32(?,?), ref: 00877195
InflateRect.USER32(?,000000FF,000000FF), ref: 008771C0
GetSysColor.USER32(00000010), ref: 008771C8
CreateSolidBrush.GDI32(00000000), ref: 008771CF
FrameRect.USER32(?,?,00000000), ref: 008771DE
DeleteObject.GDI32(00000000), ref: 008771E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00877230
FillRect.USER32(?,?,?), ref: 00877262
GetWindowLongW.USER32(?,000000F0), ref: 00877284

Part of subcall function 008773E8: GetSysColor.USER32(00000012), ref: 00877421
Part of subcall function 008773E8: SetTextColor.GDI32(?,?), ref: 00877425
Part of subcall function 008773E8: GetSysColorBrush.USER32(0000000F), ref: 0087743B
Part of subcall function 008773E8: GetSysColor.USER32(0000000F), ref: 00877446
Part of subcall function 008773E8: GetSysColor.USER32(00000011), ref: 00877463
Part of subcall function 008773E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00877471
Part of subcall function 008773E8: SelectObject.GDI32(?,00000000), ref: 00877482
Part of subcall function 008773E8: SetBkColor.GDI32(?,00000000), ref: 0087748B
Part of subcall function 008773E8: SelectObject.GDI32(?,?), ref: 00877498
Part of subcall function 008773E8: InflateRect.USER32(?,000000FF,000000FF), ref: 008774B7
Part of subcall function 008773E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008774CE
Part of subcall function 008773E8: GetWindowLongW.USER32(00000000,000000F0), ref: 008774DB

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 105e36aa94f7a09f634a6585695cb9047d1cee4cb47889eb0473fad989b00e9d
Instruction ID: f650494eed841eef67acb9f936fdb083f53a4936e992434ea83899a513911acc
Opcode Fuzzy Hash: 105e36aa94f7a09f634a6585695cb9047d1cee4cb47889eb0473fad989b00e9d
Instruction Fuzzy Hash: 13A19072008301AFD7109F60DC4CA6B7BA9FB49320F504A2DF96AD71E5D771E984CB61

Function 007F8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 007F8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00836AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00836AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00836F43

Part of subcall function 007F8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,007F8BE8,?,00000000,?,?,?,?,007F8BBA,00000000,?), ref: 007F8FC5

SendMessageW.USER32(?,00001053), ref: 00836F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00836F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00836FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00836FB7

Strings

0, xrefs: 00836DCF

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 3da564dc42c759cf6e04ce2255d2b2f4ec2a5559776088f10b7e371047a93a1c
Instruction ID: 6271a8b144c266907542f991677129917c28acec520b768d5374cba6514a0b38
Opcode Fuzzy Hash: 3da564dc42c759cf6e04ce2255d2b2f4ec2a5559776088f10b7e371047a93a1c
Instruction Fuzzy Hash: FE12AF30200645EFDB65CF28C858BB5BBE1FF85310F548569E589CB261DB36ECA1CB91

Function 00862711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0086273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0086286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 008628A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 008628B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00862900
GetClientRect.USER32(00000000,?), ref: 0086290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00862955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00862964
GetStockObject.GDI32(00000011), ref: 00862974
SelectObject.GDI32(00000000,00000000), ref: 00862978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00862988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00862991
DeleteDC.GDI32(00000000), ref: 0086299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 008629C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 008629DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00862A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00862A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00862A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00862A77
GetStockObject.GDI32(00000011), ref: 00862A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00862A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00862A97

Strings

DISPLAY, xrefs: 0086295A
AutoIt v3, xrefs: 008628F8
msctls_progress32, xrefs: 00862A13
static, xrefs: 0086294F, 00862A71

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 0e432f99cc05730cd0a4af0e24cd84f275866740c6fca832ed38a29406515772
Instruction ID: de86a6dc0556fdc22dd40c354aed284d757b76639e42890bce012e7b3cc9e272
Opcode Fuzzy Hash: 0e432f99cc05730cd0a4af0e24cd84f275866740c6fca832ed38a29406515772
Instruction Fuzzy Hash: 3AB14D71A00615AFEB14DF69DC89FAE7BA9FB08714F104258F915EB290D774ED40CBA0

Function 00854ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00854AED
GetDriveTypeW.KERNEL32(?,0087CB68,?,\\.\,0087CC08), ref: 00854BCA
SetErrorMode.KERNEL32(00000000,0087CB68,?,\\.\,0087CC08), ref: 00854D36

Strings

Virtual, xrefs: 00854CE5
RAMDisk, xrefs: 00854BF4
MMC, xrefs: 00854CDE
PhysicalDrive, xrefs: 00854B76
CDROM, xrefs: 00854BFB
Fixed, xrefs: 00854C09
FileBackedVirtual, xrefs: 00854CEC
USB, xrefs: 00854CB4
Fibre, xrefs: 00854CAD
Network, xrefs: 00854C02
iSCSI, xrefs: 00854CC2
SAS, xrefs: 00854CC9
Unknown, xrefs: 00854BED, 00854C83
ATAPI, xrefs: 00854C91
\\.\, xrefs: 00854B3F
RAID, xrefs: 00854CBB
Removable, xrefs: 00854C10, 00854C15
1394, xrefs: 00854C9F
SSD, xrefs: 00854C4A
SCSI, xrefs: 00854C8A
SSA, xrefs: 00854CA6
SATA, xrefs: 00854CD0
ATA, xrefs: 00854C98

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 91f8a9b5524bc81f01d3e5e13f2bc74c9d739583ec10e7645e8230bf65eb5397
Instruction ID: efd330362d168ec73a22a197b23fde5e9da76bea4dbe150208029c2323a31910
Opcode Fuzzy Hash: 91f8a9b5524bc81f01d3e5e13f2bc74c9d739583ec10e7645e8230bf65eb5397
Instruction Fuzzy Hash: 8561F330205209EBDB04DF24C98596877B0FB8538EB286015FC16EBB95EB3ADDD9DB41

Function 008773E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00877421
SetTextColor.GDI32(?,?), ref: 00877425
GetSysColorBrush.USER32(0000000F), ref: 0087743B
GetSysColor.USER32(0000000F), ref: 00877446
CreateSolidBrush.GDI32(?), ref: 0087744B
GetSysColor.USER32(00000011), ref: 00877463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00877471
SelectObject.GDI32(?,00000000), ref: 00877482
SetBkColor.GDI32(?,00000000), ref: 0087748B
SelectObject.GDI32(?,?), ref: 00877498
InflateRect.USER32(?,000000FF,000000FF), ref: 008774B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008774CE
GetWindowLongW.USER32(00000000,000000F0), ref: 008774DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0087752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00877554
InflateRect.USER32(?,000000FD,000000FD), ref: 00877572
DrawFocusRect.USER32(?,?), ref: 0087757D
GetSysColor.USER32(00000011), ref: 0087758E
SetTextColor.GDI32(?,00000000), ref: 00877596
DrawTextW.USER32(?,008770F5,000000FF,?,00000000), ref: 008775A8
SelectObject.GDI32(?,?), ref: 008775BF
DeleteObject.GDI32(?), ref: 008775CA
SelectObject.GDI32(?,?), ref: 008775D0
DeleteObject.GDI32(?), ref: 008775D5
SetTextColor.GDI32(?,?), ref: 008775DB
SetBkColor.GDI32(?,?), ref: 008775E5

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: e67b678c9b63ec5637e949c265736724ffb1dd4988d200300ccb46b86af3191e
Instruction ID: f8c449cfc56d7a713514f588a4f42a87a442efbb5333efb02476b40dd9603725
Opcode Fuzzy Hash: e67b678c9b63ec5637e949c265736724ffb1dd4988d200300ccb46b86af3191e
Instruction Fuzzy Hash: FE614072900218AFDF119FA4DC49AAE7F79FB09320F118125F919AB2A5D775D980CFA0

Function 00870FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00871128
GetDesktopWindow.USER32 ref: 0087113D
GetWindowRect.USER32(00000000), ref: 00871144
GetWindowLongW.USER32(?,000000F0), ref: 00871199
DestroyWindow.USER32(?), ref: 008711B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 008711ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0087120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0087121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00871232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00871245
IsWindowVisible.USER32(00000000), ref: 008712A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 008712BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 008712D0
GetWindowRect.USER32(00000000,?), ref: 008712E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0087130E
GetMonitorInfoW.USER32(00000000,?), ref: 00871328
CopyRect.USER32(?,?), ref: 0087133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 008713AA

Strings

tooltips_class32, xrefs: 008711E6
0, xrefs: 008710D3
(, xrefs: 0087131B

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 5f4e86d2cbbd00796ccd77a564ffcb35a882f4cf2f4757ec96864524276eae13
Instruction ID: 91bdc857130f3346c89d5349ec9d62aad57a0f04a12f19fb3bc07efc4e2dbff5
Opcode Fuzzy Hash: 5f4e86d2cbbd00796ccd77a564ffcb35a882f4cf2f4757ec96864524276eae13
Instruction Fuzzy Hash: 40B17B71604341AFDB14DF69C888B6ABBE4FF88354F00891CF999DB265C731E844CBA1

Function 007F8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007F8968
GetSystemMetrics.USER32(00000007), ref: 007F8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007F899B
GetSystemMetrics.USER32(00000008), ref: 007F89A3
GetSystemMetrics.USER32(00000004), ref: 007F89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 007F89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 007F89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 007F8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 007F8A3C
GetClientRect.USER32(00000000,000000FF), ref: 007F8A5A
GetStockObject.GDI32(00000011), ref: 007F8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 007F8A81

Part of subcall function 007F912D: GetCursorPos.USER32(?), ref: 007F9141
Part of subcall function 007F912D: ScreenToClient.USER32(00000000,?), ref: 007F915E
Part of subcall function 007F912D: GetAsyncKeyState.USER32(00000001), ref: 007F9183
Part of subcall function 007F912D: GetAsyncKeyState.USER32(00000002), ref: 007F919D

SetTimer.USER32(00000000,00000000,00000028,007F90FC), ref: 007F8AA8

Strings

AutoIt v3 GUI, xrefs: 007F8A20

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: b4ad47e73e3088a1aa9ea173148a45ff3f28a417ee1345ea092f6dd69d9c2100
Instruction ID: cfe5d75562dfccd401fec10e450baf2de4c51b0595bf4dcd4a5c6fd98a98f196
Opcode Fuzzy Hash: b4ad47e73e3088a1aa9ea173148a45ff3f28a417ee1345ea092f6dd69d9c2100
Instruction Fuzzy Hash: F6B14E71A00209AFDF14DFA8CC59BAE7BB5FB48314F508229FA15EB290DB74E950CB51

Function 00840D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008410F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00841114
Part of subcall function 008410F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00840B9B,?,?,?), ref: 00841120
Part of subcall function 008410F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00840B9B,?,?,?), ref: 0084112F
Part of subcall function 008410F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00840B9B,?,?,?), ref: 00841136
Part of subcall function 008410F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0084114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00840DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00840E29
GetLengthSid.ADVAPI32(?), ref: 00840E40
GetAce.ADVAPI32(?,00000000,?), ref: 00840E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00840E96
GetLengthSid.ADVAPI32(?), ref: 00840EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00840EB5
HeapAlloc.KERNEL32(00000000), ref: 00840EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00840EDD
CopySid.ADVAPI32(00000000), ref: 00840EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00840F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00840F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00840F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00840F6E
HeapFree.KERNEL32(00000000), ref: 00840F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00840F7E
HeapFree.KERNEL32(00000000), ref: 00840F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00840F8E
HeapFree.KERNEL32(00000000), ref: 00840F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00840FA1
HeapFree.KERNEL32(00000000), ref: 00840FA8

Part of subcall function 00841193: GetProcessHeap.KERNEL32(00000008,00840BB1,?,00000000,?,00840BB1,?), ref: 008411A1
Part of subcall function 00841193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00840BB1,?), ref: 008411A8
Part of subcall function 00841193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00840BB1,?), ref: 008411B7

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 7e316f0157d1662149d88cc297bc06e8c337c575f49969d411ff71f3be8fccc8
Instruction ID: ef156a85607528efee8cd6a1039f93e6e7d2aca2f1e99e096bf1b8d01f23ebd2
Opcode Fuzzy Hash: 7e316f0157d1662149d88cc297bc06e8c337c575f49969d411ff71f3be8fccc8
Instruction Fuzzy Hash: 84712C7290020AABDF209FA4DC48FAFBBB8FF05310F144129EA59E7191DB759945CFA0

Function 0086C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0086C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0087CC08,00000000,?,00000000,?,?), ref: 0086C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0086C5A4
_wcslen.LIBCMT ref: 0086C5F4
_wcslen.LIBCMT ref: 0086C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0086C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0086C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0086C84D
RegCloseKey.ADVAPI32(?), ref: 0086C881
RegCloseKey.ADVAPI32(00000000), ref: 0086C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0086C960

Strings

REG_EXPAND_SZ, xrefs: 0086C5CD
REG_MULTI_SZ, xrefs: 0086C6F5
REG_SZ, xrefs: 0086C644
REG_DWORD, xrefs: 0086C804
REG_BINARY, xrefs: 0086C913
REG_QWORD, xrefs: 0086C8C3

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 284c8d6f1b11723bfc13278209b249aa34758b4a020a4499cc0c732d496c9a88
Instruction ID: d669df238cc02f5e33e2a484f1a85790a3d36787e86240f1d557d7b86ea9ef23
Opcode Fuzzy Hash: 284c8d6f1b11723bfc13278209b249aa34758b4a020a4499cc0c732d496c9a88
Instruction Fuzzy Hash: 6F126735204600DFDB14DF29C885A2AB7E5FF88714F05889CF99A9B3A2DB35ED41CB81

Function 0087091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008709C6
_wcslen.LIBCMT ref: 00870A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00870A54
_wcslen.LIBCMT ref: 00870A8A
_wcslen.LIBCMT ref: 00870B06
_wcslen.LIBCMT ref: 00870B81

Part of subcall function 007FF9F2: _wcslen.LIBCMT ref: 007FF9FD

Part of subcall function 00842BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00842BFA

Strings

COLLAPSE, xrefs: 00870B01, 00870B1C
SELECT, xrefs: 00870D11
GETTOTALCOUNT, xrefs: 008709F2, 00870A17
UNCHECK, xrefs: 00870D3E
EXISTS, xrefs: 00870B7C, 00870B97
GETTEXT, xrefs: 00870C97
EXPAND, xrefs: 00870BF8
GETSELECTED, xrefs: 00870C4E
CHECK, xrefs: 00870A85, 00870AA0
GETITEMCOUNT, xrefs: 00870C1E
ISCHECKED, xrefs: 00870CE1

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 5aeea50b84af30f7b7ba64bf1bd172d3ab1d41d8251d60a77cf974691dda064c
Instruction ID: 4a48eb5c4f094e4c246a20b3354ee5302ba65d303ae8bdab4e51bd1ec288721f
Opcode Fuzzy Hash: 5aeea50b84af30f7b7ba64bf1bd172d3ab1d41d8251d60a77cf974691dda064c
Instruction Fuzzy Hash: CAE15631208745DFC714DF29C45092AB7E2FF98318F148958F89A9B3A6DB34EE45CB82

Function 0086C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0086B6AE,?,?), ref: 0086C9B5
_wcslen.LIBCMT ref: 0086C9F1
_wcslen.LIBCMT ref: 0086CA68
_wcslen.LIBCMT ref: 0086CA9E
_wcslen.LIBCMT ref: 0086CAF9
_wcslen.LIBCMT ref: 0086CB2F
_wcslen.LIBCMT ref: 0086CB7F

Strings

HKEY_CLASSES_ROOT, xrefs: 0086CAF3, 0086CAF8
HKCR, xrefs: 0086CB29, 0086CB2E
HKCC, xrefs: 0086CBAC
HKCU, xrefs: 0086CBCE
HKEY_USERS, xrefs: 0086CBDF
HKU, xrefs: 0086CBF0
HKEY_CURRENT_CONFIG, xrefs: 0086CB79, 0086CB7E
HKEY_LOCAL_MACHINE, xrefs: 0086CA62, 0086CA67
HKEY_CURRENT_USER, xrefs: 0086CBBD
HKLM, xrefs: 0086CA98, 0086CA9D

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: b6e848b1e150d7fbee545d49f82e56a5688dd0d89ce52f1cbb1f4a87066ff6b1
Instruction ID: 7e00c37187a95fce9ac984899b75f0f2a00d80164db25773f3c16b268216f2c1
Opcode Fuzzy Hash: b6e848b1e150d7fbee545d49f82e56a5688dd0d89ce52f1cbb1f4a87066ff6b1
Instruction Fuzzy Hash: E071057260016A8BCB20DEBCCD516BE3391FF65764F160128FDA6DB294EA35DD44D3A0

Function 0087833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0087835A
_wcslen.LIBCMT ref: 0087836E
_wcslen.LIBCMT ref: 00878391
_wcslen.LIBCMT ref: 008783B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 008783F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0087361A,?), ref: 0087844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00878487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 008784CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00878501
FreeLibrary.KERNEL32(?), ref: 0087850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0087851D
DestroyIcon.USER32(?), ref: 0087852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00878549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00878555

Strings

.exe, xrefs: 00878388
.dll, xrefs: 008783AB
.icl, xrefs: 00878368

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: a68fcb6da99944faecd09b22b39b9e92b40b4927b065bed45881c24bdf02cd08
Instruction ID: bc1ff0c42ef99c4131400d5f132cc8f652332ce9f19f60a35e633ddbc16fd401
Opcode Fuzzy Hash: a68fcb6da99944faecd09b22b39b9e92b40b4927b065bed45881c24bdf02cd08
Instruction Fuzzy Hash: 8661D2B1580215FEEB14DF68CC49BBE7BA8FB08B11F108509F919D61D1DBB4E990DBA0

Function 007E7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-start, xrefs: 007E785F, 007E78B1
#comments-end, xrefs: 007E78D9
Unterminated group of comments, xrefs: 0082528C
#OnAutoItStartRegister, xrefs: 007E7817
#include, xrefs: 007E7847
#cs, xrefs: 007E7873, 007E78C5
Cannot parse #include, xrefs: 00825279
#notrayicon, xrefs: 007E77E7
Bad directive syntax error, xrefs: 0082519A
", xrefs: 00825153
#pragma compile, xrefs: 007E77D3
', xrefs: 00825169
#include-once, xrefs: 007E782F
#requireadmin, xrefs: 007E77FF
#ce, xrefs: 007E78ED

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 7584fa5b5a4795af0711afe0855413b9c9e7529f77e65537125f30ac67d49af6
Instruction ID: e410a2be3ed957e26fa123a152a2df12efeb3a807d83837eea5423ca9b036052
Opcode Fuzzy Hash: 7584fa5b5a4795af0711afe0855413b9c9e7529f77e65537125f30ac67d49af6
Instruction Fuzzy Hash: 9F81F171645215FBDB24AF65DC46FAF37A8FF19300F044024F908EA296EB78DA91C7A1

Function 00853E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00853EF8
_wcslen.LIBCMT ref: 00853F03
_wcslen.LIBCMT ref: 00853F5A
_wcslen.LIBCMT ref: 00853F98
GetDriveTypeW.KERNEL32(?), ref: 00853FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0085401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00854059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00854087

Strings

close, xrefs: 00853EFE, 00853F18
open, xrefs: 00853F54, 00853F59
set cd door , xrefs: 00854028
closed, xrefs: 00853F08, 00853F2D, 00853F46, 00853F7E, 00853F97
type cdaudio alias cd wait, xrefs: 00854001
close cd wait, xrefs: 00854072
wait, xrefs: 00854044
open , xrefs: 00853FE5

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 56ca5e1899664208de5d292c2c84789794604b5d465c43e3e9f53c6f8b5fe923
Instruction ID: c661fda0c7f9fa58799f373886ad22e69f6e373459f512d653b5fd7a58c51236
Opcode Fuzzy Hash: 56ca5e1899664208de5d292c2c84789794604b5d465c43e3e9f53c6f8b5fe923
Instruction Fuzzy Hash: E471F2726042019FC310EF24C88086AB7F4FF987A8F14492DF9A5D72A5EB35ED49CB91

Function 00845A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00845A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00845A40
SetWindowTextW.USER32(?,?), ref: 00845A57
GetDlgItem.USER32(?,000003EA), ref: 00845A6C
SetWindowTextW.USER32(00000000,?), ref: 00845A72
GetDlgItem.USER32(?,000003E9), ref: 00845A82
SetWindowTextW.USER32(00000000,?), ref: 00845A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00845AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00845AC3
GetWindowRect.USER32(?,?), ref: 00845ACC
_wcslen.LIBCMT ref: 00845B33
SetWindowTextW.USER32(?,?), ref: 00845B6F
GetDesktopWindow.USER32 ref: 00845B75
GetWindowRect.USER32(00000000), ref: 00845B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00845BD3
GetClientRect.USER32(?,?), ref: 00845BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00845C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00845C2F

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 614d9418947767c785911f29459dff3385b27531bc3ee28c333398be001d3a41
Instruction ID: 8643b082377d9739ca1c6484ac79867d95885142cb107a56c859c99e9578e42c
Opcode Fuzzy Hash: 614d9418947767c785911f29459dff3385b27531bc3ee28c333398be001d3a41
Instruction Fuzzy Hash: 07713831900B09AFDB20DFA8CE89AAEBBF5FB48714F10491CE546E35A1D775E944CB50

Function 0085FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0085FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0085FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0085FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0085FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0085FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0085FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0085FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0085FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0085FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0085FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0085FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0085FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0085FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0085FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0085FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0085FECC
GetCursorInfo.USER32(?), ref: 0085FEDC
GetLastError.KERNEL32 ref: 0085FF1E

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 9d2f91b5b153747df47aabc116e8c9dfd3131426489f6b38667f7f7e3fc7ea8a
Instruction ID: e09a6cffb4ea05f9a02cb306ab50c0818e54b6cf0b5db476c1d9e40126c4c2d4
Opcode Fuzzy Hash: 9d2f91b5b153747df47aabc116e8c9dfd3131426489f6b38667f7f7e3fc7ea8a
Instruction Fuzzy Hash: 794172B0D04319AADB109FBA8C8985EBFE8FF04354B50452AF51DE7281DB78E901CF90

Function 008000C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 008000C6

Part of subcall function 008000ED: InitializeCriticalSectionAndSpinCount.KERNEL32(008B070C,00000FA0,CA0A7492,?,?,?,?,008223B3,000000FF), ref: 0080011C
Part of subcall function 008000ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,008223B3,000000FF), ref: 00800127
Part of subcall function 008000ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,008223B3,000000FF), ref: 00800138
Part of subcall function 008000ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0080014E
Part of subcall function 008000ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0080015C
Part of subcall function 008000ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0080016A
Part of subcall function 008000ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00800195
Part of subcall function 008000ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 008001A0

___scrt_fastfail.LIBCMT ref: 008000E7

Part of subcall function 008000A3: __onexit.LIBCMT ref: 008000A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00800122
SleepConditionVariableCS, xrefs: 00800154
WakeAllConditionVariable, xrefs: 00800162
kernel32.dll, xrefs: 00800133
InitializeConditionVariable, xrefs: 00800148

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 39200d1b95b2fe56549275d85ddb216450d3c2e355f31f175447717cc3e1065f
Instruction ID: 640ba0c8cd71f4a7ebf46701e8baaf5d536e04456e6765375544b826c2d0b3ad
Opcode Fuzzy Hash: 39200d1b95b2fe56549275d85ddb216450d3c2e355f31f175447717cc3e1065f
Instruction Fuzzy Hash: C4210432A44710ABE7605B64AC0EB6E7794FB06B60F00413AF919E33D6DF78D8008EA5

Function 008430F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0084318D
_wcslen.LIBCMT ref: 008431F8

Strings

CLASSNN, xrefs: 008431F3, 00843204
TEXT, xrefs: 0084347C
NAME, xrefs: 00843335, 00843346
INSTANCE, xrefs: 00843453
CLASS, xrefs: 00843188, 008431A5
REGEXPCLASS, xrefs: 00843255, 00843266

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: b625a102be8a02b69e088cc17f57687c099c5394542f81f4fbabfac7599c4cb5
Instruction ID: 64e2c57503d0167a7082d45a32986939414e0016ad156ca77ab423198eb44d75
Opcode Fuzzy Hash: b625a102be8a02b69e088cc17f57687c099c5394542f81f4fbabfac7599c4cb5
Instruction Fuzzy Hash: C4E1D432A0051EEBCB18DFA8C8516EDFBB0FF54714F558129E556F7280EB70AE8587A0

Function 008544C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0087CC08), ref: 00854527
_wcslen.LIBCMT ref: 0085453B
_wcslen.LIBCMT ref: 00854599
_wcslen.LIBCMT ref: 008545F4
_wcslen.LIBCMT ref: 0085463F
_wcslen.LIBCMT ref: 008546A7

Part of subcall function 007FF9F2: _wcslen.LIBCMT ref: 007FF9FD

GetDriveTypeW.KERNEL32(?,008A6BF0,00000061), ref: 00854743

Strings

ramdisk, xrefs: 008546F1
unknown, xrefs: 00854708
network, xrefs: 0085469D, 008546A2
cdrom, xrefs: 0085458F, 00854594
all, xrefs: 00854531, 00854536
removable, xrefs: 008545EA, 008545EF
fixed, xrefs: 00854635, 0085463A

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 3b20afcb533e956be005fb54d79a28eb5b87f4884d6fbca59e24bdd5eefa7ed4
Instruction ID: e123e69304046c8d477b7cd57ea434b609413a10a70b9800cb84497cb222099b
Opcode Fuzzy Hash: 3b20afcb533e956be005fb54d79a28eb5b87f4884d6fbca59e24bdd5eefa7ed4
Instruction Fuzzy Hash: 80B125316083029FC710DF28C890A6AB7E5FFA9769F50591DF996C7291E730D889CB62

Function 00863FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0087CC08), ref: 008640BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 008640CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0087CC08), ref: 008640F2
FreeLibrary.KERNEL32(00000000,?,0087CC08), ref: 0086413E
StringFromGUID2.OLE32(?,?,00000028,?,0087CC08), ref: 008641A8
SysFreeString.OLEAUT32(00000009), ref: 00864262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 008642C8
SysFreeString.OLEAUT32(?), ref: 008642F2

Strings

kernel32.dll, xrefs: 008640B6
GetModuleHandleExW, xrefs: 008640C7

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 908f85f260ded3212395e91a2c08565807de76d582daff7f269e866998363188
Instruction ID: 4723cd5d1386fc7207046c6d3f72b64fdc985048c6922c31583f444e5dc8c524
Opcode Fuzzy Hash: 908f85f260ded3212395e91a2c08565807de76d582daff7f269e866998363188
Instruction Fuzzy Hash: 6D124D75A00119EFDB14DF54C888EAEB7B5FF45318F259098E906DB251CB31ED86CBA0

Function 007E326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(008B1990), ref: 00822F8D
GetMenuItemCount.USER32(008B1990), ref: 0082303D
GetCursorPos.USER32(?), ref: 00823081
SetForegroundWindow.USER32(00000000), ref: 0082308A
TrackPopupMenuEx.USER32(008B1990,00000000,?,00000000,00000000,00000000), ref: 0082309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 008230A9

Strings

0, xrefs: 007E327D

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 5eefdcc32615ea1e66af65009d054a5205b3478b95bc0fcb92ccd2baeb260908
Instruction ID: e771a4a0e76b886e2dd357f9bd2d2ffc85e4e6327ff0694a9207d57e7662d3f8
Opcode Fuzzy Hash: 5eefdcc32615ea1e66af65009d054a5205b3478b95bc0fcb92ccd2baeb260908
Instruction Fuzzy Hash: A2712930644255BEEB318F29DC8DF9ABF68FF04324F204216F628AB1E0C7B5A990D751

Function 00876CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00876DEB

Part of subcall function 007E6B57: _wcslen.LIBCMT ref: 007E6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00876E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00876E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00876E94
DestroyWindow.USER32(?), ref: 00876EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,007E0000,00000000), ref: 00876EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00876EFD
GetDesktopWindow.USER32 ref: 00876F16
GetWindowRect.USER32(00000000), ref: 00876F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00876F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00876F4D

Part of subcall function 007F9944: GetWindowLongW.USER32(?,000000EB), ref: 007F9952

Strings

tooltips_class32, xrefs: 00876E58, 00876EDD
0, xrefs: 00876D98

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 0f2711ff5aa438a8df288190de25b6dce43c35b3a711089a874e82fb55d85162
Instruction ID: 989a42019e7c4e07edccd39f4f2b0431b77edb7940a7920c99561d0f0fae4e6f
Opcode Fuzzy Hash: 0f2711ff5aa438a8df288190de25b6dce43c35b3a711089a874e82fb55d85162
Instruction Fuzzy Hash: DB719771104244AFDB21DF28DC88FAABBE9FB88304F64851DF989C7265DB70E959CB11

Function 0087911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 007F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007F9BB2

DragQueryPoint.SHELL32(?,?), ref: 00879147

Part of subcall function 00877674: ClientToScreen.USER32(?,?), ref: 0087769A
Part of subcall function 00877674: GetWindowRect.USER32(?,?), ref: 00877710
Part of subcall function 00877674: PtInRect.USER32(?,?,00878B89), ref: 00877720

SendMessageW.USER32(?,000000B0,?,?), ref: 008791B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 008791BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 008791DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00879225
SendMessageW.USER32(?,000000B0,?,?), ref: 0087923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00879255
SendMessageW.USER32(?,000000B1,?,?), ref: 00879277
DragFinish.SHELL32(?), ref: 0087927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00879371

Strings

@GUI_DRAGFILE, xrefs: 00879320
@GUI_DRAGID, xrefs: 008792E9
@GUI_DROPID, xrefs: 0087929E

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 036ad532a9567cc0f2743839e8889f3067468608e87231bf4a9557930cce787c
Instruction ID: 4c9f32257da8a351ff5ddf8bf57441f5f34db66f228d09d5cc27bace47a0c254
Opcode Fuzzy Hash: 036ad532a9567cc0f2743839e8889f3067468608e87231bf4a9557930cce787c
Instruction Fuzzy Hash: A7615872108340AFD701EF65CC89DABBBE8FB99350F40091DF6A5922A1DB30DA49CB52

Function 0085C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0085C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0085C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0085C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0085C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0085C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0085C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0085C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0085C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0085C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0085C5F0
InternetCloseHandle.WININET(00000000), ref: 0085C5FB

Strings

, xrefs: 0085C575

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 06dcd59b610ee993537639bf023c08a12e5eb8ae3b6601b38d74a8077e49f6f9
Instruction ID: 9601407974eab3e95e6b2b79c406f267798abe948641efb824c4e6ac67b7656f
Opcode Fuzzy Hash: 06dcd59b610ee993537639bf023c08a12e5eb8ae3b6601b38d74a8077e49f6f9
Instruction Fuzzy Hash: 00512CB1500708BFDB219FA4C988AAB7BBCFB04795F00451DF949D7250EB74EA489F61

Function 0087856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00878592
GetFileSize.KERNEL32(00000000,00000000), ref: 008785A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 008785AD
CloseHandle.KERNEL32(00000000), ref: 008785BA
GlobalLock.KERNEL32(00000000), ref: 008785C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 008785D7
GlobalUnlock.KERNEL32(00000000), ref: 008785E0
CloseHandle.KERNEL32(00000000), ref: 008785E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 008785F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,0087FC38,?), ref: 00878611
GlobalFree.KERNEL32(00000000), ref: 00878621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00878641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00878671
DeleteObject.GDI32(00000000), ref: 00878699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 008786AF

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: bd2f8909a2560206c77be52c88c1c56d4843b5dcea2f7508076d37a31885a4ca
Instruction ID: d3628e6d2bb297b55a167320bcf411f78d5da067cce3c3b7022a5db931719235
Opcode Fuzzy Hash: bd2f8909a2560206c77be52c88c1c56d4843b5dcea2f7508076d37a31885a4ca
Instruction Fuzzy Hash: 04411775640208FFDB119FA5CC8CEAA7BB8FB99B15F108058F909E7264DB30D941CB60

Function 008514BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00851502
VariantCopy.OLEAUT32(?,?), ref: 0085150B
VariantClear.OLEAUT32(?), ref: 00851517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 008515FB
VarR8FromDec.OLEAUT32(?,?), ref: 00851657
VariantInit.OLEAUT32(?), ref: 00851708
SysFreeString.OLEAUT32(?), ref: 0085178C
VariantClear.OLEAUT32(?), ref: 008517D8
VariantClear.OLEAUT32(?), ref: 008517E7
VariantInit.OLEAUT32(00000000), ref: 00851823

Strings

Default, xrefs: 008516AF
%4d%02d%02d%02d%02d%02d, xrefs: 00851625

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 43219cae0888d3d80cf9b1fd790cbfe5b3b71ad14b92bad3b80e3ed028c1e59f
Instruction ID: 4214e7f39622f97184da490f954cf91cc0a429e4cd0b5a4d8d4ff511611dcb68
Opcode Fuzzy Hash: 43219cae0888d3d80cf9b1fd790cbfe5b3b71ad14b92bad3b80e3ed028c1e59f
Instruction Fuzzy Hash: F3D1DE71A00109EBDF00AF65D88DB79B7B5FF48705F14805AF806EB290EB38E849DB61

Function 0086B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 007E9CB3: _wcslen.LIBCMT ref: 007E9CBD

Part of subcall function 0086C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0086B6AE,?,?), ref: 0086C9B5
Part of subcall function 0086C998: _wcslen.LIBCMT ref: 0086C9F1
Part of subcall function 0086C998: _wcslen.LIBCMT ref: 0086CA68
Part of subcall function 0086C998: _wcslen.LIBCMT ref: 0086CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0086B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0086B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0086B80A
RegCloseKey.ADVAPI32(?), ref: 0086B87E
RegCloseKey.ADVAPI32(?), ref: 0086B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0086B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0086B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0086B922
FreeLibrary.KERNEL32(00000000), ref: 0086B983
RegCloseKey.ADVAPI32(00000000), ref: 0086B994

Strings

RegDeleteKeyExW, xrefs: 0086B8FE
advapi32.dll, xrefs: 0086B8ED

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 34929e797cdb351499fa701b2cdfaebc931760354804a084076c8a2da4e71e9f
Instruction ID: 1962399b901c6d55058c1708e78daab1f90020f7c933acef4b8c68ff1566f240
Opcode Fuzzy Hash: 34929e797cdb351499fa701b2cdfaebc931760354804a084076c8a2da4e71e9f
Instruction Fuzzy Hash: B1C17C35205241EFD714DF15C499F2ABBE5FF88308F15845CE5AA8B2A2CB35EC85CB91

Function 0086255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 008625D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 008625E8
CreateCompatibleDC.GDI32(?), ref: 008625F4
SelectObject.GDI32(00000000,?), ref: 00862601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0086266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 008626AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 008626D0
SelectObject.GDI32(?,?), ref: 008626D8
DeleteObject.GDI32(?), ref: 008626E1
DeleteDC.GDI32(?), ref: 008626E8
ReleaseDC.USER32(00000000,?), ref: 008626F3

Strings

(, xrefs: 0086268D

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 8e968facc894f180db279cccd18d7b536fe293dcfc4e132b6a86f527c17a04ef
Instruction ID: 1e550039b4f7c5e624ea22e6a401d3aafbeea1446ba643b66c256f6f26408667
Opcode Fuzzy Hash: 8e968facc894f180db279cccd18d7b536fe293dcfc4e132b6a86f527c17a04ef
Instruction Fuzzy Hash: B861E275D00619EFCF14CFA8D888AAEBBB5FF48310F208569E959A7250D770A951CFA0

Function 0081DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0081DAA1

Part of subcall function 0081D63C: _free.LIBCMT ref: 0081D659
Part of subcall function 0081D63C: _free.LIBCMT ref: 0081D66B
Part of subcall function 0081D63C: _free.LIBCMT ref: 0081D67D
Part of subcall function 0081D63C: _free.LIBCMT ref: 0081D68F
Part of subcall function 0081D63C: _free.LIBCMT ref: 0081D6A1
Part of subcall function 0081D63C: _free.LIBCMT ref: 0081D6B3
Part of subcall function 0081D63C: _free.LIBCMT ref: 0081D6C5
Part of subcall function 0081D63C: _free.LIBCMT ref: 0081D6D7
Part of subcall function 0081D63C: _free.LIBCMT ref: 0081D6E9
Part of subcall function 0081D63C: _free.LIBCMT ref: 0081D6FB
Part of subcall function 0081D63C: _free.LIBCMT ref: 0081D70D
Part of subcall function 0081D63C: _free.LIBCMT ref: 0081D71F
Part of subcall function 0081D63C: _free.LIBCMT ref: 0081D731

_free.LIBCMT ref: 0081DA96

Part of subcall function 008129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0081D7D1,00000000,00000000,00000000,00000000,?,0081D7F8,00000000,00000007,00000000,?,0081DBF5,00000000), ref: 008129DE
Part of subcall function 008129C8: GetLastError.KERNEL32(00000000,?,0081D7D1,00000000,00000000,00000000,00000000,?,0081D7F8,00000000,00000007,00000000,?,0081DBF5,00000000,00000000), ref: 008129F0

_free.LIBCMT ref: 0081DAB8
_free.LIBCMT ref: 0081DACD
_free.LIBCMT ref: 0081DAD8
_free.LIBCMT ref: 0081DAFA
_free.LIBCMT ref: 0081DB0D
_free.LIBCMT ref: 0081DB1B
_free.LIBCMT ref: 0081DB26
_free.LIBCMT ref: 0081DB5E
_free.LIBCMT ref: 0081DB65
_free.LIBCMT ref: 0081DB82
_free.LIBCMT ref: 0081DB9A

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 0c832162cde3a2cc4a28db39e02b2540376502b279ce88c2aad35935de57619f
Instruction ID: aa0f878a77c4ebab8aefa1ef93768314bf22dcd3e6c36ed0f33fad107adc9d7a
Opcode Fuzzy Hash: 0c832162cde3a2cc4a28db39e02b2540376502b279ce88c2aad35935de57619f
Instruction Fuzzy Hash: E6312A326087059FEB21AA7DE845FDA7BEDFF10320F154429E449DB191DB35ACE08721

Function 0084365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0084369C
_wcslen.LIBCMT ref: 008436A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00843797
GetClassNameW.USER32(?,?,00000400), ref: 0084380C
GetDlgCtrlID.USER32(?), ref: 0084385D
GetWindowRect.USER32(?,?), ref: 00843882
GetParent.USER32(?), ref: 008438A0
ScreenToClient.USER32(00000000), ref: 008438A7
GetClassNameW.USER32(?,?,00000100), ref: 00843921
GetWindowTextW.USER32(?,?,00000400), ref: 0084395D

Strings

%s%u, xrefs: 00843734

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 8c90ff1beb856800d964ad68ca5cfb8cc5561b242ac09d7fbf912b574481e1bc
Instruction ID: 2e12db102e63bc01f82a5a1eea9daf3f447a67f731a4e5405d01b152225e5c9c
Opcode Fuzzy Hash: 8c90ff1beb856800d964ad68ca5cfb8cc5561b242ac09d7fbf912b574481e1bc
Instruction Fuzzy Hash: 6291A17120470AAFD719DF24C885BAAFBE8FF54350F10852DF999D2190EB30EA55CB91

Function 00844954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00844994
GetWindowTextW.USER32(?,?,00000400), ref: 008449DA
_wcslen.LIBCMT ref: 008449EB
CharUpperBuffW.USER32(?,00000000), ref: 008449F7
_wcsstr.LIBVCRUNTIME ref: 00844A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00844A64
GetWindowTextW.USER32(?,?,00000400), ref: 00844A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00844AE6
GetClassNameW.USER32(?,?,00000400), ref: 00844B20
GetWindowRect.USER32(?,?), ref: 00844B8B

Strings

ThumbnailClass, xrefs: 00844A6F, 00844AF1

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 5ff0857c936beae3a9f839738d20267d031eba74ff34345fb6ddd9bf3856ce7c
Instruction ID: 0e36e68608c827bf139c05b83bcd5ab419ecff2e1e8a20d3608317f00e7d820a
Opcode Fuzzy Hash: 5ff0857c936beae3a9f839738d20267d031eba74ff34345fb6ddd9bf3856ce7c
Instruction Fuzzy Hash: 2291CE710042099FDB04DF54C985BAABBE8FF84314F04946EFD89DA196EB34ED45CBA2

Function 0084BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(008B1990,000000FF,00000000,00000030), ref: 0084BFAC
SetMenuItemInfoW.USER32(008B1990,00000004,00000000,00000030), ref: 0084BFE1
Sleep.KERNEL32(000001F4), ref: 0084BFF3
GetMenuItemCount.USER32(?), ref: 0084C039
GetMenuItemID.USER32(?,00000000), ref: 0084C056
GetMenuItemID.USER32(?,-00000001), ref: 0084C082
GetMenuItemID.USER32(?,?), ref: 0084C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0084C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0084C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0084C145

Strings

0, xrefs: 0084BF3D

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: d1c3fd8fa0dcbed930f4810e376506b35476cf2ea11f7d822e6977d62e7ec60f
Instruction ID: 97deb67b403e3d3464b1a5c741f259682545c572464d6436a7556c7d35f9e66a
Opcode Fuzzy Hash: d1c3fd8fa0dcbed930f4810e376506b35476cf2ea11f7d822e6977d62e7ec60f
Instruction Fuzzy Hash: 9B618BB090124EAFDF51CF68CC88AAEBBB8FB05348F000159E815E7292DB35ED45CB61

Function 0086CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0086CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0086CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0086CD48

Part of subcall function 0086CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0086CCAA
Part of subcall function 0086CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0086CCBD
Part of subcall function 0086CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0086CCCF
Part of subcall function 0086CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0086CD05
Part of subcall function 0086CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0086CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0086CCF3

Strings

RegDeleteKeyExW, xrefs: 0086CCC9
advapi32.dll, xrefs: 0086CCB8

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: aeb6ea434ed80e09ef35d7df12681b92af18eaead7fe09032a640aa9c131b7dc
Instruction ID: de234654d3d046584b7dcc402961ce8f719fd22be3308a15484652ea119432de
Opcode Fuzzy Hash: aeb6ea434ed80e09ef35d7df12681b92af18eaead7fe09032a640aa9c131b7dc
Instruction Fuzzy Hash: 02315C71A01129BBDB209B54DC88EFFBB7CFF56750F010169A949E3244DA349A85AAF0

Function 00853D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00853D40
_wcslen.LIBCMT ref: 00853D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00853D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00853DBE
RemoveDirectoryW.KERNEL32(?), ref: 00853DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00853E55
CloseHandle.KERNEL32(00000000), ref: 00853E60
CloseHandle.KERNEL32(00000000), ref: 00853E6B

Strings

\??\%s, xrefs: 00853D5B
\, xrefs: 00853D77
:, xrefs: 00853D82

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 228b538ac829e1cf989a5e83703bf859970663fd605203828b880e5e936fe045
Instruction ID: 51575a76265dec01819d957b6413c8b12319ba63f7dd657860d1b3417dd7cb37
Opcode Fuzzy Hash: 228b538ac829e1cf989a5e83703bf859970663fd605203828b880e5e936fe045
Instruction Fuzzy Hash: B631A572500109ABDB219BA4DC49FEB37BDFF89741F1040B9F919D6164EB74D7848B24

Function 0084E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0084E6B4

Part of subcall function 007FE551: timeGetTime.WINMM(?,?,0084E6D4), ref: 007FE555

Sleep.KERNEL32(0000000A), ref: 0084E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0084E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0084E727
SetActiveWindow.USER32 ref: 0084E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0084E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0084E773
Sleep.KERNEL32(000000FA), ref: 0084E77E
IsWindow.USER32 ref: 0084E78A
EndDialog.USER32(00000000), ref: 0084E79B

Strings

BUTTON, xrefs: 0084E719

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 9ea1c91b897738351d918b01ce39639e47a1aefc355a8ec1f78c0f024d593511
Instruction ID: b93eab40b1162cefb1695b0fd908098546f6adf5a0a5bc8b2029326945ad8c41
Opcode Fuzzy Hash: 9ea1c91b897738351d918b01ce39639e47a1aefc355a8ec1f78c0f024d593511
Instruction Fuzzy Hash: 612190B0600208AFEB109FA4ECCEE263B69F775399F101529F51AC22B5DB75EC40DB25

Function 0084E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 007E9CB3: _wcslen.LIBCMT ref: 007E9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0084EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0084EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0084EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0084EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0084EAA7

Strings

alias PlayMe, xrefs: 0084EA36
status PlayMe mode, xrefs: 0084EA58
play PlayMe, xrefs: 0084EAA2
close PlayMe, xrefs: 0084EA6E, 0084EA9B
play PlayMe wait, xrefs: 0084EA91
open , xrefs: 0084EA0C

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 477886800a30856961ba3650311254afe1ef182f619970d175585747eead20d1
Instruction ID: a496ce6e1792f3290523e7566690407ffe4abf470de3aa42179d1fc21c5c3945
Opcode Fuzzy Hash: 477886800a30856961ba3650311254afe1ef182f619970d175585747eead20d1
Instruction Fuzzy Hash: 5011BF21A50269B9E720E3A2DC4EDFB6A7CFBD2B40F0804297821E20D5EEB40944C5B0

Function 00849F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0084A012
SetKeyboardState.USER32(?), ref: 0084A07D
GetAsyncKeyState.USER32(000000A0), ref: 0084A09D
GetKeyState.USER32(000000A0), ref: 0084A0B4
GetAsyncKeyState.USER32(000000A1), ref: 0084A0E3
GetKeyState.USER32(000000A1), ref: 0084A0F4
GetAsyncKeyState.USER32(00000011), ref: 0084A120
GetKeyState.USER32(00000011), ref: 0084A12E
GetAsyncKeyState.USER32(00000012), ref: 0084A157
GetKeyState.USER32(00000012), ref: 0084A165
GetAsyncKeyState.USER32(0000005B), ref: 0084A18E
GetKeyState.USER32(0000005B), ref: 0084A19C

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: eca64f135a93c597954f01e7670df7dfdde90d4436f7e72728af000dc5b0bac6
Instruction ID: b55e3af94791083987f141e7cb0afd2744095eb800c4e83ae63c4ab15a7f70a3
Opcode Fuzzy Hash: eca64f135a93c597954f01e7670df7dfdde90d4436f7e72728af000dc5b0bac6
Instruction Fuzzy Hash: F951B62054478C29FB39DBA488547ABBFB5FF11380F084599D5C2DB1C2DA949A8CC763

Function 00845CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00845CE2
GetWindowRect.USER32(00000000,?), ref: 00845CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00845D59
GetDlgItem.USER32(?,00000002), ref: 00845D69
GetWindowRect.USER32(00000000,?), ref: 00845D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00845DCF
GetDlgItem.USER32(?,000003E9), ref: 00845DDD
GetWindowRect.USER32(00000000,?), ref: 00845DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00845E31
GetDlgItem.USER32(?,000003EA), ref: 00845E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00845E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00845E67

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 7d4e3ba3c6fb48b82a0af4d26fddc9d760e5bda520bbc94a48734df65b1dc171
Instruction ID: be2dd80571847d403393bf4db8d5f15278711de09d2b984838e0eeaeb535399d
Opcode Fuzzy Hash: 7d4e3ba3c6fb48b82a0af4d26fddc9d760e5bda520bbc94a48734df65b1dc171
Instruction Fuzzy Hash: 24510C71A00609AFDB18CF68DD89AAEBBB5FF48300F54812DF519E7295D770AE44CB50

Function 007F8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 007F8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,007F8BE8,?,00000000,?,?,?,?,007F8BBA,00000000,?), ref: 007F8FC5

DestroyWindow.USER32(?), ref: 007F8C81
KillTimer.USER32(00000000,?,?,?,?,007F8BBA,00000000,?), ref: 007F8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00836973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,007F8BBA,00000000,?), ref: 008369A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,007F8BBA,00000000,?), ref: 008369B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,007F8BBA,00000000), ref: 008369D4
DeleteObject.GDI32(00000000), ref: 008369E6

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 380329afc88cb2e9353496f6ff9bcc4f62ba0b50d56b276a6c431841fd943946
Instruction ID: db0ea710d718e057bff8e802e8ae8dde778a7d1398de99abd32e83e08fa11ab9
Opcode Fuzzy Hash: 380329afc88cb2e9353496f6ff9bcc4f62ba0b50d56b276a6c431841fd943946
Instruction Fuzzy Hash: 0D61A030101618EFDB659F18D95CB36BBF1FB40312F54865CE1469B760CB39A9A0CFA2

Function 007F9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 007F9944: GetWindowLongW.USER32(?,000000EB), ref: 007F9952

GetSysColor.USER32(0000000F), ref: 007F9862

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: b925dc681f7f9cae5d5ce5f8ca37009cdd8bf657f97beae06f73c2ee0889e1dd
Instruction ID: 74bb0062c253cc07963a20cf9205eec14a3368679e0a1ccf5f5f968ce7551474
Opcode Fuzzy Hash: b925dc681f7f9cae5d5ce5f8ca37009cdd8bf657f97beae06f73c2ee0889e1dd
Instruction Fuzzy Hash: A741AF31104648AFDB309F389C88BB93BA5FB46370F544619FBA68B2E5D735D981DB20

Function 008496E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0082F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00849717
LoadStringW.USER32(00000000,?,0082F7F8,00000001), ref: 00849720

Part of subcall function 007E9CB3: _wcslen.LIBCMT ref: 007E9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0082F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00849742
LoadStringW.USER32(00000000,?,0082F7F8,00000001), ref: 00849745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00849866

Strings

Error: , xrefs: 0084981D
%s (%d) : ==> %s: %s %s, xrefs: 0084984A
^ ERROR, xrefs: 008497FB
Line %d (File "%s"):, xrefs: 0084978F
Line %d:, xrefs: 008497A0

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: d0dbbdc3619b74991e94cd00ea578b783de8283542bd8b22085aef07cc324743
Instruction ID: abd9943294cfeea549fbebb99ac597fef703e0ad54e7b2f4df757c60bac684e7
Opcode Fuzzy Hash: d0dbbdc3619b74991e94cd00ea578b783de8283542bd8b22085aef07cc324743
Instruction Fuzzy Hash: 2241517280125DAADF14EBE5CD4ADEEB778FF59340F600025F605B2192EA396F48CB61

Function 008406DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 007E6B57: _wcslen.LIBCMT ref: 007E6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008407A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008407BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 008407DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00840804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0084082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00840837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0084083C

Strings

\CLSID, xrefs: 00840724
SOFTWARE\Classes\, xrefs: 0084070E
\IPC$, xrefs: 00840784

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: db6e3b19c04609c817820d0b5cc00b607e7ad80799db0d44605863c513e36326
Instruction ID: 22b1ea62efeaacbf50afa58f660a9473979ccb0cd9d7149f46d2aa46281142e6
Opcode Fuzzy Hash: db6e3b19c04609c817820d0b5cc00b607e7ad80799db0d44605863c513e36326
Instruction Fuzzy Hash: 96410772C11229EBDF11EBA4DC89CEEB778FF48350B144129E915A7161EB34AE44CFA0

Function 00873F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0087403B
CreateCompatibleDC.GDI32(00000000), ref: 00874042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00874055
SelectObject.GDI32(00000000,00000000), ref: 0087405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00874068
DeleteDC.GDI32(00000000), ref: 00874072
GetWindowLongW.USER32(?,000000EC), ref: 0087407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00874092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 0087409E

Strings

static, xrefs: 00873FD3

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 0e44ea76fc2141125bea1b5d8d7f4484c336d9152908642078922edeb3c4f1f5
Instruction ID: bce870355acab4ae2356a824ff0ebdf0f95f67505bc1c7959ccb9b89cfd989ad
Opcode Fuzzy Hash: 0e44ea76fc2141125bea1b5d8d7f4484c336d9152908642078922edeb3c4f1f5
Instruction Fuzzy Hash: 8B318E32101219EBDF219FA8CC48FDA3B68FF0D764F104214FA29E61A4C775D890DB60

Function 00863C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00863C5C
CoInitialize.OLE32(00000000), ref: 00863C8A
CoUninitialize.OLE32 ref: 00863C94
_wcslen.LIBCMT ref: 00863D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00863DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00863ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00863F0E
CoGetObject.OLE32(?,00000000,0087FB98,?), ref: 00863F2D
SetErrorMode.KERNEL32(00000000), ref: 00863F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00863FC4
VariantClear.OLEAUT32(?), ref: 00863FD8

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: a23c7695a2b87371d690a3a125ea2ef754bbaf5675f5d4323b49bfeac8498181
Instruction ID: d5127f8f4799599f0d0f85313f76c8d52ec0e60db721c968fb3b6e1ae17b72c7
Opcode Fuzzy Hash: a23c7695a2b87371d690a3a125ea2ef754bbaf5675f5d4323b49bfeac8498181
Instruction Fuzzy Hash: CFC13571608205AFC700DF68C88492BB7E9FF89748F15491DF98ADB251DB31EE45CB52

Function 00857A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00857AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00857B8F
SHGetDesktopFolder.SHELL32(?), ref: 00857BA3
CoCreateInstance.OLE32(0087FD08,00000000,00000001,008A6E6C,?), ref: 00857BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00857C74
CoTaskMemFree.OLE32(?,?), ref: 00857CCC
SHBrowseForFolderW.SHELL32(?), ref: 00857D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00857D7A
CoTaskMemFree.OLE32(00000000), ref: 00857D81
CoTaskMemFree.OLE32(00000000), ref: 00857DD6
CoUninitialize.OLE32 ref: 00857DDC

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 0492fa42424d1c5ad11791e1227e0b43b3e58976bcf37c69f8222ae8e22c0b46
Instruction ID: da9636d4b332ac0a3b4ed1facaba2ed7ae5d038c45a8eec3d9453ca061dd05fd
Opcode Fuzzy Hash: 0492fa42424d1c5ad11791e1227e0b43b3e58976bcf37c69f8222ae8e22c0b46
Instruction Fuzzy Hash: CEC12A75A04109EFCB14DFA4D888DAEBBB9FF48315B1484A8E91ADB361D730ED45CB90

Function 0087541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00875504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00875515
CharNextW.USER32(00000158), ref: 00875544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00875585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0087559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008755AC

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 300d16a65dcefc4fb17b0956af35f5d9c0ad0d0a84b70b9a6bad837bab336559
Instruction ID: 2096cef42e93bf5a2aae6bdeb6a418c6b621543f95a304b99c94e595911181f4
Opcode Fuzzy Hash: 300d16a65dcefc4fb17b0956af35f5d9c0ad0d0a84b70b9a6bad837bab336559
Instruction Fuzzy Hash: 3E618E70904608ABDF108F54DC88AFE7BB9FB15764F108149F629EB298D7B4DA80DB61

Function 0083FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0083FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0083FB08
VariantInit.OLEAUT32(?), ref: 0083FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0083FB3A
VariantCopy.OLEAUT32(?,?), ref: 0083FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0083FBA1
VariantClear.OLEAUT32(?), ref: 0083FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0083FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0083FBCC
VariantClear.OLEAUT32(?), ref: 0083FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0083FBE9

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 2151c5544a4fe555419dc84f064502f0c0a3d02d3107361d0a44066145827268
Instruction ID: 7031c28a2cdf10e55eb56b8bf544d1250cca90247703006627bb853fedeb701d
Opcode Fuzzy Hash: 2151c5544a4fe555419dc84f064502f0c0a3d02d3107361d0a44066145827268
Instruction Fuzzy Hash: 0E412E75E002199FCB00DF68D8589AEBBB9FF48354F008069E955E7261D734E945CFE0

Function 00849C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00849CA1
GetAsyncKeyState.USER32(000000A0), ref: 00849D22
GetKeyState.USER32(000000A0), ref: 00849D3D
GetAsyncKeyState.USER32(000000A1), ref: 00849D57
GetKeyState.USER32(000000A1), ref: 00849D6C
GetAsyncKeyState.USER32(00000011), ref: 00849D84
GetKeyState.USER32(00000011), ref: 00849D96
GetAsyncKeyState.USER32(00000012), ref: 00849DAE
GetKeyState.USER32(00000012), ref: 00849DC0
GetAsyncKeyState.USER32(0000005B), ref: 00849DD8
GetKeyState.USER32(0000005B), ref: 00849DEA

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 70cb10166f9488bf001f75bae4b2745093ec604f13dba9021d2d068b36c76836
Instruction ID: b0dbf9a36778365c0db296c8fceb112a28d12a44b24e4ebcdffda62421060418
Opcode Fuzzy Hash: 70cb10166f9488bf001f75bae4b2745093ec604f13dba9021d2d068b36c76836
Instruction Fuzzy Hash: 8C4195349047CD6DFF319A6488447B7BEA0FB11344F04819EDAC6975C2EBA599C8C7A2

Function 0086055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 008605BC
inet_addr.WSOCK32(?), ref: 0086061C
gethostbyname.WSOCK32(?), ref: 00860628
IcmpCreateFile.IPHLPAPI ref: 00860636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 008606C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 008606E5
IcmpCloseHandle.IPHLPAPI(?), ref: 008607B9
WSACleanup.WSOCK32 ref: 008607BF

Strings

Ping, xrefs: 00860676

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 9ca1221492d63dee93f6a0dc501411f379083a64011ad6bba91e4ed791989233
Instruction ID: 5f9123c014a7731ccd0e95d874a0ff511ce8747d3cd1cf07334c5739d712ca89
Opcode Fuzzy Hash: 9ca1221492d63dee93f6a0dc501411f379083a64011ad6bba91e4ed791989233
Instruction Fuzzy Hash: A5917C356042419FD320CF15D889F1ABBE0FF48318F1585A9E46ADB6A2CB35ED45CF91

Function 00868CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00868CF3

Part of subcall function 00848E54: _wcslen.LIBCMT ref: 00848E77

_wcslen.LIBCMT ref: 00868D4E
_wcslen.LIBCMT ref: 00868D9C
_wcslen.LIBCMT ref: 00868DDC
_wcslen.LIBCMT ref: 00868E6E

Strings

none, xrefs: 00868E65, 00868E6A
winapi, xrefs: 00868D96, 00868D9B
cdecl, xrefs: 00868D48, 00868D4D
stdcall, xrefs: 00868DD6, 00868DDB

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 168edcbc47e3f437c5796cb68692aadf202aac3f9dd8cd32f28ac8712385f248
Instruction ID: b6a65c72afc51014d98b34e67c9d34fa4eb5fcfaac411145b10a8e528533169d
Opcode Fuzzy Hash: 168edcbc47e3f437c5796cb68692aadf202aac3f9dd8cd32f28ac8712385f248
Instruction Fuzzy Hash: 54519072A00116DBCB24DF6CC9509BEB7A5FF64324B224329E92AE72C4DB35DD40C790

Function 0086372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00863774
CoUninitialize.OLE32 ref: 0086377F
CoCreateInstance.OLE32(?,00000000,00000017,0087FB78,?), ref: 008637D9
IIDFromString.OLE32(?,?), ref: 0086384C
VariantInit.OLEAUT32(?), ref: 008638E4
VariantClear.OLEAUT32(?), ref: 00863936

Strings

Failed to create object, xrefs: 008637E4, 0086389A
Invalid parameter, xrefs: 00863865
NULL Pointer assignment, xrefs: 0086381E

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 1f25abca384a683be7e837edc0d89f94222aaa41179a5a8286dba2473eaa579f
Instruction ID: 44edbb7bb248f154dbab9924ff26c117f3339e0126f891c6f9c47810ae5a43d5
Opcode Fuzzy Hash: 1f25abca384a683be7e837edc0d89f94222aaa41179a5a8286dba2473eaa579f
Instruction Fuzzy Hash: 84618A71608301AFD310DF64D889BAABBE8FF49714F110829F985DB291D774EE48CB92

Function 00853388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 008533CF

Part of subcall function 007E9CB3: _wcslen.LIBCMT ref: 007E9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 008533F0

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00853504
"%s" (%d) : ==> %s:, xrefs: 00853522
^ ERROR , xrefs: 0085349E
Error: , xrefs: 008534D1
Line %d (File "%s"):, xrefs: 00853443, 0085345C
Incorrect parameters to object property !, xrefs: 008534AB

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 519ecc73ce489ec113d3399761bb219145ae4b279656d18b42a81763f808948f
Instruction ID: da680b3f5e02a5c78048244d18ea918ac1100ea0a158d9c61e579feac456206a
Opcode Fuzzy Hash: 519ecc73ce489ec113d3399761bb219145ae4b279656d18b42a81763f808948f
Instruction Fuzzy Hash: B151B432801149EADF15EBA1CD4AEEEB778FF18340F244165F505B2162EB396F58CB61

Function 0084B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0084B5FC
_wcslen.LIBCMT ref: 0084B608
_wcslen.LIBCMT ref: 0084B64D
_wcslen.LIBCMT ref: 0084B68C
_wcslen.LIBCMT ref: 0084B6C7

Strings

REMOVE, xrefs: 0084B602, 0084B607
EXISTS, xrefs: 0084B686, 0084B68B
KEYS, xrefs: 0084B647, 0084B64C
APPEND, xrefs: 0084B6C1, 0084B6C6

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: af83f8e3a790c3426455acb1ea411b47aba242d52de86d3dd67224130cb4f442
Instruction ID: 532a7d8c2a87a9ac9850d7016b6aab6c94cdd8b19c35e4583b31afae134bc834
Opcode Fuzzy Hash: af83f8e3a790c3426455acb1ea411b47aba242d52de86d3dd67224130cb4f442
Instruction Fuzzy Hash: 4A41D632A0112A9BCB209F7DCC905BE77A5FFB1754B264229E921DB294F735CD81C790

Function 00855393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008553A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00855416
GetLastError.KERNEL32 ref: 00855420
SetErrorMode.KERNEL32(00000000,READY), ref: 008554A7

Strings

READY, xrefs: 00855460, 00855468
NOTREADY, xrefs: 0085544B
READONLY, xrefs: 00855452
UNKNOWN, xrefs: 00855444
INVALID, xrefs: 00855459

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: de3b59ef482041cb9c52bc3b7a88ba401519a54caec9839fe2e5ac77b785168e
Instruction ID: d070c48cd0192075aab4163d737d9836e6a6cb7bd086ee6c0d77edc67a6fa988
Opcode Fuzzy Hash: de3b59ef482041cb9c52bc3b7a88ba401519a54caec9839fe2e5ac77b785168e
Instruction Fuzzy Hash: 0D31EA75A00504DFDB10DF68C498BA97BB4FF0530AF548069E905DF292E775DD8ACB90

Function 00873C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00873C79
SetMenu.USER32(?,00000000), ref: 00873C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00873D10
IsMenu.USER32(?), ref: 00873D24
CreatePopupMenu.USER32 ref: 00873D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00873D5B
DrawMenuBar.USER32 ref: 00873D63

Strings

0, xrefs: 00873C54
F, xrefs: 00873D4E

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 1f635f5016cf0d8d7b7247d5b28ed04599ae737366f682b0077bd75dc9b3065e
Instruction ID: 5063e996d541cf571c21a019d98b7be9b6c43efb16994608f67a05dd6bdc0404
Opcode Fuzzy Hash: 1f635f5016cf0d8d7b7247d5b28ed04599ae737366f682b0077bd75dc9b3065e
Instruction Fuzzy Hash: 51416875A01209EFDB24CF64D848AAABBB5FF49350F18402CE94AE7360D771EA10DB91

Function 00841EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007E9CB3: _wcslen.LIBCMT ref: 007E9CBD

Part of subcall function 00843CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00843CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00841F64
GetDlgCtrlID.USER32 ref: 00841F6F
GetParent.USER32 ref: 00841F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00841F8E
GetDlgCtrlID.USER32(?), ref: 00841F97
GetParent.USER32(?), ref: 00841FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00841FAE

Strings

ComboBox, xrefs: 00841EEC
ListBox, xrefs: 00841F21

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 0a6911810b02d4419739a46a684b7628ea9caea3b165459bb3c59d8ee62f9f3c
Instruction ID: e120f58b011efb06826bc6ce176216d72ac3289757c13ab64cf5334022092ea0
Opcode Fuzzy Hash: 0a6911810b02d4419739a46a684b7628ea9caea3b165459bb3c59d8ee62f9f3c
Instruction Fuzzy Hash: D921DA71900218BBCF04AFA0CC89DEEBBB4FF25310F100119F965A72A1DB399949DB70

Function 00841FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007E9CB3: _wcslen.LIBCMT ref: 007E9CBD

Part of subcall function 00843CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00843CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00842043
GetDlgCtrlID.USER32 ref: 0084204E
GetParent.USER32 ref: 0084206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0084206D
GetDlgCtrlID.USER32(?), ref: 00842076
GetParent.USER32(?), ref: 0084208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0084208D

Strings

ComboBox, xrefs: 00841FCD
ListBox, xrefs: 00842002

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 49b83b79f4aef1c293376a95f1fbe7e9fa8b543f5ea32c362644273183b9516f
Instruction ID: a59b58523d565cf2c26272697d1b09009cfda79103bf1439df6dfdf1549fbc7e
Opcode Fuzzy Hash: 49b83b79f4aef1c293376a95f1fbe7e9fa8b543f5ea32c362644273183b9516f
Instruction Fuzzy Hash: 6021D171900218BBDF10AFA0CC89EEEBBB8FF29340F500449B955A72A1DB798955DB60

Function 00873A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00873A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00873AA0
GetWindowLongW.USER32(?,000000F0), ref: 00873AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00873AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00873B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00873BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00873BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00873BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00873BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00873C13

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 6e06423a92627f33ce90aedeb75d2d53ceb42980e241e5dbcd4c659252a9fbf6
Instruction ID: e4e10b65c191c3328755e3f8f6376b89330075b9513e7d847bc2e28533e19673
Opcode Fuzzy Hash: 6e06423a92627f33ce90aedeb75d2d53ceb42980e241e5dbcd4c659252a9fbf6
Instruction Fuzzy Hash: 68619A71A00248AFDB11DFA8CC85EEE77B8FB49710F104199FA19EB2A1C770AE41DB51

Function 0084B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0084B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0084A1E1,?,00000001), ref: 0084B165
GetWindowThreadProcessId.USER32(00000000), ref: 0084B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0084A1E1,?,00000001), ref: 0084B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0084B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0084A1E1,?,00000001), ref: 0084B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0084A1E1,?,00000001), ref: 0084B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0084A1E1,?,00000001), ref: 0084B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0084A1E1,?,00000001), ref: 0084B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0084A1E1,?,00000001), ref: 0084B21D

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: de63e475788bf3e423e91e75417544c12d43deda883343b685b918295876489e
Instruction ID: 0c26e87fd69379f6c62df87fb7ee2c090267fdc82db08723f5c4e484b0c0e012
Opcode Fuzzy Hash: de63e475788bf3e423e91e75417544c12d43deda883343b685b918295876489e
Instruction Fuzzy Hash: DF3187B154061CAFDB20AF64DC88BAE7BA9FF61311F104119FA09D71A0D7B4DA828F64

Function 00812C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00812C94

Part of subcall function 008129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0081D7D1,00000000,00000000,00000000,00000000,?,0081D7F8,00000000,00000007,00000000,?,0081DBF5,00000000), ref: 008129DE
Part of subcall function 008129C8: GetLastError.KERNEL32(00000000,?,0081D7D1,00000000,00000000,00000000,00000000,?,0081D7F8,00000000,00000007,00000000,?,0081DBF5,00000000,00000000), ref: 008129F0

_free.LIBCMT ref: 00812CA0
_free.LIBCMT ref: 00812CAB
_free.LIBCMT ref: 00812CB6
_free.LIBCMT ref: 00812CC1
_free.LIBCMT ref: 00812CCC
_free.LIBCMT ref: 00812CD7
_free.LIBCMT ref: 00812CE2
_free.LIBCMT ref: 00812CED
_free.LIBCMT ref: 00812CFB

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a7f055f88f25263e4bddfa15c1c66e68fe413d24ed8ec485edfe8e4c4a5ea0cc
Instruction ID: d21cda204ad00c7e9b34bbac0bf1a748988038753dd8cad37f1c16b5fdff2bc0
Opcode Fuzzy Hash: a7f055f88f25263e4bddfa15c1c66e68fe413d24ed8ec485edfe8e4c4a5ea0cc
Instruction Fuzzy Hash: 7D116676500108AFCB02EF58D942DDD3FA9FF05360F5145A5FA489F222DA31EAA09B91

Function 00857DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00857FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00857FC1
GetFileAttributesW.KERNEL32(?), ref: 00857FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00858005
SetCurrentDirectoryW.KERNEL32(?), ref: 00858017
SetCurrentDirectoryW.KERNEL32(?), ref: 00858060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 008580B0

Strings

*.*, xrefs: 00858066

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: f68bc37c621e0283baead669f5b470544924167d79050643d1c9cc99c224c3e1
Instruction ID: 6afa0487fcf1f3ebfa8b1094ec946433f447f98c6d48d226b850887433636ff7
Opcode Fuzzy Hash: f68bc37c621e0283baead669f5b470544924167d79050643d1c9cc99c224c3e1
Instruction Fuzzy Hash: 47818E72508345DBCB20EF15D8469AAB3E8FF88716F14886EFC89D7250EB34DD498B52

Function 007E5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 007E5C7A

Part of subcall function 007E5D0A: GetClientRect.USER32(?,?), ref: 007E5D30
Part of subcall function 007E5D0A: GetWindowRect.USER32(?,?), ref: 007E5D71
Part of subcall function 007E5D0A: ScreenToClient.USER32(?,?), ref: 007E5D99

GetDC.USER32 ref: 008246F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00824708
SelectObject.GDI32(00000000,00000000), ref: 00824716
SelectObject.GDI32(00000000,00000000), ref: 0082472B
ReleaseDC.USER32(?,00000000), ref: 00824733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 008247C4

Strings

U, xrefs: 00824693

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 851b563160308550cd8d1a6282dbab177e11d19543498a01dde318edddb40d63
Instruction ID: 662ee1b2c71f8cf492083ccfffa9cd9f1590fd8153edbfa9d0cf79e42167adf5
Opcode Fuzzy Hash: 851b563160308550cd8d1a6282dbab177e11d19543498a01dde318edddb40d63
Instruction Fuzzy Hash: 71710231500209DFCF218F64D984ABA3BB1FF4A314F245269ED659A1AAC731C8C1DF70

Function 0085359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 008535E4

Part of subcall function 007E9CB3: _wcslen.LIBCMT ref: 007E9CBD

LoadStringW.USER32(008B2390,?,00000FFF,?), ref: 0085360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00853724
"%s" (%d) : ==> %s:, xrefs: 00853742
Error: , xrefs: 008536EF
^ ERROR, xrefs: 008536C9
Line %d (File "%s"):, xrefs: 0085366B

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: de43822810effca18c885bff463baf17a73c54233edf4c717b0fb8efeb5dc4f1
Instruction ID: 8244531e8cb46e6c7c2c31a41bc9fbd3bf2dec243c8d146c356059f4766da9b3
Opcode Fuzzy Hash: de43822810effca18c885bff463baf17a73c54233edf4c717b0fb8efeb5dc4f1
Instruction Fuzzy Hash: 6B518F72C01249FADF15EBA1CC4AEEEBB78FF18341F544125F505B21A1EB342A98DB61

Function 0085C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0085C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0085C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0085C2CA
GetLastError.KERNEL32 ref: 0085C322
SetEvent.KERNEL32(?), ref: 0085C336
InternetCloseHandle.WININET(00000000), ref: 0085C341

Strings

, xrefs: 0085C2BB

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: ea896331ab46883f44eba524815dc69886cf14b5f711cb4fb826e1bb8b277958
Instruction ID: 5b159b829186fa4974fda6abd19d8685df7aa3b28a6a88c56904c92efa0ba8e3
Opcode Fuzzy Hash: ea896331ab46883f44eba524815dc69886cf14b5f711cb4fb826e1bb8b277958
Instruction Fuzzy Hash: 71315CB1500708AFD7219F688C88AAB7AFCFB49785F10851DA84AD3211DB70D9489F61

Function 0084989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00823AAF,?,?,Bad directive syntax error,0087CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 008498BC
LoadStringW.USER32(00000000,?,00823AAF,?), ref: 008498C3

Part of subcall function 007E9CB3: _wcslen.LIBCMT ref: 007E9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00849987

Strings

Error: , xrefs: 00849955
., xrefs: 0084996D
Line %d (File "%s"):, xrefs: 0084992D
%s (%d) : ==> %s.: %s %s, xrefs: 008498F1
Line %d:, xrefs: 00849912

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: d6b986f930422c5fc5732fcabfe4d6abc30094265f2afc71bdec0233d82a2f79
Instruction ID: 4212b5370a0e47581d40e62c84bedb61181ebe5277569445a5efeb4d88413d7c
Opcode Fuzzy Hash: d6b986f930422c5fc5732fcabfe4d6abc30094265f2afc71bdec0233d82a2f79
Instruction Fuzzy Hash: 7C21963280025DEBDF15AF90CC0EEEE7B35FF18304F044459F529A61A1EB759658CB21

Function 0084209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 008420AB
GetClassNameW.USER32(00000000,?,00000100), ref: 008420C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0084214D

Strings

largeicons, xrefs: 008420E1
smallicons, xrefs: 00842115
details, xrefs: 008420FB
list, xrefs: 0084212F
SHELLDLL_DefView, xrefs: 008420CC

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 92a86d98dac852c53dc851e8f8465ca5db5292ec9fb3b3f697d64a4bc7ce8aa1
Instruction ID: 42bbaa94beb15060eb5626292530a0c759b2a019e68bd24ad326026be73f0a13
Opcode Fuzzy Hash: 92a86d98dac852c53dc851e8f8465ca5db5292ec9fb3b3f697d64a4bc7ce8aa1
Instruction Fuzzy Hash: 8911367A2CC70EB9F6012228DC0BDE6739CFB15725B60001AFB04E50D2FBA9B8825624

Function 00818D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a144290f4e106d4f175ed8c0e6bf0eaff8896fecda8a831069a684eaf603e7f
Instruction ID: 313529e7fd8e67676bf220023076fbd040f0f3058fa7a113c4d08d0fba1f7604
Opcode Fuzzy Hash: 1a144290f4e106d4f175ed8c0e6bf0eaff8896fecda8a831069a684eaf603e7f
Instruction Fuzzy Hash: 35C1C274A04249DFDB219FACD855BEDBBB8FF09310F144199E554E7392CB309982CB61

Function 0081CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0081CEB7
_free.LIBCMT ref: 0081CF22
_free.LIBCMT ref: 0081CF48
_free.LIBCMT ref: 0081CF71
_free.LIBCMT ref: 0081CFA9
_free.LIBCMT ref: 0081CFDA
_free.LIBCMT ref: 0081D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0081D09C
_free.LIBCMT ref: 0081D0B5

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: a4b53a825163773488bebd6bc83920db1f2b6cab2082c06c5721312c3fd81a3e
Instruction ID: 6e34eb480bc47ebf943aa966f02e650446cd90c2d66be068f4977040bbf8a922
Opcode Fuzzy Hash: a4b53a825163773488bebd6bc83920db1f2b6cab2082c06c5721312c3fd81a3e
Instruction Fuzzy Hash: 12611671944314AFDB21AFB89881BEA7BADFF05320F04426DF944D7282DB7199C2D791

Function 008750D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00875186
ShowWindow.USER32(?,00000000), ref: 008751C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 008751CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 008751D1

Part of subcall function 00876FBA: DeleteObject.GDI32(00000000), ref: 00876FE6

GetWindowLongW.USER32(?,000000F0), ref: 0087520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0087521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0087524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00875287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00875296

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 8d85e7f81cc4f2afbceb3dbc6811c250345fbb8610cf62c0e940681eb6daab76
Instruction ID: a5d453b1c60528d18517e15db172845336b3328f5b476f35a223bdd1e69a89c0
Opcode Fuzzy Hash: 8d85e7f81cc4f2afbceb3dbc6811c250345fbb8610cf62c0e940681eb6daab76
Instruction Fuzzy Hash: E951B130A50A08FEEF209F24CC49B983B61FB05326F54C115FA2DD62E9CBB5E980DB51

Function 007F8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00836890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 008368A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 008368B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 008368D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 008368F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,007F8874,00000000,00000000,00000000,000000FF,00000000), ref: 00836901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0083691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,007F8874,00000000,00000000,00000000,000000FF,00000000), ref: 0083692D

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 91889cc3db8af290ae466a9608e92d31d9840d70ff4f03335c23b568ff918aae
Instruction ID: cce3c75a54a4b013897408945d1f0fbc80254270dd5c51cd1fad8836af35cadb
Opcode Fuzzy Hash: 91889cc3db8af290ae466a9608e92d31d9840d70ff4f03335c23b568ff918aae
Instruction Fuzzy Hash: 77514EB0600209EFDB20CF29CC59BAA7BB5FB58750F10451CFA56D72A0DB75E990DB50

Function 0085C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0085C182
GetLastError.KERNEL32 ref: 0085C195
SetEvent.KERNEL32(?), ref: 0085C1A9

Part of subcall function 0085C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0085C272
Part of subcall function 0085C253: GetLastError.KERNEL32 ref: 0085C322
Part of subcall function 0085C253: SetEvent.KERNEL32(?), ref: 0085C336
Part of subcall function 0085C253: InternetCloseHandle.WININET(00000000), ref: 0085C341

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: dfffc4999d4dc79ffbd45acb09dd447afd3398c411f922e3ceff251520119ef1
Instruction ID: 0a561eb570e7630138edf4a5fdf4ac15fc16ce114429376aff7fc1bff5358a8b
Opcode Fuzzy Hash: dfffc4999d4dc79ffbd45acb09dd447afd3398c411f922e3ceff251520119ef1
Instruction Fuzzy Hash: CC317A75200B05AFDB219FA9DC48A66BBE9FF18342F00441DF95AC7615DB30E8589FA0

Function 008425A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00843A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00843A57
Part of subcall function 00843A3D: GetCurrentThreadId.KERNEL32 ref: 00843A5E
Part of subcall function 00843A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008425B3), ref: 00843A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 008425BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 008425DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 008425DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 008425E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00842601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00842605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0084260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00842623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00842627

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: ba5d13290677cd1b96524843e1aab16a539fa1f744b8e35f7e237df841a38623
Instruction ID: aa2b3f4ce52098c7e792bca476eebc9b64243c45a4374d755309b7bbea397aa2
Opcode Fuzzy Hash: ba5d13290677cd1b96524843e1aab16a539fa1f744b8e35f7e237df841a38623
Instruction Fuzzy Hash: 2E01B530394624BBFB1067689C8EF593E59EB5AB11F510019F318EF0D5C9E15484CA6A

Function 00841803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00841449,?,?,00000000), ref: 0084180C
HeapAlloc.KERNEL32(00000000,?,00841449,?,?,00000000), ref: 00841813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00841449,?,?,00000000), ref: 00841828
GetCurrentProcess.KERNEL32(?,00000000,?,00841449,?,?,00000000), ref: 00841830
DuplicateHandle.KERNEL32(00000000,?,00841449,?,?,00000000), ref: 00841833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00841449,?,?,00000000), ref: 00841843
GetCurrentProcess.KERNEL32(00841449,00000000,?,00841449,?,?,00000000), ref: 0084184B
DuplicateHandle.KERNEL32(00000000,?,00841449,?,?,00000000), ref: 0084184E
CreateThread.KERNEL32(00000000,00000000,00841874,00000000,00000000,00000000), ref: 00841868

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: f4f151e1798a9d35bb0918f72daa59dd81d9233496e4c671d5f8b07b88abf991
Instruction ID: ef0c7813580624792f8a01a7c0af3f15a295e5390751c00a6e8d1500cdce2474
Opcode Fuzzy Hash: f4f151e1798a9d35bb0918f72daa59dd81d9233496e4c671d5f8b07b88abf991
Instruction Fuzzy Hash: 0E01A8B5240308BFE610ABA5DC4DF6B7BACFB89B11F404425FA09DB2A5CA74D8408B30

Function 0086A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0084D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0084D501
Part of subcall function 0084D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0084D50F
Part of subcall function 0084D4DC: CloseHandle.KERNELBASE(00000000), ref: 0084D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0086A16D
GetLastError.KERNEL32 ref: 0086A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0086A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0086A268
GetLastError.KERNEL32(00000000), ref: 0086A273
CloseHandle.KERNEL32(00000000), ref: 0086A2C4

Strings

SeDebugPrivilege, xrefs: 0086A18F

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: c96452427327ef59c5ea926022f47db0d2505c2a8849cf1dab92891d048d108d
Instruction ID: fa26f2bd8f954972ee74bd666b49734e18a7d2ff955d154c48504b65ebec1d43
Opcode Fuzzy Hash: c96452427327ef59c5ea926022f47db0d2505c2a8849cf1dab92891d048d108d
Instruction Fuzzy Hash: 50618B312042429FD724DF19C898F16BBA1FF54318F19849CE46A9B7A2C776EC85CB92

Function 00873886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00873925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0087393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00873954
_wcslen.LIBCMT ref: 00873999
SendMessageW.USER32(?,00001057,00000000,?), ref: 008739C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 008739F4

Strings

SysListView32, xrefs: 008738F7

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: d44dcc2acf2b50c9cc89a57719e700e984c33b125898afe7670401dbb2b1ea43
Instruction ID: 20170833b220a64a08139ef4a5bcebaaa813549cba754cfd2ad2c5021f65bab9
Opcode Fuzzy Hash: d44dcc2acf2b50c9cc89a57719e700e984c33b125898afe7670401dbb2b1ea43
Instruction Fuzzy Hash: FC41D071A00218ABEF219F64CC49FEA7BA9FF18354F10412AF95CE7285D771DA80DB91

Function 0084BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0084BCFD
IsMenu.USER32(00000000), ref: 0084BD1D
CreatePopupMenu.USER32 ref: 0084BD53
GetMenuItemCount.USER32(01995038), ref: 0084BDA4
InsertMenuItemW.USER32(01995038,?,00000001,00000030), ref: 0084BDCC

Strings

2, xrefs: 0084BD37
0, xrefs: 0084BCA8

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: ee2e72cebd9ecd93e721309679d7ab5aeba993e3405db9f5446200b153d2fe8c
Instruction ID: 2b559812b7b6c7ab99010c01a376306a2633bb940ed42271bf3e61ccf118dd34
Opcode Fuzzy Hash: ee2e72cebd9ecd93e721309679d7ab5aeba993e3405db9f5446200b153d2fe8c
Instruction Fuzzy Hash: C5519B70A0020D9BDF20CFA8D888BAEBBF8FF55354F1442A9E415EB290D770D945CB62

Function 0084C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0084C913

Strings

stop, xrefs: 0084C8E4
warning, xrefs: 0084C8FC
blank, xrefs: 0084C895
info, xrefs: 0084C8B4
question, xrefs: 0084C8CC

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 9c26ac506fa7ffc7ae042668fa82fddd263f770163518e6e6147b10fb61be43b
Instruction ID: 78dc0f261786025e33ab514703039d9b335f4c5134b8ec551177945f04b1accf
Opcode Fuzzy Hash: 9c26ac506fa7ffc7ae042668fa82fddd263f770163518e6e6147b10fb61be43b
Instruction Fuzzy Hash: 2211EB3278A31EBAF7456B589C83CAA6F9CFF15358B10002BF504E62C2EB789D405265

Function 0084DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0084DE42
gethostname.WSOCK32(?,00000100), ref: 0084DE5C
gethostbyname.WSOCK32(?), ref: 0084DE69
inet_ntoa.WSOCK32(?), ref: 0084DEAB
_strcat.LIBCMT ref: 0084DEB9
WSACleanup.WSOCK32 ref: 0084DEDE

Strings

0.0.0.0, xrefs: 0084DE87

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 5489a64fe030978678defebb4664b27a20e55307e7b6b9776fd80c6b720da53a
Instruction ID: 9ff3bb1f684a7eb0ac3c00c42ed21626c2629246752612c93eccf1f5a3868c9d
Opcode Fuzzy Hash: 5489a64fe030978678defebb4664b27a20e55307e7b6b9776fd80c6b720da53a
Instruction Fuzzy Hash: F511E17190420CABCB24AB68DC4AEEE77ACFF11711F0001BDF549EB091EF74CA818A61

Function 00879F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007F9BB2

GetSystemMetrics.USER32(0000000F), ref: 00879FC7
GetSystemMetrics.USER32(0000000F), ref: 00879FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0087A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0087A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0087A263
ShowWindow.USER32(00000003,00000000), ref: 0087A282
InvalidateRect.USER32(?,00000000,00000001), ref: 0087A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 0087A2CA

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 10b4ed1caf43a4f6e9fa02794e9fa933754c7cb501a26ae42d0cede84c3ef020
Instruction ID: f15a78cabcee11802d8908c67cbab81da887cdb9c3d40d9fdc4702bff04cbe27
Opcode Fuzzy Hash: 10b4ed1caf43a4f6e9fa02794e9fa933754c7cb501a26ae42d0cede84c3ef020
Instruction Fuzzy Hash: C0B15A31600215DBDF18CF68C9897AE7BB2FB84711F18C069EC49DB29ADB31E940CB61

Function 0084ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0084ED2A
_wcslen.LIBCMT ref: 0084ED3B
_wcslen.LIBCMT ref: 0084ED79
_wcslen.LIBCMT ref: 0084EDAF
_wcslen.LIBCMT ref: 0084EDDF
_wcslen.LIBCMT ref: 0084EDEF
_wcslen.LIBCMT ref: 0084EE2B
_wcslen.LIBCMT ref: 0084EE5A

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 6c12e9eeee9cd327ff02d9cf7ea488047a93fc07349b29ecf3c4ec669a6ff902
Instruction ID: 415d235074362f1b4fe0af84dd47a9330125db818b24630208d44ded965cfd12
Opcode Fuzzy Hash: 6c12e9eeee9cd327ff02d9cf7ea488047a93fc07349b29ecf3c4ec669a6ff902
Instruction Fuzzy Hash: 60413065C1021875CB51EBF88C8AACFB7A8FF45710F508566E918E3162FB34E265C3A6

Function 007FF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0083682C,00000004,00000000,00000000), ref: 007FF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0083682C,00000004,00000000,00000000), ref: 0083F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0083682C,00000004,00000000,00000000), ref: 0083F454

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 51ff83effd6c61de1ad26f16cc54602775b6b5d34ee5bc212c53ea0b4ff7ed70
Instruction ID: 85d2c17e8209184094eb0597b99c3ea8a932879e87e7f25a651b06478aa80ae8
Opcode Fuzzy Hash: 51ff83effd6c61de1ad26f16cc54602775b6b5d34ee5bc212c53ea0b4ff7ed70
Instruction Fuzzy Hash: 2D41C631608688FAC729DB29888C7367A91BF96314F54453DE247D6761CAB9B880CB91

Function 00872D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00872D1B
GetDC.USER32(00000000), ref: 00872D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00872D2E
ReleaseDC.USER32(00000000,00000000), ref: 00872D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00872D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00872D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00875A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00872DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00872DE1

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 06a28ee64fd8386bfcf5fe2993d7cf5d025c8138b3da8605041bac79a728bf58
Instruction ID: eaf1a2c89650aa0d7c2af99f58008c4b0af29473ba7b5224999051149afe19f7
Opcode Fuzzy Hash: 06a28ee64fd8386bfcf5fe2993d7cf5d025c8138b3da8605041bac79a728bf58
Instruction Fuzzy Hash: 4C317A72201214ABEB218F548C8AFEB3FA9FB19751F044059FE0CDA295C675D880CBA0

Function 00845622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00845637
_memcmp.LIBVCRUNTIME ref: 00845659
_memcmp.LIBVCRUNTIME ref: 00845671
_memcmp.LIBVCRUNTIME ref: 00845684
_memcmp.LIBVCRUNTIME ref: 0084569E
_memcmp.LIBVCRUNTIME ref: 008456B1
_memcmp.LIBVCRUNTIME ref: 008456C9
_memcmp.LIBVCRUNTIME ref: 008456E4

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 948f24c427670d11f7398e6f510c6b732b278ad255ab998690c6c819341bc27f
Instruction ID: 63c512c54e972cf32a3e1d351811f9488d167908bd60d05677ffc1054201324c
Opcode Fuzzy Hash: 948f24c427670d11f7398e6f510c6b732b278ad255ab998690c6c819341bc27f
Instruction Fuzzy Hash: F421D061641A1D7BD61456258E82FBE334CFF713A8B464020FE08DA787F728ED1185A6

Function 00864FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00865007
NULL Pointer assignment, xrefs: 0086502E, 00865383

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 5470067218553e82c3015a1f7875669564a8a3139d2959de1da05d3c1a9081a6
Instruction ID: bc97493e9b871ccd11dc08ece42cecdf8d791937e65d3dd5f9bf2f704e8ab20d
Opcode Fuzzy Hash: 5470067218553e82c3015a1f7875669564a8a3139d2959de1da05d3c1a9081a6
Instruction Fuzzy Hash: 5ED19C71A0060AAFDB10CFA8C891BAEB7B5FF49344F168069E915EB381E771DD45CB90

Function 00821522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 008215CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00821651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008216E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 008216FB

Part of subcall function 00813820: RtlAllocateHeap.NTDLL(00000000,?,008B1444,?,007FFDF5,?,?,007EA976,00000010,008B1440,007E13FC,?,007E13C6,?,007E1129), ref: 00813852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00821777
__freea.LIBCMT ref: 008217A2
__freea.LIBCMT ref: 008217AE

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 05ddc0a3f3fd0e5606ed63594a902941b1af3ee29ce15fa58385cfc16ea4b634
Instruction ID: efbe6ac748b1bd9d4437cea962b55afdee9d85ce9928ae2ffca30443c5342d22
Opcode Fuzzy Hash: 05ddc0a3f3fd0e5606ed63594a902941b1af3ee29ce15fa58385cfc16ea4b634
Instruction Fuzzy Hash: BF91C571E002269EDF208E64ED89AEE7BB5FFA5714F280569E805E7145DB35CDC0C7A0

Function 00864523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00864648
VariantInit.OLEAUT32(?), ref: 00864749
VariantClear.OLEAUT32(?), ref: 00864753
VariantClear.OLEAUT32(?), ref: 008647B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0086472C
Null Object assignment in FOR..IN loop, xrefs: 008645D8, 00864706, 008647BE

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: ffca61a2622a8a562b5cad9ec57c9939660f8c9d5bb143c7a5d8d4ef841f6eec
Instruction ID: dcaaeab07e9fa6a1f51cc583cd8e28e467a54ef01e225d0b63f8c554d337b6c7
Opcode Fuzzy Hash: ffca61a2622a8a562b5cad9ec57c9939660f8c9d5bb143c7a5d8d4ef841f6eec
Instruction Fuzzy Hash: E2918871A00219ABDF20CFA5CC88FAEBBB8FF46714F119559F516EB280D7709945CBA0

Function 00851187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0085125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00851284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 008512A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008512D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0085135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008513C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00851430

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 6326e47243f40eadcaf5daf40e0b865558be6f429803cd662b75215399a800fc
Instruction ID: 8c4d18d2379d0cda8275dd921a478574fd429b5650596d047a87a23701c33eb4
Opcode Fuzzy Hash: 6326e47243f40eadcaf5daf40e0b865558be6f429803cd662b75215399a800fc
Instruction Fuzzy Hash: 4391D271A00209AFDF00DF98C899BBEB7B6FF45316F104029E910E7291D778A949CB95

Function 007F948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 2dae5360d1d90f8138bd59ff2c041e56080ec5d91f8972e7de6b65ce69839a6a
Instruction ID: a19713b385aff9d156024d1c7950b65639b71964507cbbb16d40be4a39017beb
Opcode Fuzzy Hash: 2dae5360d1d90f8138bd59ff2c041e56080ec5d91f8972e7de6b65ce69839a6a
Instruction Fuzzy Hash: E8912771D04219EFCB14CFA9C888AEEBBB8FF49320F144459E615B7391D378A951CBA0

Function 00863947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0086396B
CharUpperBuffW.USER32(?,?), ref: 00863A7A
_wcslen.LIBCMT ref: 00863A8A
VariantClear.OLEAUT32(?), ref: 00863C1F

Part of subcall function 00850CDF: VariantInit.OLEAUT32(00000000), ref: 00850D1F
Part of subcall function 00850CDF: VariantCopy.OLEAUT32(?,?), ref: 00850D28
Part of subcall function 00850CDF: VariantClear.OLEAUT32(?), ref: 00850D34

Strings

Incorrect Parameter format, xrefs: 008639A6, 00863BA1
AUTOIT.ERROR, xrefs: 00863A80, 00863A85

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 8a6e2e350a93d5848cea7b55374a4559b92b2a9ce7e54880297d4fd8f535a39e
Instruction ID: b6905e7a17bfbdb4c49118b1e3db0e469041d9db721dd83968a2763bf20eec05
Opcode Fuzzy Hash: 8a6e2e350a93d5848cea7b55374a4559b92b2a9ce7e54880297d4fd8f535a39e
Instruction Fuzzy Hash: C4913F756083459FC704EF68C48492ABBE5FF89314F14882EF88A9B351DB30EE45CB92

Function 00864BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0084000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0083FF41,80070057,?,?,?,0084035E), ref: 0084002B
Part of subcall function 0084000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0083FF41,80070057,?,?), ref: 00840046
Part of subcall function 0084000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0083FF41,80070057,?,?), ref: 00840054
Part of subcall function 0084000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0083FF41,80070057,?), ref: 00840064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00864C51
_wcslen.LIBCMT ref: 00864D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00864DCF
CoTaskMemFree.OLE32(?), ref: 00864DDA

Strings

NULL Pointer assignment, xrefs: 00864E23, 00864E52

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 94225b4d63e8aa55242c02cd2464d380557af862a2b88559467745aea75c85c6
Instruction ID: 6cd1da9b4d9177b610af583534cf667de249044d6fba2499c254222432ee1bd0
Opcode Fuzzy Hash: 94225b4d63e8aa55242c02cd2464d380557af862a2b88559467745aea75c85c6
Instruction Fuzzy Hash: 89912571D0021DEFDF14DFA4C885AEEB7B9FF08310F108169E919AB251EB34AA448F61

Function 008720FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00872183
GetMenuItemCount.USER32(00000000), ref: 008721B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 008721DD
_wcslen.LIBCMT ref: 00872213
GetMenuItemID.USER32(?,?), ref: 0087224D
GetSubMenu.USER32(?,?), ref: 0087225B

Part of subcall function 00843A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00843A57
Part of subcall function 00843A3D: GetCurrentThreadId.KERNEL32 ref: 00843A5E
Part of subcall function 00843A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008425B3), ref: 00843A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 008722E3

Part of subcall function 0084E97B: Sleep.KERNEL32 ref: 0084E9F3

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 0a4e3e6fbaee0c56e552eeb398ca7a6099095049cc84bdb88ca5a573c37a9eca
Instruction ID: dc9999910237595b2141a7766e26e4c42915a652aa8c0a7b74c3da3bf3dbbb96
Opcode Fuzzy Hash: 0a4e3e6fbaee0c56e552eeb398ca7a6099095049cc84bdb88ca5a573c37a9eca
Instruction Fuzzy Hash: F9718175A00219EFCB10DF69C885AAEB7F5FF48310F148499E91AEB355DB34EE418B90

Function 00877E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(019951C8), ref: 00877F37
IsWindowEnabled.USER32(019951C8), ref: 00877F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0087801E
SendMessageW.USER32(019951C8,000000B0,?,?), ref: 00878051
IsDlgButtonChecked.USER32(?,?), ref: 00878089
GetWindowLongW.USER32(019951C8,000000EC), ref: 008780AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 008780C3

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 4cc3e26f8a8af76e807916baf284bdd841d8ea2ececdd3f3ea1a951d72f1dae1
Instruction ID: 79760e73f17b5c9715be829e337d232370985b505fd6106519c5f9973eb069ff
Opcode Fuzzy Hash: 4cc3e26f8a8af76e807916baf284bdd841d8ea2ececdd3f3ea1a951d72f1dae1
Instruction Fuzzy Hash: EC719C34608644EFEF21DF64C998FAABBB5FF19300F148459E949D7269CB31E884CB20

Function 0084AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0084AEF9
GetKeyboardState.USER32(?), ref: 0084AF0E
SetKeyboardState.USER32(?), ref: 0084AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0084AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0084AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0084AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0084B020

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d977ad0d4ef500abc643e22d1c104d7ad3a545b72cd0bc99bb738dc92e07cc4a
Instruction ID: 1d2f8890be79c85f34a3cdde0cb773c34cca3a89ee3afc004e384490e5339b4c
Opcode Fuzzy Hash: d977ad0d4ef500abc643e22d1c104d7ad3a545b72cd0bc99bb738dc92e07cc4a
Instruction Fuzzy Hash: D051C5A06447D93DFB3A43348845BBB7E99BB06304F088489E1E9D94C2D7D9EDC8D751

Function 0084ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0084AD19
GetKeyboardState.USER32(?), ref: 0084AD2E
SetKeyboardState.USER32(?), ref: 0084AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0084ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0084ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0084AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0084AE38

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: a363dcf4fe15e9aed67c3ecb603ef65d7264330a73f753ede2908c51b942068d
Instruction ID: 1223607b735b8aef861ac1005073967ccf30edb518fac3f1efc7ca739ba06d5e
Opcode Fuzzy Hash: a363dcf4fe15e9aed67c3ecb603ef65d7264330a73f753ede2908c51b942068d
Instruction Fuzzy Hash: 2651E8A19887D93DFB3A83748C85B7A7E98FB45304F08848DE1E5CE8C2D294EC84D752

Function 0081542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00823CD6,?,?,?,?,?,?,?,?,00815BA3,?,?,00823CD6,?,?), ref: 00815470
__fassign.LIBCMT ref: 008154EB
__fassign.LIBCMT ref: 00815506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00823CD6,00000005,00000000,00000000), ref: 0081552C
WriteFile.KERNEL32(?,00823CD6,00000000,00815BA3,00000000,?,?,?,?,?,?,?,?,?,00815BA3,?), ref: 0081554B
WriteFile.KERNEL32(?,?,00000001,00815BA3,00000000,?,?,?,?,?,?,?,?,?,00815BA3,?), ref: 00815584

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 382d100350069f5653bbbba838679678f10d4d4f11cb27c8b9b01b402966df7e
Instruction ID: ac43e28ba7ab20140fd4ae0c39dd6f31d1bf47eb4342a71fe60599a9c2a09044
Opcode Fuzzy Hash: 382d100350069f5653bbbba838679678f10d4d4f11cb27c8b9b01b402966df7e
Instruction Fuzzy Hash: B3518FB1A00649DFDB10CFA8D895AEEBBFEFF49300F14415AE555E7291D630AA81CB60

Function 00802D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00802D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00802D53
_ValidateLocalCookies.LIBCMT ref: 00802DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00802E0C
_ValidateLocalCookies.LIBCMT ref: 00802E61

Strings

csm, xrefs: 00802DF6

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 82d8c907a3eb99d792ba45aa903e185798f67a6899206a4d07e5e303e9141d15
Instruction ID: b90b9141ef50f689391b06b2a28174b9df94484af2fc1016b6fd40cf65808de7
Opcode Fuzzy Hash: 82d8c907a3eb99d792ba45aa903e185798f67a6899206a4d07e5e303e9141d15
Instruction Fuzzy Hash: 69416E34A0020DABCF50DF68CC49A9EBBA5FF45324F1481A5EC14EB292D7B1AE15CB91

Function 008610B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0086304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0086307A
Part of subcall function 0086304E: _wcslen.LIBCMT ref: 0086309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00861112
WSAGetLastError.WSOCK32 ref: 00861121
WSAGetLastError.WSOCK32 ref: 008611C9
closesocket.WSOCK32(00000000), ref: 008611F9

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: dd5adc48e243384b5b0ab7affd2a199231e4545befab87ed32fa0bb4b5ca5159
Instruction ID: 7059876b12753616121f4e5660e5ac760a718881f7a75368b67a973723f7c85b
Opcode Fuzzy Hash: dd5adc48e243384b5b0ab7affd2a199231e4545befab87ed32fa0bb4b5ca5159
Instruction Fuzzy Hash: A341F631600204AFDB109F14C888BA9B7E9FF46364F198059F919DB296C774ED81CBE1

Function 0084CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0084DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0084CF22,?), ref: 0084DDFD

Part of subcall function 0084DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0084CF22,?), ref: 0084DE16

lstrcmpiW.KERNEL32(?,?), ref: 0084CF45
MoveFileW.KERNEL32(?,?), ref: 0084CF7F
_wcslen.LIBCMT ref: 0084D005
_wcslen.LIBCMT ref: 0084D01B
SHFileOperationW.SHELL32(?), ref: 0084D061

Strings

\*.*, xrefs: 0084CFF3

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 87f8263f7fd9ac2244c2df3e3fd251b2b8433eed656bbc397bfcfda5369693f2
Instruction ID: 0e4787c3c6c57d44d469129927708ca09d6709293e2d9429c059d0277d16b1dc
Opcode Fuzzy Hash: 87f8263f7fd9ac2244c2df3e3fd251b2b8433eed656bbc397bfcfda5369693f2
Instruction Fuzzy Hash: C341437194621C9EDF52EBA4C981ADEB7BCFF08340F1000A6E509EB151EE75A688CB51

Function 00872DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00872E1C
GetWindowLongW.USER32(?,000000F0), ref: 00872E4F
GetWindowLongW.USER32(?,000000F0), ref: 00872E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00872EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00872EE0
GetWindowLongW.USER32(?,000000F0), ref: 00872EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00872F0B

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 78a2fcaf0cce06e8e2a8c1b286c4c3e12092742fe1150d272c21683591a70a5d
Instruction ID: c93e49a65527d860d00bdef75f7d25be90de37a0b937d959a494a2ea10a4abd6
Opcode Fuzzy Hash: 78a2fcaf0cce06e8e2a8c1b286c4c3e12092742fe1150d272c21683591a70a5d
Instruction Fuzzy Hash: 043114326041409FDB20CF58DC98F6937E0FB6A710F5541A8F949CF2BACB71E8809B41

Function 00847726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00847769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0084778F
SysAllocString.OLEAUT32(00000000), ref: 00847792
SysAllocString.OLEAUT32(?), ref: 008477B0
SysFreeString.OLEAUT32(?), ref: 008477B9
StringFromGUID2.OLE32(?,?,00000028), ref: 008477DE
SysAllocString.OLEAUT32(?), ref: 008477EC

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: cbb17c235da1f0142232e243fe2b31c926e31d9a63f924d3e6526081e9113bdb
Instruction ID: 38f61a5abb8c3f9fd7214ba21aa5e3e8b18286f82573f5d2399856937f0362b4
Opcode Fuzzy Hash: cbb17c235da1f0142232e243fe2b31c926e31d9a63f924d3e6526081e9113bdb
Instruction Fuzzy Hash: DA21B07660421DAFDB10DFA8CC88CBB77ACFB093647408029FA19DB260D770DC8187A4

Function 008477FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00847842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00847868
SysAllocString.OLEAUT32(00000000), ref: 0084786B
SysAllocString.OLEAUT32 ref: 0084788C
SysFreeString.OLEAUT32 ref: 00847895
StringFromGUID2.OLE32(?,?,00000028), ref: 008478AF
SysAllocString.OLEAUT32(?), ref: 008478BD

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: b7706c499bc8567302e8e658efa8a50e713103b25fbae422fcc2d99b422f56b7
Instruction ID: c3a5e87586a9ffe28cc370fc8df619d23a51879c04a2c7abf040d9aacb9d212d
Opcode Fuzzy Hash: b7706c499bc8567302e8e658efa8a50e713103b25fbae422fcc2d99b422f56b7
Instruction Fuzzy Hash: 9E213075608208AFDB109FA8DC8CDAA77ECFB097647108135F915DB2A5DB74DC81CB68

Function 008504D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 008504F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0085052E

Strings

nul, xrefs: 00850567

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 8278584bc34e1f5cba8da0b838b284fae77cda81b51382d1cd444e1737da5faf
Instruction ID: 83f905a1e4d3e89b8125a950f78813a81de2768c57a9c0297631a02bc018f8bd
Opcode Fuzzy Hash: 8278584bc34e1f5cba8da0b838b284fae77cda81b51382d1cd444e1737da5faf
Instruction Fuzzy Hash: AF218D71500305ABDB208F69DC08A9A77A4FF45726F204A19FCA1E72E0E770D948CF20

Function 008505A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 008505C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00850601

Strings

nul, xrefs: 00850639

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 72bad901b4169e70d8bf64fd2d5bc6e4c6ef214c0483c37db6632add509f45a3
Instruction ID: 13cd98fbdf12a21674ecfe85a53b8d4b163b06effbd8b659c10d304a9f6f6be8
Opcode Fuzzy Hash: 72bad901b4169e70d8bf64fd2d5bc6e4c6ef214c0483c37db6632add509f45a3
Instruction Fuzzy Hash: 4221B5755003059BDB208F68CC04A9A77E4FFA5726F200A19FCA2E72E0D770D968CF10

Function 008740AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007E600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 007E604C
Part of subcall function 007E600E: GetStockObject.GDI32(00000011), ref: 007E6060
Part of subcall function 007E600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 007E606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00874112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0087411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0087412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00874139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00874145

Strings

Msctls_Progress32, xrefs: 008740E3

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: b359310292697d1f6ceadfb0eec1c07e61c7717b406a050d32f5c35c3cb78e05
Instruction ID: a2119c727df98930d3a2758ac02b35d5606d002197b0885ba256e1fa746acd48
Opcode Fuzzy Hash: b359310292697d1f6ceadfb0eec1c07e61c7717b406a050d32f5c35c3cb78e05
Instruction Fuzzy Hash: 93118EB2140219BEEF119E64CC85EE77F9DFF18798F008110BA18E6150C776DC619BA4

Function 0081D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0081D7A3: _free.LIBCMT ref: 0081D7CC

_free.LIBCMT ref: 0081D82D

Part of subcall function 008129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0081D7D1,00000000,00000000,00000000,00000000,?,0081D7F8,00000000,00000007,00000000,?,0081DBF5,00000000), ref: 008129DE
Part of subcall function 008129C8: GetLastError.KERNEL32(00000000,?,0081D7D1,00000000,00000000,00000000,00000000,?,0081D7F8,00000000,00000007,00000000,?,0081DBF5,00000000,00000000), ref: 008129F0

_free.LIBCMT ref: 0081D838
_free.LIBCMT ref: 0081D843
_free.LIBCMT ref: 0081D897
_free.LIBCMT ref: 0081D8A2
_free.LIBCMT ref: 0081D8AD
_free.LIBCMT ref: 0081D8B8

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: e0c2e248ae79b415458958c0f75f7ae5c14e74e9785f316ad4640c974c292452
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 25115E71540B04AAD621BFB8CC47FCB7BDCFF00710F440C25B299EA0D2DAA5B5A58662

Function 0084DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0084DA74
LoadStringW.USER32(00000000), ref: 0084DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0084DA91
LoadStringW.USER32(00000000), ref: 0084DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0084DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0084DAB9

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 3ce6f89a478c81369c7d0eca4bcc648e55188cf083ab8672fc398a96ee6e55bd
Instruction ID: 26987e41079f3506f5ab850363046a2d5adcaf1dce427a58ebea17db5f78e7c1
Opcode Fuzzy Hash: 3ce6f89a478c81369c7d0eca4bcc648e55188cf083ab8672fc398a96ee6e55bd
Instruction Fuzzy Hash: CF014FF25002187FE711ABA49D89EEB366CF708705F4044A9B75AE3045EA749EC44B75

Function 0085096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0198DF60,0198DF60), ref: 0085097B
EnterCriticalSection.KERNEL32(0198DF40,00000000), ref: 0085098D
TerminateThread.KERNEL32(?,000001F6), ref: 0085099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 008509A9
CloseHandle.KERNEL32(?), ref: 008509B8
InterlockedExchange.KERNEL32(0198DF60,000001F6), ref: 008509C8
LeaveCriticalSection.KERNEL32(0198DF40), ref: 008509CF

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 2409dca4748c34c84a0d23cd392e528d4cb783e714b459b613429ebcb6b7803d
Instruction ID: 4e4bf8cd86897754ca003c68292cb6211db8db4fc2e5cf1120a5c42fcc54c227
Opcode Fuzzy Hash: 2409dca4748c34c84a0d23cd392e528d4cb783e714b459b613429ebcb6b7803d
Instruction Fuzzy Hash: 38F03132442502BBD7415F94EE8CBD6BB35FF01702F441029F205A28AAC774D4A5CF90

Function 007E5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 007E5D30
GetWindowRect.USER32(?,?), ref: 007E5D71
ScreenToClient.USER32(?,?), ref: 007E5D99
GetClientRect.USER32(?,?), ref: 007E5ED7
GetWindowRect.USER32(?,?), ref: 007E5EF8

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: d9bc6b9d151e8fc6d1636e0b23cd190e912a12a5f861e36c121339f1fbded849
Instruction ID: 6a3bc4075ffddfe1c2e8bf521265e2f8b8395311d896635a08f1ba735c0ff087
Opcode Fuzzy Hash: d9bc6b9d151e8fc6d1636e0b23cd190e912a12a5f861e36c121339f1fbded849
Instruction Fuzzy Hash: 37B17A34A1078ADBDB10CFA9C4807EEB7F1FF58314F14951AE8A9D7250DB34AA91DB60

Function 008101B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 008100BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008100D6
__allrem.LIBCMT ref: 008100ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0081010B
__allrem.LIBCMT ref: 00810122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00810140

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: dd905c0ea718aa1b6b6e980c93d618cd4f1edcc419db5fa8d94d0e8f8a464bc0
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 1181F671A00B06ABE7209A6CDC41BAA73ECFF55324F248539F551D66C2EFB4D9C08B51

Function 00861D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00863149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,0086101C,00000000,?,?,00000000), ref: 00863195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00861DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00861DE1
WSAGetLastError.WSOCK32 ref: 00861DF2
inet_ntoa.WSOCK32(?), ref: 00861E8C
htons.WSOCK32(?,?,?,?,?), ref: 00861EDB
_strlen.LIBCMT ref: 00861F35

Part of subcall function 008439E8: _strlen.LIBCMT ref: 008439F2

Part of subcall function 007E6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,007FCF58,?,?,?), ref: 007E6DBA
Part of subcall function 007E6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,007FCF58,?,?,?), ref: 007E6DED

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: f87ca07495d2a368cd9220c8b2f48a7604f75c40a28af5110bf641e48e244888
Instruction ID: 4fc3560a65a2685b09ba1ba1980b41ce5379d1a4ca6982b288677dd1c13d6fdc
Opcode Fuzzy Hash: f87ca07495d2a368cd9220c8b2f48a7604f75c40a28af5110bf641e48e244888
Instruction Fuzzy Hash: 82A1E231204340AFC724DF24C889E2A7BA5FF88318F59895CF5569B2A3CB31ED45CB92

Function 008161FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,008082D9,008082D9,?,?,?,0081644F,00000001,00000001,8BE85006), ref: 00816258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0081644F,00000001,00000001,8BE85006,?,?,?), ref: 008162DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 008163D8
__freea.LIBCMT ref: 008163E5

Part of subcall function 00813820: RtlAllocateHeap.NTDLL(00000000,?,008B1444,?,007FFDF5,?,?,007EA976,00000010,008B1440,007E13FC,?,007E13C6,?,007E1129), ref: 00813852

__freea.LIBCMT ref: 008163EE
__freea.LIBCMT ref: 00816413

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 1e8b1784a32b150297ad2c7de7d99a3ac343cc45f5a0c61994a3ca755c55fa3c
Instruction ID: d78d6b53409409b7f299161941eb75a350a7a26b73c07b12ff1364eb0e55a97b
Opcode Fuzzy Hash: 1e8b1784a32b150297ad2c7de7d99a3ac343cc45f5a0c61994a3ca755c55fa3c
Instruction Fuzzy Hash: F251DE72A00216ABEB258F68DC81EEF77AEFF44710F144229F855D6240EB34DCE0C6A0

Function 0086BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007E9CB3: _wcslen.LIBCMT ref: 007E9CBD

Part of subcall function 0086C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0086B6AE,?,?), ref: 0086C9B5
Part of subcall function 0086C998: _wcslen.LIBCMT ref: 0086C9F1
Part of subcall function 0086C998: _wcslen.LIBCMT ref: 0086CA68
Part of subcall function 0086C998: _wcslen.LIBCMT ref: 0086CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0086BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0086BD25
RegCloseKey.ADVAPI32(00000000), ref: 0086BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0086BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0086BDF3
RegCloseKey.ADVAPI32(?), ref: 0086BDFF

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: ed6ecb58da38495ab780ec24313474d66e76d903a1cc4f7f2591dae6e8eb3597
Instruction ID: c9aae5847bafba938be7266a4e04a3415d83d0ce3f868ae474b6b4727c661686
Opcode Fuzzy Hash: ed6ecb58da38495ab780ec24313474d66e76d903a1cc4f7f2591dae6e8eb3597
Instruction Fuzzy Hash: 81817C71208241EFD714DF24C895E2ABBE5FF84308F15895CF5598B2A2DB32ED85CB92

Function 0083F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0083F7B9
SysAllocString.OLEAUT32(00000001), ref: 0083F860
VariantCopy.OLEAUT32(0083FA64,00000000), ref: 0083F889
VariantClear.OLEAUT32(0083FA64), ref: 0083F8AD
VariantCopy.OLEAUT32(0083FA64,00000000), ref: 0083F8B1
VariantClear.OLEAUT32(?), ref: 0083F8BB

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 0e027deee85fcc1b9048ab4e94b74f192f3cbea55900f418ecfb6dd207e2ccae
Instruction ID: 1c39b22c2d6b5b94cc08f526c4a8e5cdb4be92fa313bf668ae1fd5e1d67fbca3
Opcode Fuzzy Hash: 0e027deee85fcc1b9048ab4e94b74f192f3cbea55900f418ecfb6dd207e2ccae
Instruction Fuzzy Hash: B151B331A00314FACF24AB65D899B29B7A4FF85314F24946AEE06DF297DB748C40C7D6

Function 0085910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 007E7620: _wcslen.LIBCMT ref: 007E7625

Part of subcall function 007E6B57: _wcslen.LIBCMT ref: 007E6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 008594E5
_wcslen.LIBCMT ref: 00859506
_wcslen.LIBCMT ref: 0085952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00859585

Strings

X, xrefs: 00859412

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 2eb635babaf3503287d8734d24f39212be2b7c667553e63ac1d5d78f9b8ab392
Instruction ID: 75047fefa106f65c960cef90970f38f477b2bf40efc764286ff38d87c33c0860
Opcode Fuzzy Hash: 2eb635babaf3503287d8734d24f39212be2b7c667553e63ac1d5d78f9b8ab392
Instruction Fuzzy Hash: A6E19031504340DFC724DF25C885A6AB7E0FF89314F14896DE9999B3A2EB35DD09CB92

Function 007F920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 007F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007F9BB2

BeginPaint.USER32(?,?,?), ref: 007F9241
GetWindowRect.USER32(?,?), ref: 007F92A5
ScreenToClient.USER32(?,?), ref: 007F92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 007F92D3
EndPaint.USER32(?,?,?,?,?), ref: 007F9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 008371EA

Part of subcall function 007F9339: BeginPath.GDI32(00000000), ref: 007F9357

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 48a1fcf94b5a182ada5ffea7ca6809bee3af7ccff0b77fec9c42b1e36e265a37
Instruction ID: 3aa5b456e222b03febeafc343b060e2648aa0248c4e269fd6e702c4467d06d49
Opcode Fuzzy Hash: 48a1fcf94b5a182ada5ffea7ca6809bee3af7ccff0b77fec9c42b1e36e265a37
Instruction Fuzzy Hash: 56418E71104245EFDB21DF24C898FBA7BA8FF95724F140229FB64CB2A1C7359845DB61

Function 008507EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0085080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00850847
EnterCriticalSection.KERNEL32(?), ref: 00850863
LeaveCriticalSection.KERNEL32(?), ref: 008508DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 008508F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00850921

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: f5b72dbfff2f4eabecc2cd2d623a283b8611c27a3091ca1fca48201b25dfcdce
Instruction ID: 6f97ef6d96a542d15b158290d4d1a08aa867add8f638ab91f28ddbfac02e8cf2
Opcode Fuzzy Hash: f5b72dbfff2f4eabecc2cd2d623a283b8611c27a3091ca1fca48201b25dfcdce
Instruction Fuzzy Hash: 9E415671900209EBDF14AF54DC89A6A77B8FF04311F1440A9ED04EA2ABDB30DE64DBA0

Function 008781DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0083F3AB,00000000,?,?,00000000,?,0083682C,00000004,00000000,00000000), ref: 0087824C
EnableWindow.USER32(?,00000000), ref: 00878272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 008782D1
ShowWindow.USER32(?,00000004), ref: 008782E5
EnableWindow.USER32(?,00000001), ref: 0087830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0087832F

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 1401ddbfe5a9b41c42bc2fed0e45534051c322070f816c046c182ca47b0a2105
Instruction ID: de82b4b26668ff51263145e62f842730f33a27a73efa71d96023b6e0016e29d5
Opcode Fuzzy Hash: 1401ddbfe5a9b41c42bc2fed0e45534051c322070f816c046c182ca47b0a2105
Instruction Fuzzy Hash: 2A415034641644EFDF15CF29D89DBA47BE1FB0A715F588269E60C8F266CB31E841CB50

Function 00844C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00844C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00844CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00844CEA
_wcslen.LIBCMT ref: 00844D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00844D10
_wcsstr.LIBVCRUNTIME ref: 00844D1A

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: dd250fad798fb6ffb4525f3ab8622f64c40798e8c48950e02828825efe091add
Instruction ID: 59adf0afb591ad00b2beb4c5651ccd9bda64c61355d7722de1a4430d0bd741da
Opcode Fuzzy Hash: dd250fad798fb6ffb4525f3ab8622f64c40798e8c48950e02828825efe091add
Instruction Fuzzy Hash: 41212632604208BBEB555B39AC89F7B7B9CFF55750F10903DF909CB1A2EE65CC4082A0

Function 0085581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 007E3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007E3A97,?,?,007E2E7F,?,?,?,00000000), ref: 007E3AC2

_wcslen.LIBCMT ref: 0085587B
CoInitialize.OLE32(00000000), ref: 00855995
CoCreateInstance.OLE32(0087FCF8,00000000,00000001,0087FB68,?), ref: 008559AE
CoUninitialize.OLE32 ref: 008559CC

Strings

.lnk, xrefs: 00855876, 008558C1, 00855985

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: b2b66685cf6b33fa1418e2ad1d64b1857af068d2eb8985df6e1496ba903f4aa7
Instruction ID: b479b66013b5bc8ab82eb19e1416ecb97e0c60284e8a7188a07ee44be5a8523c
Opcode Fuzzy Hash: b2b66685cf6b33fa1418e2ad1d64b1857af068d2eb8985df6e1496ba903f4aa7
Instruction Fuzzy Hash: 31D15171608601DFC714DF25C498A2ABBE1FF89721F148859F88ADB361DB35EC49CB92

Function 0084175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00840FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00840FCA
Part of subcall function 00840FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00840FD6
Part of subcall function 00840FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00840FE5
Part of subcall function 00840FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00840FEC
Part of subcall function 00840FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00841002

GetLengthSid.ADVAPI32(?,00000000,00841335), ref: 008417AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 008417BA
HeapAlloc.KERNEL32(00000000), ref: 008417C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 008417DA
GetProcessHeap.KERNEL32(00000000,00000000,00841335), ref: 008417EE
HeapFree.KERNEL32(00000000), ref: 008417F5

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: c75fda0039c7b223092ffcc4c021c85a10fe29f6ab225b55b4cc663598acb7fe
Instruction ID: d6ed9b095d690e830213667f2d484a6ae3c2fe0181acc871003a83d5765c3940
Opcode Fuzzy Hash: c75fda0039c7b223092ffcc4c021c85a10fe29f6ab225b55b4cc663598acb7fe
Instruction Fuzzy Hash: 7C117C31510609EFDF109FA4CC4DBAE7BA9FB45359F144028F445D7218D739E984CB60

Function 008414CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 008414FF
OpenProcessToken.ADVAPI32(00000000), ref: 00841506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00841515
CloseHandle.KERNEL32(00000004), ref: 00841520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0084154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00841563

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 9142b2c99a0a9b08e0a644d5ef19c1bff34fde7ddc00d804de4701aeb9b7ff64
Instruction ID: c69e216803b7e339a893abff824d5174544748a0d2e79f5ca78089fef470b89d
Opcode Fuzzy Hash: 9142b2c99a0a9b08e0a644d5ef19c1bff34fde7ddc00d804de4701aeb9b7ff64
Instruction Fuzzy Hash: 5F11E77250120DABDF118F98DD4DBDA7BA9FB49744F054019FA09A2160C375CEA59B60

Function 00803382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00803379,00802FE5), ref: 00803390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0080339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 008033B7
SetLastError.KERNEL32(00000000,?,00803379,00802FE5), ref: 00803409

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 2afd992f701d1f0cc32a7e197d5a52ccb9e973b8dd6e9ec313c251c950140249
Instruction ID: 2398ef2257623ce2d0bb5eb62ba6aae772142261b759edd0843fcbe7b9bda199
Opcode Fuzzy Hash: 2afd992f701d1f0cc32a7e197d5a52ccb9e973b8dd6e9ec313c251c950140249
Instruction Fuzzy Hash: 0401D432609B11BEF7A527787CC5A672A9CFB26379720022DF620C52F0FF224D416644

Function 00812D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00815686,00823CD6,?,00000000,?,00815B6A,?,?,?,?,?,0080E6D1,?,008A8A48), ref: 00812D78
_free.LIBCMT ref: 00812DAB
_free.LIBCMT ref: 00812DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0080E6D1,?,008A8A48,00000010,007E4F4A,?,?,00000000,00823CD6), ref: 00812DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0080E6D1,?,008A8A48,00000010,007E4F4A,?,?,00000000,00823CD6), ref: 00812DEC
_abort.LIBCMT ref: 00812DF2

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: dcb22f5672215eb07dfcdfdfdbb5a89e7044d3a9ef395b75da0d83ef4e6ec000
Instruction ID: 34c839a81232a33393f7d3d4019d0ed389d947dfcbc19da8d990eadafbe972e4
Opcode Fuzzy Hash: dcb22f5672215eb07dfcdfdfdbb5a89e7044d3a9ef395b75da0d83ef4e6ec000
Instruction Fuzzy Hash: 24F0A4325446046BD622373CFC0AEDA265DFFC27B5B24051CF828D22D6EF3488E14262

Function 00878A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 007F9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 007F9693
Part of subcall function 007F9639: SelectObject.GDI32(?,00000000), ref: 007F96A2
Part of subcall function 007F9639: BeginPath.GDI32(?), ref: 007F96B9
Part of subcall function 007F9639: SelectObject.GDI32(?,00000000), ref: 007F96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00878A4E
LineTo.GDI32(?,00000003,00000000), ref: 00878A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00878A70
LineTo.GDI32(?,00000000,00000003), ref: 00878A80
EndPath.GDI32(?), ref: 00878A90
StrokePath.GDI32(?), ref: 00878AA0

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 546eb27db2ec3ddaf384212652be208a3acb2c5276a8c4bd9589ffd432580dcd
Instruction ID: 1e578accc8ccbdfa320a5be9dfa6ddd78f46294ef6373626741ba716c0a34e3e
Opcode Fuzzy Hash: 546eb27db2ec3ddaf384212652be208a3acb2c5276a8c4bd9589ffd432580dcd
Instruction Fuzzy Hash: 9D11F776040158FFDF129F90DC8CEAA7F6DFB08350F008026FA199A1A5C7719D95DBA0

Function 008451FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00845218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00845229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00845230
ReleaseDC.USER32(00000000,00000000), ref: 00845238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0084524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00845261

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: b84821f91a731f5abee7dedadc9a90a3506496c3f0b074a42db6e6d853604601
Instruction ID: 263dcf76e6a05e96e80bd6e141d25773fefa20933a7d025809fd1a59e5321975
Opcode Fuzzy Hash: b84821f91a731f5abee7dedadc9a90a3506496c3f0b074a42db6e6d853604601
Instruction Fuzzy Hash: B6014475E00718BBEB105BA59C49A5EBFB8FF54751F044069FA08E7285D670D800CFA0

Function 007E1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 007E1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 007E1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 007E1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 007E1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 007E1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 007E1C22

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 65b7ee17f6af09367b61ec2a664ab71746e734189b6e9aca7c51d1e3fac3db61
Instruction ID: 0c61cc12923ac0594bf93937a5732f6184b8b9e86117ea77f2a6383fabde09e5
Opcode Fuzzy Hash: 65b7ee17f6af09367b61ec2a664ab71746e734189b6e9aca7c51d1e3fac3db61
Instruction Fuzzy Hash: 63016CB09027597DE3008F5A8C85B52FFA8FF19754F00411F915C47941C7F5A864CBE5

Function 0084EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0084EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0084EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0084EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0084EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0084EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0084EB75

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: a4827e34b925164899c7dddf93653c4e1bf49671534ba31bf4f7c8ef6c364bce
Instruction ID: 78b3d6927c95a9b7a1e6ca463a44548794ee7cb5f41969c2d0312955cfd4d530
Opcode Fuzzy Hash: a4827e34b925164899c7dddf93653c4e1bf49671534ba31bf4f7c8ef6c364bce
Instruction Fuzzy Hash: 55F09A72200118BBE7205B629C4EEEF3A7CFFCBB11F00016CF605E2090D7A09A41CAB4

Function 00837439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00837452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00837469
GetWindowDC.USER32(?), ref: 00837475
GetPixel.GDI32(00000000,?,?), ref: 00837484
ReleaseDC.USER32(?,00000000), ref: 00837496
GetSysColor.USER32(00000005), ref: 008374B0

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 1fdaac0a05a75976477bfa4bf9deeecdc764ac82db828d6120396c4989e5ad99
Instruction ID: 15f64608ccf4a4861602e49c6fca95b0dfc89ea3ee674dc11d283ecadb99e6a5
Opcode Fuzzy Hash: 1fdaac0a05a75976477bfa4bf9deeecdc764ac82db828d6120396c4989e5ad99
Instruction Fuzzy Hash: F4016D31404219EFDB615F64DC0CBAA7BB5FF54311F510168FA1AA31A1CB31AE91EB50

Function 00841874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0084187F
UnloadUserProfile.USERENV(?,?), ref: 0084188B
CloseHandle.KERNEL32(?), ref: 00841894
CloseHandle.KERNEL32(?), ref: 0084189C
GetProcessHeap.KERNEL32(00000000,?), ref: 008418A5
HeapFree.KERNEL32(00000000), ref: 008418AC

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 27f6e833bc2ce33d8df8497b3f1a4405729d76c82bbb17d37f0b4f9b44518b2c
Instruction ID: 13d21639a4706c95bf4e9ca05522ab23e0ddee261b93ae6b6701dac4c9d7dd44
Opcode Fuzzy Hash: 27f6e833bc2ce33d8df8497b3f1a4405729d76c82bbb17d37f0b4f9b44518b2c
Instruction Fuzzy Hash: A5E0E536004101BBEB015FA5ED0C90AFF39FF4AB22B508228F22992578CB32D4A0DF60

Function 0084C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007E7620: _wcslen.LIBCMT ref: 007E7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0084C6EE
_wcslen.LIBCMT ref: 0084C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0084C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0084C7CA

Strings

0, xrefs: 0084C6AF

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 5192717e6fa6089d052e1c664ca07db187a5cc5cfd8837a8ae2ac9f44171197b
Instruction ID: 57c17448c8d8effd5fd15bf7531f810291048fae96b2ac25fed887711bf34bdf
Opcode Fuzzy Hash: 5192717e6fa6089d052e1c664ca07db187a5cc5cfd8837a8ae2ac9f44171197b
Instruction Fuzzy Hash: 5A51ED716063499BD7949F2CC889A6BBBECFF99314F040A2DF995D32A0DB74D804CB52

Function 0086AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0086AEA3

Part of subcall function 007E7620: _wcslen.LIBCMT ref: 007E7625

GetProcessId.KERNEL32(00000000), ref: 0086AF38
CloseHandle.KERNEL32(00000000), ref: 0086AF67

Strings

@, xrefs: 0086AE72
<, xrefs: 0086AE6B

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 2212e4e17b35da00a8b430dffc6e668ff7e0d92ecab376c3927facc2a0aadd98
Instruction ID: 6686b4cecc153946a0d71b07bb6a2af7df16cb7e48dd2caf709e753539582edf
Opcode Fuzzy Hash: 2212e4e17b35da00a8b430dffc6e668ff7e0d92ecab376c3927facc2a0aadd98
Instruction Fuzzy Hash: 7A714475A00659DFCB18DF55C488A9EBBF0FF08314F058499E816AB3A2CB75ED41CB91

Function 0084719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00847206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0084723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0084724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 008472CF

Strings

DllGetClassObject, xrefs: 00847242

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: a6b937e6d854b18b786f1645aa5982d05f42345482e3610c5d1fc54184f1ade1
Instruction ID: 469549396199fbf041ace072eac72c2cc05f10e4268344c15386f45c3b21a301
Opcode Fuzzy Hash: a6b937e6d854b18b786f1645aa5982d05f42345482e3610c5d1fc54184f1ade1
Instruction Fuzzy Hash: 85416D71A04218EFDB15CF64C884A9A7BA9FF44314F1480ADBD0ADF20AD7F1DA44CBA0

Function 00873D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00873E35
IsMenu.USER32(?), ref: 00873E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00873E92
DrawMenuBar.USER32 ref: 00873EA5

Strings

0, xrefs: 00873D89

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: c4d54b550dff6bbc2dd8d5ccf00d9fa5343a8474aa551e9f298c8a5a4bb44adc
Instruction ID: 9ba24673c67557fdcfc3049095e1ddabeb7cbd8cabbfc3b439ba7a69887547ec
Opcode Fuzzy Hash: c4d54b550dff6bbc2dd8d5ccf00d9fa5343a8474aa551e9f298c8a5a4bb44adc
Instruction Fuzzy Hash: 02414776A01209EFDB10DF50D884AAABBB9FF49354F04812AE909EB654D730EE44EF51

Function 00841DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007E9CB3: _wcslen.LIBCMT ref: 007E9CBD

Part of subcall function 00843CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00843CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00841E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00841E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00841EA9

Part of subcall function 007E6B57: _wcslen.LIBCMT ref: 007E6B6A

Strings

ComboBox, xrefs: 00841DF0
ListBox, xrefs: 00841E25

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: e6aa50086adfeb55469372821c22b8365cd3c38411e702c972a4e52f9187869b
Instruction ID: 509cea564e597c2b859cc8d36160494c33e5c140fda19f9b1f3a69c0e2423e62
Opcode Fuzzy Hash: e6aa50086adfeb55469372821c22b8365cd3c38411e702c972a4e52f9187869b
Instruction Fuzzy Hash: 5A21F376A00108EADB14ABA5DC8DCFFB7B9FF55360B10411DF925E72E1DB384D8A8620

Function 0086C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0086C9F1
_wcslen.LIBCMT ref: 0086CA68
_wcslen.LIBCMT ref: 0086CA9E
_wcslen.LIBCMT ref: 0086CAF9
_wcslen.LIBCMT ref: 0086CB2F
_wcslen.LIBCMT ref: 0086CB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 0086CA62, 0086CA67
HKLM, xrefs: 0086CA98, 0086CA9D

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: e9f9ecdecb52a0ef3cd023340bb45a36dbbe8d66424a6e733d9127f4ccaabd30
Instruction ID: 76ba03eca2f31b30d489cdac9f51ce729f14beb5290bbba9b9ac35d1ab0a427e
Opcode Fuzzy Hash: e9f9ecdecb52a0ef3cd023340bb45a36dbbe8d66424a6e733d9127f4ccaabd30
Instruction Fuzzy Hash: C531F5B3A001798BCB20DFAC98405BE3792FBA1752F474129E891EB355EA70CD8493A0

Function 00872F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00872F8D
LoadLibraryW.KERNEL32(?), ref: 00872F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00872FA9
DestroyWindow.USER32(?), ref: 00872FB1

Strings

SysAnimate32, xrefs: 00872F68

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 7d6592e1391335c820e0340add110410a4e3ff28d5a0ab8a989e2ded0cfe9ffc
Instruction ID: c459c18f59824b7b78f0ec7ce394ba57c266f5432e5bd877dc8c9dc39372cd00
Opcode Fuzzy Hash: 7d6592e1391335c820e0340add110410a4e3ff28d5a0ab8a989e2ded0cfe9ffc
Instruction Fuzzy Hash: 4A21CD72204209ABEF205F68DC84EBB37BDFB59368F108628F958D7198DB71DC919760

Function 00804D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00804D1E,008128E9,?,00804CBE,008128E9,008A88B8,0000000C,00804E15,008128E9,00000002), ref: 00804D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00804DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00804D1E,008128E9,?,00804CBE,008128E9,008A88B8,0000000C,00804E15,008128E9,00000002,00000000), ref: 00804DC3

Strings

mscoree.dll, xrefs: 00804D86
CorExitProcess, xrefs: 00804D98

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: bd1324be46715b2ca99548c660902ab6e4b1765859025b1d26416d3c352d9559
Instruction ID: a2cbcb427fa69e08f634dfe7723895d8f14c73667f424c8b5a73ec87f79a344a
Opcode Fuzzy Hash: bd1324be46715b2ca99548c660902ab6e4b1765859025b1d26416d3c352d9559
Instruction Fuzzy Hash: 0DF04F74A40218FBDB91AF94DC49BADBBB5FF44751F4400A8FD09E22A0CB359984DF91

Function 0083D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0083D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0083D3BF
FreeLibrary.KERNEL32(00000000), ref: 0083D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0083D3B9
X64, xrefs: 0083D2A8

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 382bb8e81433dfec3f909eae76c1e193b1cddda018444d3650af6d9e1340c803
Instruction ID: 70fd456c3e84c3165d1772dc3d2a67f931d8936afea82436a18a5946cacd27d4
Opcode Fuzzy Hash: 382bb8e81433dfec3f909eae76c1e193b1cddda018444d3650af6d9e1340c803
Instruction Fuzzy Hash: 6DF027704057248BD7B117209C1C96A3310FF50701F948069F505E7318EB34CD8086D1

Function 007E4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,007E4EDD,?,008B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007E4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 007E4EAE
FreeLibrary.KERNEL32(00000000,?,?,007E4EDD,?,008B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007E4EC0

Strings

kernel32.dll, xrefs: 007E4E94
Wow64DisableWow64FsRedirection, xrefs: 007E4EA8

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: a9dd40376e6c687abe6e8d0d4b0760dfeb2cf12d15f3760966d8b82d9576956b
Instruction ID: 57cd3a6f8f9890f184e2c0277de009f2b3c1ca47c2d96b1d012c170a29c07cdd
Opcode Fuzzy Hash: a9dd40376e6c687abe6e8d0d4b0760dfeb2cf12d15f3760966d8b82d9576956b
Instruction Fuzzy Hash: DAE08635A025625BD2311B266C1CA5F7654BFC5B62B050129FC08D3214DB68CD4185B0

Function 007E4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00823CDE,?,008B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007E4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 007E4E74
FreeLibrary.KERNEL32(00000000,?,?,00823CDE,?,008B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007E4E87

Strings

kernel32.dll, xrefs: 007E4E5B
Wow64RevertWow64FsRedirection, xrefs: 007E4E6E

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 80226055e2b3b8dee02b856850ba1d538fdaffd05b86fa4ef2bcab4a27b160c7
Instruction ID: 793a2cb57ff71dd31337ab222d3ab16501305913e91c7db8b958968ec1308f50
Opcode Fuzzy Hash: 80226055e2b3b8dee02b856850ba1d538fdaffd05b86fa4ef2bcab4a27b160c7
Instruction Fuzzy Hash: E3D01235903AA15756221B266C1CD8F7A18FF8DB613494529B909E7218CF68CD41C5E0

Function 00852947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00852C05
DeleteFileW.KERNEL32(?), ref: 00852C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00852C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00852CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00852CC0

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: fdb241781ae30dd02fe26a09bb2fa00fcdf465083410a5051c95291148a58435
Instruction ID: 9651fd6279259144c9d46be6ce78ee26cebcbe9a95c83ba502d2fcd2e3690fbf
Opcode Fuzzy Hash: fdb241781ae30dd02fe26a09bb2fa00fcdf465083410a5051c95291148a58435
Instruction Fuzzy Hash: 9DB14E7290111DABDF21DBA4CC89EDEB7BDFF49354F1040A6F909E7141EA349A488F61

Function 0086A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0086A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0086A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0086A468
CloseHandle.KERNEL32(?), ref: 0086A63D

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 8de51e2325b1efe29b9c59238cecd599fdf4d58f7ec8d0a22f4ac5918141cb5c
Instruction ID: f0f8aedcbf6b87696b1cb714b8d526b873780050beb15332cb85fcea17828d94
Opcode Fuzzy Hash: 8de51e2325b1efe29b9c59238cecd599fdf4d58f7ec8d0a22f4ac5918141cb5c
Instruction Fuzzy Hash: 73A19D756043009FD724DF24C88AB2AB7E5EF88714F14881DF56ADB392DBB4EC418B92

Function 0084E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0084DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0084CF22,?), ref: 0084DDFD

Part of subcall function 0084DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0084CF22,?), ref: 0084DE16

Part of subcall function 0084E199: GetFileAttributesW.KERNEL32(?,0084CF95), ref: 0084E19A

lstrcmpiW.KERNEL32(?,?), ref: 0084E473
MoveFileW.KERNEL32(?,?), ref: 0084E4AC
_wcslen.LIBCMT ref: 0084E5EB
_wcslen.LIBCMT ref: 0084E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0084E650

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: b9e7bfa48ecabeda75c2e50ef93f336eaa2752f87df672aeba710e42ed76891a
Instruction ID: 36c88eb228b5a50a6008ab1f74b26a972711ac01132e7956bfe26faaab27b476
Opcode Fuzzy Hash: b9e7bfa48ecabeda75c2e50ef93f336eaa2752f87df672aeba710e42ed76891a
Instruction Fuzzy Hash: 165163B24087899BC764EB94DC859DBB3DCFF94340F00491EF689D3191EF74A588876A

Function 0086B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007E9CB3: _wcslen.LIBCMT ref: 007E9CBD

Part of subcall function 0086C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0086B6AE,?,?), ref: 0086C9B5
Part of subcall function 0086C998: _wcslen.LIBCMT ref: 0086C9F1
Part of subcall function 0086C998: _wcslen.LIBCMT ref: 0086CA68
Part of subcall function 0086C998: _wcslen.LIBCMT ref: 0086CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0086BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0086BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0086BB63
RegCloseKey.ADVAPI32(?,?), ref: 0086BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0086BBB3

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: f795a819bbdb9bdd3a82a60fc193198dc2a1eab3c15bdbc2e65f8f185e03f2d3
Instruction ID: b956a0bd5a960cf7876b64e8df8e3ecc86c363edb608215e18fcca1d58b9e794
Opcode Fuzzy Hash: f795a819bbdb9bdd3a82a60fc193198dc2a1eab3c15bdbc2e65f8f185e03f2d3
Instruction Fuzzy Hash: F8618C31209241EFC314DF64C494E2ABBE5FF84318F55895CF4998B2A2DB31ED85CB92

Function 00848BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00848BCD
VariantClear.OLEAUT32 ref: 00848C3E
VariantClear.OLEAUT32 ref: 00848C9D
VariantClear.OLEAUT32(?), ref: 00848D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00848D3B

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 4b51b68a779e136b62019952d925267ad1567bef8e7ba5eeb382590787c5fa90
Instruction ID: 6bdd2d303d55b573cf3bacc9669af172e06cb51ef6acf02929220a48667e0ee5
Opcode Fuzzy Hash: 4b51b68a779e136b62019952d925267ad1567bef8e7ba5eeb382590787c5fa90
Instruction Fuzzy Hash: 4A5157B5A01219EFCB14CF68C894AAAB7F8FF89314B158569E909DB354E730E911CF90

Function 00858AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00858BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00858BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00858C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00858C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00858C5F

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: b65c34901e616d6bc048a222e6a033cfc397107e21c3c893299a2c083ec08c4b
Instruction ID: 42a94159ce3d4f7f69f4c0e9c2b6591ee2f7bc7fe9671335c125d3347b2bf72b
Opcode Fuzzy Hash: b65c34901e616d6bc048a222e6a033cfc397107e21c3c893299a2c083ec08c4b
Instruction Fuzzy Hash: C0515935A00618EFCB05DF65C885A6EBBF5FF48314F088099E849AB362DB35ED55CB90

Function 00868EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00868F40
GetProcAddress.KERNEL32(00000000,?), ref: 00868FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00868FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00869032
FreeLibrary.KERNEL32(00000000), ref: 00869052

Part of subcall function 007FF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00851043,?,753CE610), ref: 007FF6E6
Part of subcall function 007FF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0083FA64,00000000,00000000,?,?,00851043,?,753CE610,?,0083FA64), ref: 007FF70D

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 2493ebc950896fcd4c18d3ef7c332f6026f606c495b0613886ad10945cbd2c0e
Instruction ID: fecefeae26a2709ba9b212f8512ff1ed538a4e7ad7240c3b660a531d4011718d
Opcode Fuzzy Hash: 2493ebc950896fcd4c18d3ef7c332f6026f606c495b0613886ad10945cbd2c0e
Instruction Fuzzy Hash: D8515835601245DFCB11DF68C4888ADBBF1FF49324B0581A8E90AAF362DB31ED85CB91

Function 00876B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00876C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00876C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00876C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0085AB79,00000000,00000000), ref: 00876C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00876CC7

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 614448b2390bb2ad5678ac0723f08e4af19108d0de1fd98a09d7c99c6dd05e11
Instruction ID: 2c89c0c91f1380f2fee84b93097bd6869acbbfa408730f89e62148355d58b62e
Opcode Fuzzy Hash: 614448b2390bb2ad5678ac0723f08e4af19108d0de1fd98a09d7c99c6dd05e11
Instruction Fuzzy Hash: 0041D635600504AFDB25CF28CC58FA97BA4FB49364F148268F89DE72E8E371ED60DA40

Function 00812051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008120C3
_free.LIBCMT ref: 008120E3

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f717cc9357ff40365a6876664c51ca5cbcd4c9f6764d90f334b529b7449d5b58
Instruction ID: b526c564e1d20b40db130c0adb0238d0cad1b5132a4e63c8b204a75d9437d945
Opcode Fuzzy Hash: f717cc9357ff40365a6876664c51ca5cbcd4c9f6764d90f334b529b7449d5b58
Instruction Fuzzy Hash: 0D41D232A00604EFDB24DF78C881A9DB7A9FF89324F1545A8E615EB391DB31AD51CB81

Function 007F912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 007F9141
ScreenToClient.USER32(00000000,?), ref: 007F915E
GetAsyncKeyState.USER32(00000001), ref: 007F9183
GetAsyncKeyState.USER32(00000002), ref: 007F919D

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: bcd24c7e0611c8792618bf0b5a85559397958e02f25da42b4faf8aa5bcb690f8
Instruction ID: d84cb388944dfe82fbd3692749bc5dd53df6362716338b5cc49c7c975558faa0
Opcode Fuzzy Hash: bcd24c7e0611c8792618bf0b5a85559397958e02f25da42b4faf8aa5bcb690f8
Instruction Fuzzy Hash: 87416F71A0860EFBDF159F68C848BFEB774FB45324F208229E529A3290C734A950CB91

Function 00853874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 008538CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00853922
TranslateMessage.USER32(?), ref: 0085394B
DispatchMessageW.USER32(?), ref: 00853955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00853966

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 2ff40fbd3f13677d6daaca696d453963983ce23a54248f2a4bf2170970628316
Instruction ID: d68a415b9be0aff43a5be6d8d3aa6f0770a782bfd148a7836f72fe10ccf1339b
Opcode Fuzzy Hash: 2ff40fbd3f13677d6daaca696d453963983ce23a54248f2a4bf2170970628316
Instruction Fuzzy Hash: 4E31D5B05083859EEF35CB34985CBB67FE8FB06386F44056DE866C61A0E7B4968CCB11

Function 0085CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0085C21E,00000000), ref: 0085CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0085CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0085C21E,00000000), ref: 0085CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0085C21E,00000000), ref: 0085CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0085C21E,00000000), ref: 0085CFF2

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 1c2f3446c169189c5d6aa27797777bcc99f9a7d00bd0f49fe02d5982cb7f5773
Instruction ID: 60c81d8a29788c6a803369712cb3515ca1dc4a189d4da7f8c318649b85557eff
Opcode Fuzzy Hash: 1c2f3446c169189c5d6aa27797777bcc99f9a7d00bd0f49fe02d5982cb7f5773
Instruction Fuzzy Hash: 05313C71604309EFDB24DFA5C8889AABBF9FB14356B10446EE90AD2151DB70ED449F60

Function 00841901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00841915
PostMessageW.USER32(00000001,00000201,00000001), ref: 008419C1
Sleep.KERNEL32(00000000,?,?,?), ref: 008419C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 008419DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 008419E2

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 5c0d328eeab9e0e80ddb066954cacb84bf8d21ab6862494febf439d5f23eaf08
Instruction ID: 18dac9eea1b2c14ca6670ba1ac24bb30e0230f47712886b5c83f1c2b1b8e9b4b
Opcode Fuzzy Hash: 5c0d328eeab9e0e80ddb066954cacb84bf8d21ab6862494febf439d5f23eaf08
Instruction Fuzzy Hash: 0A317672A0021DAFCB048FA8C99DAAE3FA5FB14315F504229F925EB2D1C7709984CB90

Function 00875706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00875745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0087579D
_wcslen.LIBCMT ref: 008757AF
_wcslen.LIBCMT ref: 008757BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00875816

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: fb29c817aa4e341347aeb8c8454828f4a0e5cfe3512d6028c0e99e75d0704cba
Instruction ID: a39636dcc97be65a2810b25cbcc6611f67c290ab6ec23881c7e58090f91aec74
Opcode Fuzzy Hash: fb29c817aa4e341347aeb8c8454828f4a0e5cfe3512d6028c0e99e75d0704cba
Instruction Fuzzy Hash: DC21A7719046189ADB208F64CC84AEE7B78FF14364F10C21AE91DEB1D8D7B0C985CF50

Function 00860930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00860951
GetForegroundWindow.USER32 ref: 00860968
GetDC.USER32(00000000), ref: 008609A4
GetPixel.GDI32(00000000,?,00000003), ref: 008609B0
ReleaseDC.USER32(00000000,00000003), ref: 008609E8

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 0ed06cbeaad3474bea86137b9ebb255285fddf4be9730f093f9416bbb8ff04fb
Instruction ID: 3b53d1c4521269126c7b95b6d6b77288d3068a19eabc62c8d80c049a4984a186
Opcode Fuzzy Hash: 0ed06cbeaad3474bea86137b9ebb255285fddf4be9730f093f9416bbb8ff04fb
Instruction Fuzzy Hash: 46216F35A00204AFD704EF69D889AAEBBE5FF48701F04846CE84AE7352DB70ED44CB50

Function 0081CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0081CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0081CDE9

Part of subcall function 00813820: RtlAllocateHeap.NTDLL(00000000,?,008B1444,?,007FFDF5,?,?,007EA976,00000010,008B1440,007E13FC,?,007E13C6,?,007E1129), ref: 00813852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0081CE0F
_free.LIBCMT ref: 0081CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0081CE31

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 0d6396c031c0f97d0a540cb7873ed4c8c565e62949fd6221c14b4b85bc495c93
Instruction ID: b428ded0fa77fcb7fc782566cf7f37c23ca1aa826fd6871bc2f7ba4ce79936e1
Opcode Fuzzy Hash: 0d6396c031c0f97d0a540cb7873ed4c8c565e62949fd6221c14b4b85bc495c93
Instruction Fuzzy Hash: 7901D4726412157F23211ABAAC8CDBF7A6DFFC6BA1315012DF909C7200EB61CD8191B0

Function 007F9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 007F9693
SelectObject.GDI32(?,00000000), ref: 007F96A2
BeginPath.GDI32(?), ref: 007F96B9
SelectObject.GDI32(?,00000000), ref: 007F96E2

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 8ab7185ab646db76218b9ac1a87ff849f260b5a851ab74bb6b8add797336098c
Instruction ID: ab52f0986b60a8b8c68f3338ae651590c88b3cbd53c747aff0aaa014985560b7
Opcode Fuzzy Hash: 8ab7185ab646db76218b9ac1a87ff849f260b5a851ab74bb6b8add797336098c
Instruction Fuzzy Hash: 0C213D70802349EBDF119F64DC2C7B97FA8BB50355F90031AF614EB2A4D3759896CB94

Function 00845711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00845726
_memcmp.LIBVCRUNTIME ref: 00845744
_memcmp.LIBVCRUNTIME ref: 00845757
_memcmp.LIBVCRUNTIME ref: 0084576F
_memcmp.LIBVCRUNTIME ref: 00845787

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 59b82cb312e65f0fe9f9c71635ffba0cd7da54a8a12d8f1204299dad2999cd83
Instruction ID: 162c5eab3823ed9a4d52f765350934ffa018d7fb04b7fa8195e5013abf4380d4
Opcode Fuzzy Hash: 59b82cb312e65f0fe9f9c71635ffba0cd7da54a8a12d8f1204299dad2999cd83
Instruction Fuzzy Hash: 5B0196A164161DBBE60855159E42EBE635CFB613A8B008031FE18DA383F768ED11C2A1

Function 00812DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0080F2DE,00813863,008B1444,?,007FFDF5,?,?,007EA976,00000010,008B1440,007E13FC,?,007E13C6), ref: 00812DFD
_free.LIBCMT ref: 00812E32
_free.LIBCMT ref: 00812E59
SetLastError.KERNEL32(00000000,007E1129), ref: 00812E66
SetLastError.KERNEL32(00000000,007E1129), ref: 00812E6F

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 8fa207762b2fe82788260c31e2be6e91e28903c9b55fb0de3d53225a379788dc
Instruction ID: 68d81c0931b819fc80fc64bea90d6278668a6408659b82ef79d49a45e9b59183
Opcode Fuzzy Hash: 8fa207762b2fe82788260c31e2be6e91e28903c9b55fb0de3d53225a379788dc
Instruction Fuzzy Hash: DC0181326456006B961266787C89EEB265DFFD13BAB254128F829E2293EA74C8E14161

Function 0084000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0083FF41,80070057,?,?,?,0084035E), ref: 0084002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0083FF41,80070057,?,?), ref: 00840046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0083FF41,80070057,?,?), ref: 00840054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0083FF41,80070057,?), ref: 00840064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0083FF41,80070057,?,?), ref: 00840070

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 95576e212e644e3d519f4d28aea719beac5e1fe60ac1a8f190b3a48e58c3bd95
Instruction ID: a746f0ca4c3ff956cd534671a36f9f4b6d57b889cdc0473fb27747159a73beb2
Opcode Fuzzy Hash: 95576e212e644e3d519f4d28aea719beac5e1fe60ac1a8f190b3a48e58c3bd95
Instruction Fuzzy Hash: C4018F72600608BFDB204F68DC08BAB7AADFB44751F144128FE09D3214D771DE808BA0

Function 0084E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0084E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0084E9A5
Sleep.KERNEL32(00000000), ref: 0084E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0084E9B7
Sleep.KERNEL32 ref: 0084E9F3

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 2ec62fa97c92995d5c25c660eab5bbbe54694a57f50bef6b9cf088f0964ed634
Instruction ID: ad8150cca81aaf220c86d13563c7bf15b0d8ac361bc0e232994bb1a98c6b27b2
Opcode Fuzzy Hash: 2ec62fa97c92995d5c25c660eab5bbbe54694a57f50bef6b9cf088f0964ed634
Instruction Fuzzy Hash: 8D010531C0162DDBCF00AFE5D859AEDBF78FB09715F40055AE506F2285CB309594CBA1

Function 008410F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00841114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00840B9B,?,?,?), ref: 00841120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00840B9B,?,?,?), ref: 0084112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00840B9B,?,?,?), ref: 00841136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0084114D

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: fd1661ea00d0c36d5fd6ed2c2690de37d9a0aeb1dc7604c11de3f8aea4de01a0
Instruction ID: e073c7d106e452b87a598917bbedf1f53e856a9a854d24f490198854d494c263
Opcode Fuzzy Hash: fd1661ea00d0c36d5fd6ed2c2690de37d9a0aeb1dc7604c11de3f8aea4de01a0
Instruction Fuzzy Hash: 22013C75200209BFDB154FA9DC4DE6A7F6EFF893A1B244429FA49D7360DB31DC809A60

Function 00840FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00840FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00840FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00840FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00840FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00841002

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 0f32c17f6b5cd2e415e4a82a8ec13207475e0484a6d6788e1071c4c4c5f7dcea
Instruction ID: 1a86f770a233d968894a8ff4323818c5821d2b5cd13c34e384103ad3ed26c00d
Opcode Fuzzy Hash: 0f32c17f6b5cd2e415e4a82a8ec13207475e0484a6d6788e1071c4c4c5f7dcea
Instruction Fuzzy Hash: C6F04935200705ABDB214FA4AC4DF563FADFF8AB62F504428FA49D7251DA70DC808A60

Function 00841014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0084102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00841036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00841045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0084104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00841062

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: fa9800dd367b9ca36ab141a46e88120c2b8728db869db93c7cdec0a0381ef6a4
Instruction ID: 6e7c1927518bdbcf2b8accf19d24b921cd5022f0190abe020191ba9f7c82de07
Opcode Fuzzy Hash: fa9800dd367b9ca36ab141a46e88120c2b8728db869db93c7cdec0a0381ef6a4
Instruction Fuzzy Hash: E3F06D35200705EBDB219FA4EC4DF563BADFF8A761F100428FA49D7250CA70D8908A60

Function 0085030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0085017D,?,008532FC,?,00000001,00822592,?), ref: 00850324
CloseHandle.KERNEL32(?,?,?,?,0085017D,?,008532FC,?,00000001,00822592,?), ref: 00850331
CloseHandle.KERNEL32(?,?,?,?,0085017D,?,008532FC,?,00000001,00822592,?), ref: 0085033E
CloseHandle.KERNEL32(?,?,?,?,0085017D,?,008532FC,?,00000001,00822592,?), ref: 0085034B
CloseHandle.KERNEL32(?,?,?,?,0085017D,?,008532FC,?,00000001,00822592,?), ref: 00850358
CloseHandle.KERNEL32(?,?,?,?,0085017D,?,008532FC,?,00000001,00822592,?), ref: 00850365

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: b9aa24ec43485dfbab37f99c2d08a00abb5b3d349934abef8dbf87693b0eb40c
Instruction ID: 49b3365a718556fcc64bfd14dcba5eb0ff246a53095025734f84267373c1f4b4
Opcode Fuzzy Hash: b9aa24ec43485dfbab37f99c2d08a00abb5b3d349934abef8dbf87693b0eb40c
Instruction Fuzzy Hash: 2F01A272800B159FCB309F66D880452F7F5FF503163158A3FD19692A31C371A958CF80

Function 0081D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0081D752

Part of subcall function 008129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0081D7D1,00000000,00000000,00000000,00000000,?,0081D7F8,00000000,00000007,00000000,?,0081DBF5,00000000), ref: 008129DE
Part of subcall function 008129C8: GetLastError.KERNEL32(00000000,?,0081D7D1,00000000,00000000,00000000,00000000,?,0081D7F8,00000000,00000007,00000000,?,0081DBF5,00000000,00000000), ref: 008129F0

_free.LIBCMT ref: 0081D764
_free.LIBCMT ref: 0081D776
_free.LIBCMT ref: 0081D788
_free.LIBCMT ref: 0081D79A

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1248eeb6ddfc7e1c99cb5347f8202779470ff90929a345a1b952932a12a33da1
Instruction ID: eb2ce435d9fdbdf171a88134f88a1873a70e198fa9f5fea06482710bbd4fee33
Opcode Fuzzy Hash: 1248eeb6ddfc7e1c99cb5347f8202779470ff90929a345a1b952932a12a33da1
Instruction Fuzzy Hash: 7FF0FF32545314AB9621EB6CF9C5E967BDDFF45720B980C05F049DB941CB24FCD086A5

Function 00845C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00845C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00845C6F
MessageBeep.USER32(00000000), ref: 00845C87
KillTimer.USER32(?,0000040A), ref: 00845CA3
EndDialog.USER32(?,00000001), ref: 00845CBD

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 7c6ac11a6d1e2d8586e1ce1c6417ceac9dd2e83d4c1bb35cdc30b598c2747e9b
Instruction ID: 6b303a002b6265e2062b7b0ee58b4de12f411b42caa4262525e669925c237dac
Opcode Fuzzy Hash: 7c6ac11a6d1e2d8586e1ce1c6417ceac9dd2e83d4c1bb35cdc30b598c2747e9b
Instruction Fuzzy Hash: 6A018670500B08ABEB315B50DDCEFAA77B8FB14B45F04055DA587A20E5DBF4A9C48B91

Function 008122A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008122BE

Part of subcall function 008129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0081D7D1,00000000,00000000,00000000,00000000,?,0081D7F8,00000000,00000007,00000000,?,0081DBF5,00000000), ref: 008129DE
Part of subcall function 008129C8: GetLastError.KERNEL32(00000000,?,0081D7D1,00000000,00000000,00000000,00000000,?,0081D7F8,00000000,00000007,00000000,?,0081DBF5,00000000,00000000), ref: 008129F0

_free.LIBCMT ref: 008122D0
_free.LIBCMT ref: 008122E3
_free.LIBCMT ref: 008122F4
_free.LIBCMT ref: 00812305

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c25bebbac9ebd2cf05d6c6d8ad06be7781d4728e7e094732a1339191c7230cac
Instruction ID: c9fc4b66c877a098db6ec27119d4c7b5f30635d0d9e4dd57c8762dd11d65cbd7
Opcode Fuzzy Hash: c25bebbac9ebd2cf05d6c6d8ad06be7781d4728e7e094732a1339191c7230cac
Instruction Fuzzy Hash: FFF05E719001208B8A12EF5CBC01DAD3F68FB19760740071AF424DA3B5CB3448B1AFE5

Function 007F95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 007F95D4
StrokeAndFillPath.GDI32(?,?,008371F7,00000000,?,?,?), ref: 007F95F0
SelectObject.GDI32(?,00000000), ref: 007F9603
DeleteObject.GDI32 ref: 007F9616
StrokePath.GDI32(?), ref: 007F9631

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 9e62fbf4d62bcb184e187c96c031126603b04f803f76d1f1a98f910c7f6952ee
Instruction ID: cc20874b67a6468aa8177a42e63c41554c34b70817c59c54268d2c56092ce26f
Opcode Fuzzy Hash: 9e62fbf4d62bcb184e187c96c031126603b04f803f76d1f1a98f910c7f6952ee
Instruction Fuzzy Hash: 9DF04F30005648EBDF225F65ED2C7B43F65BB00322F948318F6299A1F0D73489A1DF60

Function 00810F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 008110F9
__freea.LIBCMT ref: 00811117

Part of subcall function 00811537: _free.LIBCMT ref: 0081154F

Strings

am/pm, xrefs: 0081117A
a/p, xrefs: 008111DE

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: a52e43ffa0617c28ad76952356b36ee40474e4aab3d989d2caecf703a83b6162
Instruction ID: 6adff294a1a6d814daf785fb922f3b65d292e652c17775152d712d0c25b118e5
Opcode Fuzzy Hash: a52e43ffa0617c28ad76952356b36ee40474e4aab3d989d2caecf703a83b6162
Instruction Fuzzy Hash: 85D1DF7191020A9ACF249F68C84DBFAB7B9FF05704F280159EB11DBA54D7799DC0CB91

Function 00867B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00800242: EnterCriticalSection.KERNEL32(008B070C,008B1884,?,?,007F198B,008B2518,?,?,?,007E12F9,00000000), ref: 0080024D
Part of subcall function 00800242: LeaveCriticalSection.KERNEL32(008B070C,?,007F198B,008B2518,?,?,?,007E12F9,00000000), ref: 0080028A

Part of subcall function 007E9CB3: _wcslen.LIBCMT ref: 007E9CBD

Part of subcall function 008000A3: __onexit.LIBCMT ref: 008000A9

__Init_thread_footer.LIBCMT ref: 00867BFB

Part of subcall function 008001F8: EnterCriticalSection.KERNEL32(008B070C,?,?,007F8747,008B2514), ref: 00800202
Part of subcall function 008001F8: LeaveCriticalSection.KERNEL32(008B070C,?,007F8747,008B2514), ref: 00800235

Strings

Variable must be of type 'Object'., xrefs: 00867C3A
G, xrefs: 00867C7F
5, xrefs: 00867C78

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: f8a5b64e4141289b4c23fcd51a0e650a35c1cdbe9dbd43fb64134fb15a8402b5
Instruction ID: eebdd97583599baed00a0def259cfc6ce743fef8155c4e53448febc5f8ff130b
Opcode Fuzzy Hash: f8a5b64e4141289b4c23fcd51a0e650a35c1cdbe9dbd43fb64134fb15a8402b5
Instruction Fuzzy Hash: 49918970A04209EFCB15EF98D8859ADB7B1FF48308F118449F906DB3A2DB35AE45CB91

Function 00815AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JO~, xrefs: 00815BA8, 00815C6C

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID: JO~
API String ID: 0-1108401909
Opcode ID: 3470e67d6324346f1039ee8e289ab7ced369d458dfb963ac85b8898da881bca5
Instruction ID: 3363d4b8754735d0ba27397a1f93eb56f6d38de24df93a2d91d3d80a18024506
Opcode Fuzzy Hash: 3470e67d6324346f1039ee8e289ab7ced369d458dfb963ac85b8898da881bca5
Instruction Fuzzy Hash: 1B519F71D04609DFDB209FA8CC45EEEBBBCFF85324F140059E405E7292D77199818BA2

Function 00842716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0084B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008421D0,?,?,00000034,00000800,?,00000034), ref: 0084B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00842760

Part of subcall function 0084B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008421FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0084B3F8

Part of subcall function 0084B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0084B355
Part of subcall function 0084B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00842194,00000034,?,?,00001004,00000000,00000000), ref: 0084B365
Part of subcall function 0084B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00842194,00000034,?,?,00001004,00000000,00000000), ref: 0084B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008427CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0084281A

Strings

@, xrefs: 00842832

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: ba613f218c753eb6d0addb359f6776cc659e23e47d4a31331d23877fafd7f3a7
Instruction ID: e196bed1e1bc05f193caaf1c5d662f49c73e2b39eaa9c771936c1c6ad8f9c909
Opcode Fuzzy Hash: ba613f218c753eb6d0addb359f6776cc659e23e47d4a31331d23877fafd7f3a7
Instruction Fuzzy Hash: 5D41FC7690021CAEDB10DFA8C985ADEBBB8FF19700F104099FA55B7181DA71AE85CB61

Function 0081172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00811769
_free.LIBCMT ref: 00811834
_free.LIBCMT ref: 0081183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00811760, 00811767, 00811796, 008117CE

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: 9af88b28fb6d00f870daa304188a82009bfc92dc86346233529cf985d8eb1eac
Instruction ID: 39dc128907e64889b40fa2265deac51ae6ad282d42d0cc7885a7badcde26f2e5
Opcode Fuzzy Hash: 9af88b28fb6d00f870daa304188a82009bfc92dc86346233529cf985d8eb1eac
Instruction Fuzzy Hash: D5316D71A04218ABDF21DF999889DDEBBBCFF85310B548166EA04DB351D6708A80CB91

Function 0084C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0084C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0084C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,008B1990,01995038), ref: 0084C395

Strings

0, xrefs: 0084C2DF

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: eb731685b5244a32be783abbae5ce2187e4ebfd76f4564e60ff9977abecb124b
Instruction ID: 0c93a535ef7a966dcbfd6e47c9e07cc400ddaf9b6976a6528377d6f5d48c43c3
Opcode Fuzzy Hash: eb731685b5244a32be783abbae5ce2187e4ebfd76f4564e60ff9977abecb124b
Instruction Fuzzy Hash: 38418A322063059FD760DF29D884B1ABBE8FB85324F008A1DE9A5D7391D770E904CB62

Function 00874416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0087CC08,00000000,?,?,?,?), ref: 008744AA
GetWindowLongW.USER32 ref: 008744C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 008744D7

Strings

SysTreeView32, xrefs: 0087447C

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 5288dd272f9b11ea587259127715450dd142866adce198def58eb0e47c4618ee
Instruction ID: 495d4ca97a00d6672a73d17762c554b00feb2a8de169b0209fd39469b15b4a17
Opcode Fuzzy Hash: 5288dd272f9b11ea587259127715450dd142866adce198def58eb0e47c4618ee
Instruction Fuzzy Hash: 58319E31200205AFDB208E38DC45BEA77A9FB08328F209719F979E31E4DB74EC909750

Function 0086304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0086335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00863077,?,?), ref: 00863378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0086307A
_wcslen.LIBCMT ref: 0086309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00863106

Strings

255.255.255.255, xrefs: 00863095, 0086309A

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 46a5f6acf4f1e696c7b497214b2ac8a566d51a54f084c8cf1612a5140b51eddc
Instruction ID: 84fc834887e3ed14e65004dd38e20aec204ae8ac54998c06edbf717be914bfec
Opcode Fuzzy Hash: 46a5f6acf4f1e696c7b497214b2ac8a566d51a54f084c8cf1612a5140b51eddc
Instruction Fuzzy Hash: 3231D535604205DFC710CF68C585E6977E0FF15318F268059E915CB3A2DB32DE85C761

Function 00873EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00873F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00873F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00873F78

Strings

SysMonthCal32, xrefs: 00873F0B

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: cab02554b11d6dc1aabc343fb0794daca410df940a1bf833823451d3d3f125c3
Instruction ID: 26a721b83aa33f591d1c1ece1154ccbc331526fe53702cfdc9b15e7f42566511
Opcode Fuzzy Hash: cab02554b11d6dc1aabc343fb0794daca410df940a1bf833823451d3d3f125c3
Instruction Fuzzy Hash: E421EF32600218BFDF118F54CC86FEA3B75FB48754F114218FA19AB1D4DAB1E8909BA0

Function 00874653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00874705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00874713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0087471A

Strings

msctls_updown32, xrefs: 00874684

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: e891d9380ad410b9abd8e7f8b7d971b59ba2a3d847f596b03da34187e863dcca
Instruction ID: 8c7a9e26f80d1c73350232353b5aea11dce720263d22ac47dde8c762bb704f85
Opcode Fuzzy Hash: e891d9380ad410b9abd8e7f8b7d971b59ba2a3d847f596b03da34187e863dcca
Instruction Fuzzy Hash: 892190B5600208AFEB10DF68DCD5DAB37ADFB9A398B404149FA05DB351CB30EC51CA61

Function 008495AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0084961D

Strings

#notrayicon, xrefs: 008495B7
#OnAutoItStartRegister, xrefs: 008495F3
#requireadmin, xrefs: 008495D9

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: b0a7a15c1f14991c5ae9db43b6496422264c6ec2c32b7e741a0c3bf036fd062e
Instruction ID: 214390076c582a0cbaa50a7c5c11fc6d61b5206b74c6fb53f9d40121697aded2
Opcode Fuzzy Hash: b0a7a15c1f14991c5ae9db43b6496422264c6ec2c32b7e741a0c3bf036fd062e
Instruction Fuzzy Hash: A6215B72104518A6C331AB29EC06FB7B3D8FFA5324F118026FAC9D7181EB55DD81C295

Function 008737B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00873840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00873850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00873876

Strings

Listbox, xrefs: 0087380F

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 601c3af3ea471752077b983d4972920fe03d4dd1a20d48cda71f2f375b8e8e1a
Instruction ID: be65a3a9fa5ac0ecb596bc78ed4217ac2ea1d4a962121bd7c3e42e4e633c7f04
Opcode Fuzzy Hash: 601c3af3ea471752077b983d4972920fe03d4dd1a20d48cda71f2f375b8e8e1a
Instruction Fuzzy Hash: CE21C272600118BBEF118F54CC85FBB376EFF89794F108124F9189B194C671DC5297A1

Function 008549F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00854A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00854A5C
SetErrorMode.KERNEL32(00000000,?,?,0087CC08), ref: 00854AD0

Strings

%lu, xrefs: 00854A6F

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: a56027df7f0ca8dc5d75620b1281838026d48421fa63a5dbfc25d511b8f2bef0
Instruction ID: 3aaf5160cca7bc8d58b5bc5dff6bf5bd42d468a33400ddf1b03ad67e735017c6
Opcode Fuzzy Hash: a56027df7f0ca8dc5d75620b1281838026d48421fa63a5dbfc25d511b8f2bef0
Instruction Fuzzy Hash: D6315071A00118AFDB11DF64C985EAA7BF8FF08308F1480A9F909DB262D775ED85CB61

Function 008741EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0087424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00874264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00874271

Strings

msctls_trackbar32, xrefs: 00874226

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 814fe627e260645f9430d6722e2ef41d449079571b0f4f167cd9aca6884718d6
Instruction ID: 02ba81b032b0a0f24f1387abd1531217e47b59ca733ea2ae57fcfffeeacfb818
Opcode Fuzzy Hash: 814fe627e260645f9430d6722e2ef41d449079571b0f4f167cd9aca6884718d6
Instruction Fuzzy Hash: 8011E331350248BEEF205E29CC46FAB3BACFF95B54F114528FA59E6090D271DC619B20

Function 00842F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007E6B57: _wcslen.LIBCMT ref: 007E6B6A

Part of subcall function 00842DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00842DC5
Part of subcall function 00842DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00842DD6
Part of subcall function 00842DA7: GetCurrentThreadId.KERNEL32 ref: 00842DDD
Part of subcall function 00842DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00842DE4

GetFocus.USER32 ref: 00842F78

Part of subcall function 00842DEE: GetParent.USER32(00000000), ref: 00842DF9

GetClassNameW.USER32(?,?,00000100), ref: 00842FC3
EnumChildWindows.USER32(?,0084303B), ref: 00842FEB

Strings

%s%d, xrefs: 00842FFF

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: ea6d10214a2d79a1047e074673f05b3a664487e3735505690a1c1c005b2c95ba
Instruction ID: d32afa1420c6d444b04a34ac7f29ff444dd171dee1c0a7df65246ff07440ab33
Opcode Fuzzy Hash: ea6d10214a2d79a1047e074673f05b3a664487e3735505690a1c1c005b2c95ba
Instruction Fuzzy Hash: 6811C0B160020DABCF007F658CC9EED37AAFF94304F0440B9B909DB256DE3499458B60

Function 00875882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008758C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008758EE
DrawMenuBar.USER32(?), ref: 008758FD

Strings

0, xrefs: 0087588F

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 9dcbbc065c31e6658ed30a97e98ff459e2d01aa955b6423978f217d6e35f6073
Instruction ID: 8e50d29de578ce173b3e659c9a1ff0603a3efe3d947aea121ea2cc445dded737
Opcode Fuzzy Hash: 9dcbbc065c31e6658ed30a97e98ff459e2d01aa955b6423978f217d6e35f6073
Instruction Fuzzy Hash: A2015B31500218EEDB219F11EC48BAEBBB4FF45360F10C099E94DD6265DB71CA84DF21

Function 0084007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a6c5a68b22bcf66f0699223d6e8850341c11d8463b498df2a4b89524f6e5ba4
Instruction ID: 0912bb2628a4e1b86e5d100a1ca0648bdc42748644f1fbe47eca2fe3e79dc89a
Opcode Fuzzy Hash: 6a6c5a68b22bcf66f0699223d6e8850341c11d8463b498df2a4b89524f6e5ba4
Instruction Fuzzy Hash: 48C14B75A0021AEFDB14CFA4C898AAEBBB5FF48704F108598E605EB251D771ED41DF90

Function 00813E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00813F0B
__alldvrm.LIBCMT ref: 0081410C
__alldvrm.LIBCMT ref: 0081412E

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 97c90545f626397d442ddba788ec3097792a538a1405d19101661d5c5b39f92d
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: E9A12672D00786AFDB25CE18C891BEABBE9FF65350F28416DE585DB281C63489C2C751

Function 0086342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00863459
CoUninitialize.OLE32 ref: 00863463
VariantInit.OLEAUT32(?), ref: 0086346E
VariantClear.OLEAUT32(?), ref: 0086371B

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: da6f1c1b735036757f6028c8623b9f7fd505e56fcf79757d4f6a110fc4fa9233
Instruction ID: cab5ddfe9ce35dde055c16b617aeca155ea1ce46a3e9afe9c80c99e97c6c9bf0
Opcode Fuzzy Hash: da6f1c1b735036757f6028c8623b9f7fd505e56fcf79757d4f6a110fc4fa9233
Instruction Fuzzy Hash: 7DA11475204604DFC714DF29C889A2AB7E5FF88714F058859F98ADB362DB34EE01CB92

Function 00840436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0087FC08,?), ref: 008405F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0087FC08,?), ref: 00840608
CLSIDFromProgID.OLE32(?,?,00000000,0087CC40,000000FF,?,00000000,00000800,00000000,?,0087FC08,?), ref: 0084062D
_memcmp.LIBVCRUNTIME ref: 0084064E

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 7269fad494b281d94661d47d5fd169f187795f3991c5cec1d0c3baa43da8c9bf
Instruction ID: 385837ff395d7a8e6eaeac63f37ace261f42f70bcd9d3205ba6b73c51b9bdaa2
Opcode Fuzzy Hash: 7269fad494b281d94661d47d5fd169f187795f3991c5cec1d0c3baa43da8c9bf
Instruction Fuzzy Hash: D681F871A00209EFCB04DF94C988DEEB7B9FF89315B214558E616EB250DB71AE46CF60

Function 0086A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0086A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0086A6BA

Part of subcall function 007E9CB3: _wcslen.LIBCMT ref: 007E9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0086A79C
CloseHandle.KERNEL32(00000000), ref: 0086A7AB

Part of subcall function 007FCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00823303,?), ref: 007FCE8A

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 0ed1d2ce0ef13b3e3cd595c677934aa7b76b358b0f80627c6c882631400b9143
Instruction ID: 7d1c0bc874de0db192cc8af8ed00a00eed507c6263aa26c13252b1683485a561
Opcode Fuzzy Hash: 0ed1d2ce0ef13b3e3cd595c677934aa7b76b358b0f80627c6c882631400b9143
Instruction Fuzzy Hash: 55515B71508340AFD310EF25C88AA6BBBE8FF89754F40492DF585D7262EB34D904CB92

Function 00821391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008214C0

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: d47baeac997eb998f0e0aa9056078bdf3422bd62b5f306bb74450ca874ea4736
Instruction ID: 3628301b1baf9a21fcf3adc7cbd71e7657175baf03df850348504aa6f495acb5
Opcode Fuzzy Hash: d47baeac997eb998f0e0aa9056078bdf3422bd62b5f306bb74450ca874ea4736
Instruction Fuzzy Hash: 58413E31600524ABDF317BBCAC4D6AE3AAAFF61370F344225F41CD61D2E67448C15267

Function 00876278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 008762E2
ScreenToClient.USER32(?,?), ref: 00876315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00876382

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: f74c04d38c6f3bb88736156f755a719d5ab73a98b9bd16398c9e5ebdc6aa1e1b
Instruction ID: f45d16f0459a2ce60dc1ba7691b72986fa6f4f2a3083a6e768f7a2490884cc76
Opcode Fuzzy Hash: f74c04d38c6f3bb88736156f755a719d5ab73a98b9bd16398c9e5ebdc6aa1e1b
Instruction Fuzzy Hash: 0A514A70A00649EFCF10DF68D8849AE7BB6FB45364F108259F819DB2A4E730ED91CB90

Function 00861AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00861AFD
WSAGetLastError.WSOCK32 ref: 00861B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00861B8A
WSAGetLastError.WSOCK32 ref: 00861B94

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 256c34ff63a492dff40d49382e31d8a3b5c94635b7c01b2b14dd81e7647529bf
Instruction ID: 27eb8074832bbb851ffdf607c4305b4c70b6a028317a77f3ea94e3eaee3bb638
Opcode Fuzzy Hash: 256c34ff63a492dff40d49382e31d8a3b5c94635b7c01b2b14dd81e7647529bf
Instruction Fuzzy Hash: 7B417135600240AFEB20AF25C88AF3977E5EB48718F588458FA1A9F3D3D776DD418B90

Function 0081B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5de676bd43aff15cbcfd989c548d46644e069eac3b0beb379378e6bf6a016710
Instruction ID: 03d5b34e148918b535db9b76fe5ce4c7d745dce8c7cc6ab261f6657ce71c0e08
Opcode Fuzzy Hash: 5de676bd43aff15cbcfd989c548d46644e069eac3b0beb379378e6bf6a016710
Instruction Fuzzy Hash: 0341D175A00214AFD724AF7CCC41BEABBADFF88720F20852EF141DB682D77199818795

Function 008556D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00855783
GetLastError.KERNEL32(?,00000000), ref: 008557A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 008557CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 008557FA

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: dbcc1f1d097e6a7e519842c4538899c0ee21dc3b7a2316dc9cab022ce362072c
Instruction ID: 90dca78146b610da04fcc079cfabb2440f74ccab0aa3dda349189bad95248d47
Opcode Fuzzy Hash: dbcc1f1d097e6a7e519842c4538899c0ee21dc3b7a2316dc9cab022ce362072c
Instruction Fuzzy Hash: 21411A39600A50DFCB15DF15C448A1ABBE2FF8D321B188498EC4AAB362CB34FD45CB91

Function 0081D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00806D71,00000000,00000000,008082D9,?,008082D9,?,00000001,00806D71,8BE85006,00000001,008082D9,008082D9), ref: 0081D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0081D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0081D9AB
__freea.LIBCMT ref: 0081D9B4

Part of subcall function 00813820: RtlAllocateHeap.NTDLL(00000000,?,008B1444,?,007FFDF5,?,?,007EA976,00000010,008B1440,007E13FC,?,007E13C6,?,007E1129), ref: 00813852

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 8fc9b57b946113750f54c29bcfc903232b2f0f5ecbae12918a7dbfe906c4fa3f
Instruction ID: 087861d98f10bdfebf413c5514926240eb877eca6df874597e4da7105cddd517
Opcode Fuzzy Hash: 8fc9b57b946113750f54c29bcfc903232b2f0f5ecbae12918a7dbfe906c4fa3f
Instruction Fuzzy Hash: 7731AE72A0021AABDF249F69DC45EEE7BA9FF40310B054168FC04D7290EB35DD91CBA1

Function 008752C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00875352
GetWindowLongW.USER32(?,000000F0), ref: 00875375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00875382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008753A8

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: d3e5900a3877726f96814f9e1988660641e4f2d7da34bb708c37cca5d25fefa4
Instruction ID: aebbd7fdeee27dfce82d587526abf3160bd4f623f8246a1b602b29e84ca0e5e3
Opcode Fuzzy Hash: d3e5900a3877726f96814f9e1988660641e4f2d7da34bb708c37cca5d25fefa4
Instruction Fuzzy Hash: 7631CF30A55A0CEFEB209A14CC5ABE97761FB06390F988105BA19D63F8C7F4ED809B41

Function 0084AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0084ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0084AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0084AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0084ACC6

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 85663fe392478caefc58c220301ce816ddd69106f46713e9a00896887e2a90c8
Instruction ID: 9ff36f77e8794ca4c516a146c0d3759b2283e78f2301ffd8334224eec2f79441
Opcode Fuzzy Hash: 85663fe392478caefc58c220301ce816ddd69106f46713e9a00896887e2a90c8
Instruction Fuzzy Hash: 3131F670A8061CAFEB79CB65C8887FA7AA5FB49310F04421EE495DB1D1C375C9858792

Function 00877674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0087769A
GetWindowRect.USER32(?,?), ref: 00877710
PtInRect.USER32(?,?,00878B89), ref: 00877720
MessageBeep.USER32(00000000), ref: 0087778C

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 5d535e27dbe67e51cfa1eecce5703e02bfe426df8b0c486f8aab0e0eca22c7f9
Instruction ID: 25fcf8347536857db9e1b91fe258bba6016834d77305ce73e9f2bb05fa4c0956
Opcode Fuzzy Hash: 5d535e27dbe67e51cfa1eecce5703e02bfe426df8b0c486f8aab0e0eca22c7f9
Instruction Fuzzy Hash: 6D41AD34609254EFDB05CF58C898EA9BBF5FB49384F5481A8E418DF269C330E941CF90

Function 008716DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 008716EB

Part of subcall function 00843A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00843A57
Part of subcall function 00843A3D: GetCurrentThreadId.KERNEL32 ref: 00843A5E
Part of subcall function 00843A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008425B3), ref: 00843A65

GetCaretPos.USER32(?), ref: 008716FF
ClientToScreen.USER32(00000000,?), ref: 0087174C
GetForegroundWindow.USER32 ref: 00871752

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 08673035f9957af23bfb0a435b751ca74bc0b814650f4e642ceb7edf94ce19c1
Instruction ID: da1964f72edbc2e0c22591465ec69cbeb63dbfe09a78b81cb66a3ff28eb673d4
Opcode Fuzzy Hash: 08673035f9957af23bfb0a435b751ca74bc0b814650f4e642ceb7edf94ce19c1
Instruction Fuzzy Hash: B7317275D01149AFCB04DFAAC885CAEB7F9FF48304B54806AE415E7211D735DE45CBA1

Function 0084DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 007E7620: _wcslen.LIBCMT ref: 007E7625

_wcslen.LIBCMT ref: 0084DFCB
_wcslen.LIBCMT ref: 0084DFE2
_wcslen.LIBCMT ref: 0084E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0084E018

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 13a4e509bf84def8181df5d6e5d93955293dbac92c3949e2d5350f11b6243d1d
Instruction ID: 68424ada42abb0db907a62a44f4a5e642e252ea057ee6ec21cb87ce7fc62457a
Opcode Fuzzy Hash: 13a4e509bf84def8181df5d6e5d93955293dbac92c3949e2d5350f11b6243d1d
Instruction Fuzzy Hash: 1F219F71900618EFCB20AFA8D981BAEBBF8FF45750F144065E915FB385D6749E408BA2

Function 00878FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007F9BB2

GetCursorPos.USER32(?), ref: 00879001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00837711,?,?,?,?,?), ref: 00879016
GetCursorPos.USER32(?), ref: 0087905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00837711,?,?,?), ref: 00879094

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 494131e43f4616978465e07857149add603a9b92c665e5d5884f453e9feaa589
Instruction ID: 5c5e08fdb538f28930c78d3686a248b15844d877a761a2fd0fd6310e4eaf30f5
Opcode Fuzzy Hash: 494131e43f4616978465e07857149add603a9b92c665e5d5884f453e9feaa589
Instruction Fuzzy Hash: 4B219F35610418EFDB258F94C898EFA7BF9FB89350F448169F9498B265C331D990DB60

Function 0084D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0087CB68), ref: 0084D2FB
GetLastError.KERNEL32 ref: 0084D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0084D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0087CB68), ref: 0084D376

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 9be2f841a998264409e7a2d5ac1a5c60943914960a9e595dc073db5a6606c076
Instruction ID: a0f6a1bea015c25f37bd2ad3a13e4b0eb1cae762d704aeee68ee436bf8065f31
Opcode Fuzzy Hash: 9be2f841a998264409e7a2d5ac1a5c60943914960a9e595dc073db5a6606c076
Instruction Fuzzy Hash: 802157705093059F8710DF28C88586AB7E8FA5A328F504A5DF4A9D73A1EB30D986CB93

Function 00841571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00841014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0084102A
Part of subcall function 00841014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00841036
Part of subcall function 00841014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00841045
Part of subcall function 00841014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0084104C
Part of subcall function 00841014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00841062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008415BE
_memcmp.LIBVCRUNTIME ref: 008415E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00841617
HeapFree.KERNEL32(00000000), ref: 0084161E

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: b48afddd7d9351e55d46f91a59bf9d2519a3ab8e46eb84520d145ac7f3d1aeb1
Instruction ID: 474dc9609859134899ee5c711ff9e468aca10b8901bf96684fd38d5eff0ed195
Opcode Fuzzy Hash: b48afddd7d9351e55d46f91a59bf9d2519a3ab8e46eb84520d145ac7f3d1aeb1
Instruction Fuzzy Hash: 8C216931E00108AFDF00DFA4C949BEEB7B8FF54354F0A4459E445EB241E730AA85CBA0

Function 00872782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0087280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00872824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00872832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00872840

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: d3793c4e2e4521b28873a6dc6943ce7c4aa824ce3663a353b81019098f7b2e66
Instruction ID: 126781bbf6071df903f56dcabaca113cbb037ce138911dd3bf98020ddfa0374d
Opcode Fuzzy Hash: d3793c4e2e4521b28873a6dc6943ce7c4aa824ce3663a353b81019098f7b2e66
Instruction Fuzzy Hash: 6C21D331209115AFD7149B24C848FAA7B95FF49324F14825CF42ACB6E6CB76FC82C791

Function 008478F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00848D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0084790A,?,000000FF,?,00848754,00000000,?,0000001C,?,?), ref: 00848D8C
Part of subcall function 00848D7D: lstrcpyW.KERNEL32(00000000,?,?,0084790A,?,000000FF,?,00848754,00000000,?,0000001C,?,?,00000000), ref: 00848DB2
Part of subcall function 00848D7D: lstrcmpiW.KERNEL32(00000000,?,0084790A,?,000000FF,?,00848754,00000000,?,0000001C,?,?), ref: 00848DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00848754,00000000,?,0000001C,?,?,00000000), ref: 00847923
lstrcpyW.KERNEL32(00000000,?,?,00848754,00000000,?,0000001C,?,?,00000000), ref: 00847949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00848754,00000000,?,0000001C,?,?,00000000), ref: 00847984

Strings

cdecl, xrefs: 0084797B

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: e89b8b49241bc91a88d417c786249b63959aa49627aea04b379a3468c82d8aea
Instruction ID: 7e6f2db0e931b3d5e6f486abb084f1de2c1261f77f29ac0ca20f378042cd4b99
Opcode Fuzzy Hash: e89b8b49241bc91a88d417c786249b63959aa49627aea04b379a3468c82d8aea
Instruction Fuzzy Hash: 4A11263A20034AABCB159F38C848E7A7BA9FF85350B40402AF906C73A4EF35D851C7A1

Function 00877CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00877D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00877D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00877D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0085B7AD,00000000), ref: 00877D6B

Part of subcall function 007F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007F9BB2

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 507eefb2575c873af82df6f58e160e0b840f36e8b33a7b1c0e6d1fc2f2344677
Instruction ID: 38f205c2b6ede9af45ae589458c0288700c23320fcc9f600f4fd4be664af68c8
Opcode Fuzzy Hash: 507eefb2575c873af82df6f58e160e0b840f36e8b33a7b1c0e6d1fc2f2344677
Instruction Fuzzy Hash: 9B118C31604659AFCB209F68CC08AA63BA5FF45364B558728F93DDB2F8D731D960CB90

Function 00875660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 008756BB
_wcslen.LIBCMT ref: 008756CD
_wcslen.LIBCMT ref: 008756D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00875816

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 0eb028a6a7cfbe133e2e3ea432a2a1363070f68d27f21ae0ba10cce3a564cdf4
Instruction ID: 4d1a568810885d6315253a1f9a432cfe84dd71deb3fc04c20186fc7c45ea7676
Opcode Fuzzy Hash: 0eb028a6a7cfbe133e2e3ea432a2a1363070f68d27f21ae0ba10cce3a564cdf4
Instruction Fuzzy Hash: 7F11B471A0060896DF209F65DC85AEE7B6CFF20764F50802AFA1DD6189E7B0D984CB65

Function 00811D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74c146381d858395b9c082c5bc5da03e490aa33c92bf395bbc4a11f6fd7dfe0
Instruction ID: 03bb4595544befa0fb84ddbff95cb8838dd4c0bcf8d64e81067a4713c430c354
Opcode Fuzzy Hash: c74c146381d858395b9c082c5bc5da03e490aa33c92bf395bbc4a11f6fd7dfe0
Instruction Fuzzy Hash: 680162B220961A7EFA11167C7CC9FA7661DFF413B8B340329F625D51D6DB608C905171

Function 00841A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00841A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00841A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00841A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00841A8A

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0f7fb15890c1f2440bc265fe92f37f28e9dc03be2fed29e31cc7fd1f97cd03fd
Instruction ID: 7725b2b840a80de76c1404ec918f0fd429c27ae8d430e0a5700bb0e0bcc191da
Opcode Fuzzy Hash: 0f7fb15890c1f2440bc265fe92f37f28e9dc03be2fed29e31cc7fd1f97cd03fd
Instruction Fuzzy Hash: 2D112A3A901229FFEF10DBA4C985FADBB78FB04754F200495E604B7290D771AE50DB94

Function 0084E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0084E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0084E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0084E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0084E24D

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: bca2cf1dcc257644f490eb7cded415778bc91d307d2f9e74426c415cd5d007c4
Instruction ID: d40e980c5f689ec9f5524676c74bbf9e0461621bec9f47d2e6cfa3763dc916d0
Opcode Fuzzy Hash: bca2cf1dcc257644f490eb7cded415778bc91d307d2f9e74426c415cd5d007c4
Instruction Fuzzy Hash: D211E572904218ABCB019FA89C09A9A7BACFB45360F404329F825E3390D7B4C90087A0

Function 0080D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0080CFF9,00000000,00000004,00000000), ref: 0080D218
GetLastError.KERNEL32 ref: 0080D224
__dosmaperr.LIBCMT ref: 0080D22B
ResumeThread.KERNEL32(00000000), ref: 0080D249

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 2b518bb0d9ecaa434829ec0f77130cb769d4f9aa39854d4ee2b90192eac926a7
Instruction ID: 023c8760b8aadb2e58cc20565837c1da89b4055e95362d6e0f6a7f882b334ca2
Opcode Fuzzy Hash: 2b518bb0d9ecaa434829ec0f77130cb769d4f9aa39854d4ee2b90192eac926a7
Instruction Fuzzy Hash: DC01D236805308BBDB616BE9DC09BAE7A69FF82730F104229F929D61D1CF70D941C7A1

Function 00879EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 007F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007F9BB2

GetClientRect.USER32(?,?), ref: 00879F31
GetCursorPos.USER32(?), ref: 00879F3B
ScreenToClient.USER32(?,?), ref: 00879F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00879F7A

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 7f6ed3ab8d92449a9c6686e6c21578c0d12bebb467e0ebc61b3f3ab07a9bd6c8
Instruction ID: 39cb8e0209761ce95775663395d6c4970a45b125dcfa6842c3e42cf1ac1c04e1
Opcode Fuzzy Hash: 7f6ed3ab8d92449a9c6686e6c21578c0d12bebb467e0ebc61b3f3ab07a9bd6c8
Instruction Fuzzy Hash: 80115732A0051AABDF10EFA8D889DEE77B8FB06311F408455F955E7144DB30FA81CBA1

Function 007E600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 007E604C
GetStockObject.GDI32(00000011), ref: 007E6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 007E606A

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 52be7485582ec40d8cb9afeb8f70ad7259844802362cc8eb0fce80d2c1819387
Instruction ID: 98d40c62521b4bddb2638aace96675d24da69dd452c02e7fbd8dbfb5ce49da73
Opcode Fuzzy Hash: 52be7485582ec40d8cb9afeb8f70ad7259844802362cc8eb0fce80d2c1819387
Instruction Fuzzy Hash: 3C11A172102558BFEF125F959C48EEA7B69FF2C3A4F000215FA0452020C736ECA0DBA0

Function 00803B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00803B56

Part of subcall function 00803AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00803AD2
Part of subcall function 00803AA3: ___AdjustPointer.LIBCMT ref: 00803AED

_UnwindNestedFrames.LIBCMT ref: 00803B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00803B7C
CallCatchBlock.LIBVCRUNTIME ref: 00803BA4

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 679b5d6c70aa2e656c70e28e8f61eb6a7a199dee8487818693ad9ca97b773b3b
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 4E014C72100148BBDF526E99CC42EEB3F6DFF88768F044414FE48A6161C732E961DBA1

Function 00813073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,007E13C6,00000000,00000000,?,0081301A,007E13C6,00000000,00000000,00000000,?,0081328B,00000006,FlsSetValue), ref: 008130A5
GetLastError.KERNEL32(?,0081301A,007E13C6,00000000,00000000,00000000,?,0081328B,00000006,FlsSetValue,00882290,FlsSetValue,00000000,00000364,?,00812E46), ref: 008130B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0081301A,007E13C6,00000000,00000000,00000000,?,0081328B,00000006,FlsSetValue,00882290,FlsSetValue,00000000), ref: 008130BF

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: fa6100dd8b387a1e205fac6f93b773bd0fad318eec74df592261d98e36e01bfc
Instruction ID: 3eeca2d863ce27788880322e00681fab88575298f7c80c6abae2b8847e780029
Opcode Fuzzy Hash: fa6100dd8b387a1e205fac6f93b773bd0fad318eec74df592261d98e36e01bfc
Instruction Fuzzy Hash: F401F732311A26ABCB314B799C48DA77BDCFF09B61B210624F909E3240DB21DA81C7E0

Function 00847464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0084747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00847497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 008474AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 008474CA

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 7fb98cd99f2c304247b6c34c151d48fd2c81604f47c72a7b654cf9727f672664
Instruction ID: 1010690813d699ead7225226615b35c6f8930d40ceb2f5e221deba297e7fb6fd
Opcode Fuzzy Hash: 7fb98cd99f2c304247b6c34c151d48fd2c81604f47c72a7b654cf9727f672664
Instruction Fuzzy Hash: 6A116DB5205319ABE7208F54DC0DBA27BFCFB00B04F10856DE65AD7191D7B4E984DBA4

Function 0084B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0084ACD3,?,00008000), ref: 0084B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0084ACD3,?,00008000), ref: 0084B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0084ACD3,?,00008000), ref: 0084B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0084ACD3,?,00008000), ref: 0084B126

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 5d08d36cafe45b1c27aae5102a0c66632da8e4b3df5b8da897d44cf27dd758ce
Instruction ID: 44dfed7290a4c20ca960d561b7098a718ca85d9b39aeeeda9d71dab5ce20df69
Opcode Fuzzy Hash: 5d08d36cafe45b1c27aae5102a0c66632da8e4b3df5b8da897d44cf27dd758ce
Instruction Fuzzy Hash: 54113931C0192DE7CF04AFE4E9586EEBB78FF09711F104099D941B2285DB309650CB61

Function 00877E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00877E33
ScreenToClient.USER32(?,?), ref: 00877E4B
ScreenToClient.USER32(?,?), ref: 00877E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00877E8A

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 705c21aade121229eb78ff5eb8df5cfe9716ff66d16761e1f91180ff194e5bb7
Instruction ID: ad1246795243411afbc9605933b5d621773bc9d0d5ae7b6f92cdfa27366a34c9
Opcode Fuzzy Hash: 705c21aade121229eb78ff5eb8df5cfe9716ff66d16761e1f91180ff194e5bb7
Instruction Fuzzy Hash: 261156B9D0020AAFDB41DF98D8849EEBBF5FF18310F509056E915E3214D735AA94CF51

Function 00842DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00842DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00842DD6
GetCurrentThreadId.KERNEL32 ref: 00842DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00842DE4

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 635f7a278c3309a4678ca4a5aee9fe166b89f28fba61151262f56f1893a4bd3e
Instruction ID: 61497d1fd9ab0f33363162c7ab0f433765f8d3148284f6cb413970e98b9c6565
Opcode Fuzzy Hash: 635f7a278c3309a4678ca4a5aee9fe166b89f28fba61151262f56f1893a4bd3e
Instruction Fuzzy Hash: 5FE0EDB150562C7AD7201B629C4DFEB7E6CFB56BA1F84011DB50AD20949AA5C981C6B0

Function 00878863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 007F9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 007F9693
Part of subcall function 007F9639: SelectObject.GDI32(?,00000000), ref: 007F96A2
Part of subcall function 007F9639: BeginPath.GDI32(?), ref: 007F96B9
Part of subcall function 007F9639: SelectObject.GDI32(?,00000000), ref: 007F96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00878887
LineTo.GDI32(?,?,?), ref: 00878894
EndPath.GDI32(?), ref: 008788A4
StrokePath.GDI32(?), ref: 008788B2

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 5b386717904e7d5ae7cd11aa4f6fdd8bee79a27277368d6c22d03fb2e7984d91
Instruction ID: f39befc21fd1a54d6fa1f14d8c8baefe0dd22c2db175078d608505ae56ec3bde
Opcode Fuzzy Hash: 5b386717904e7d5ae7cd11aa4f6fdd8bee79a27277368d6c22d03fb2e7984d91
Instruction Fuzzy Hash: EAF09A36041658FADB122F94AC0DFCA3F19BF06310F808104FB15A60E1C7748550CBE5

Function 007F98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 007F98CC
SetTextColor.GDI32(?,?), ref: 007F98D6
SetBkMode.GDI32(?,00000001), ref: 007F98E9
GetStockObject.GDI32(00000005), ref: 007F98F1

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 478d6d0dd4823821f2412d1ef7babb7aa7e7e0f04bda34862f769d5a2e3d27e4
Instruction ID: 2936611773eb6421530e3f66fa9cb34909a9b64777e231f8962510423a34a99f
Opcode Fuzzy Hash: 478d6d0dd4823821f2412d1ef7babb7aa7e7e0f04bda34862f769d5a2e3d27e4
Instruction Fuzzy Hash: A8E03031244244AADB215B74AC0DBE83B10FB51335F148229F7B9950E5C37196809B20

Function 0084162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00841634
OpenThreadToken.ADVAPI32(00000000,?,?,?,008411D9), ref: 0084163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008411D9), ref: 00841648
OpenProcessToken.ADVAPI32(00000000,?,?,?,008411D9), ref: 0084164F

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 3227d58824a0944224dda64650ee6ad967b22e136e43e5cd1643215e45a3bcd3
Instruction ID: dbc9bbe32a355da180163b8a1c17d97d5879b43ffe98bd8ef85170145c4042c3
Opcode Fuzzy Hash: 3227d58824a0944224dda64650ee6ad967b22e136e43e5cd1643215e45a3bcd3
Instruction Fuzzy Hash: 2DE08C32602211EBDB201FA1AE0DB867B7CFF55792F15880CF24DDA094E634C4C0CBA4

Function 0083D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0083D858
GetDC.USER32(00000000), ref: 0083D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0083D882
ReleaseDC.USER32(?), ref: 0083D8A3

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: cbc09b11acdc24800d3c1fa0f7bd0a76f83c046a9fb9c6afc23afe97f8799a2a
Instruction ID: a7c08799fca90e18313b81a3f644895fbb6ebf614bda3ef448f3df43b2560438
Opcode Fuzzy Hash: cbc09b11acdc24800d3c1fa0f7bd0a76f83c046a9fb9c6afc23afe97f8799a2a
Instruction Fuzzy Hash: 18E01AB5800204DFCB41AFA0D84C66DBBB2FB18310F14841DE80AE7254DB389981AF40

Function 0083D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0083D86C
GetDC.USER32(00000000), ref: 0083D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0083D882
ReleaseDC.USER32(?), ref: 0083D8A3

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: fc287d8b1c2d3b72bd1711c2aa7beaa4f720c4728a517eb17803b73e202e49cf
Instruction ID: 9d95f1de05b38d0d42a2c7f5522274c8f24de7d70d1b81aaf6e7cebdf92410c7
Opcode Fuzzy Hash: fc287d8b1c2d3b72bd1711c2aa7beaa4f720c4728a517eb17803b73e202e49cf
Instruction Fuzzy Hash: CBE012B5800204EFCB51AFA0D84C66DBBB2BB18310B14800CE90EE7264DB389982AF40

Function 00854D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 007E7620: _wcslen.LIBCMT ref: 007E7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00854ED4

Strings

LPT, xrefs: 00854DFB
*, xrefs: 00854E10

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 793b3c3c2c1c2a48cb4dd0b74d5aa8e70cc428a9dc522acf152c80f7d1132ccd
Instruction ID: 52c3d499756554f7b977ba3c234fc8368c43e4f34491cce9d60a828073b0b269
Opcode Fuzzy Hash: 793b3c3c2c1c2a48cb4dd0b74d5aa8e70cc428a9dc522acf152c80f7d1132ccd
Instruction Fuzzy Hash: 66913D759002449FCB14DF58C484EA9BBF1FF48319F189099E80A9F362DB35ED89CB51

Function 0080E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0080E30D

Strings

pow, xrefs: 0080E2E5, 0080E302

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 8ae1736300507272948875ed0eb7cdd2d975125c257989b42bb843dc11127014
Instruction ID: 761445852a846283412d3ee8e978aaa7c31816ead7e397a47bf2efa06772c991
Opcode Fuzzy Hash: 8ae1736300507272948875ed0eb7cdd2d975125c257989b42bb843dc11127014
Instruction Fuzzy Hash: 04510671A0C60696DB657718DD413BB2BB8FF40B40F344DACE095C22E9DB358CD19A86

Function 007FE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 007FE1B1

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 1fa9bec3fbce77fe589dcd9c35d18a3ff1a6b778b85e47051e7c9e50a00dd948
Instruction ID: 8176275da988eef6cf71812ab317a313f94a54fe94cb9a545402d57aaa335337
Opcode Fuzzy Hash: 1fa9bec3fbce77fe589dcd9c35d18a3ff1a6b778b85e47051e7c9e50a00dd948
Instruction Fuzzy Hash: B751353590524ADFDB15EF28C485AFA7BA4FF95310F244059F991DB2E0E7389D42CB90

Function 007FF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 007FF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 007FF2BB

Strings

@, xrefs: 007FF2AF

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 927e99f3cbaf59d04c720a24a866ab8818679c3f0f6c50df2cece7b5e7260bba
Instruction ID: 74373b7af5605abcdc9eededc0697b314405ad3c82b3e91e04e2c16f792c7414
Opcode Fuzzy Hash: 927e99f3cbaf59d04c720a24a866ab8818679c3f0f6c50df2cece7b5e7260bba
Instruction Fuzzy Hash: 10515972419785DBD320AF11E88ABABB7F8FB88300F81485DF19941195EB358529CB66

Function 00865745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 008657E0
_wcslen.LIBCMT ref: 008657EC

Strings

CALLARGARRAY, xrefs: 008657E6, 008657EB

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: d47dc3b20a7344689fa7ce4c367a230a8c5290f605e5ac784c2615cc80939b44
Instruction ID: e72dd67f55dc0724cf31ffdd3612f43df42ebe8fc13a0f0a444b8e637fe72e1f
Opcode Fuzzy Hash: d47dc3b20a7344689fa7ce4c367a230a8c5290f605e5ac784c2615cc80939b44
Instruction Fuzzy Hash: 0E41AE71A00209DFCB14DFA9C8859BEBBB5FF59724F114069E605EB352E7349D81CB90

Function 0085D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0085D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0085D13A

Strings

|, xrefs: 0085D10B

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 4f0790b91f7d572690474cd5a53ab2facf56b10dbd69e0532b7d18f9080c6afa
Instruction ID: 960ca85a0f3553a14da714602e79a46888f9e34242b2eaa20cb8983f8d5f1003
Opcode Fuzzy Hash: 4f0790b91f7d572690474cd5a53ab2facf56b10dbd69e0532b7d18f9080c6afa
Instruction Fuzzy Hash: BA311B71D01209EBCF15EFA5CC89AEEBFB9FF18340F000059ED15A6165E735A946CB60

Function 0087356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00873621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0087365C

Strings

static, xrefs: 008735BC

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 6b09d85a31309b9d0286c195913da8a6404f828e380f2e4f9fb268d29fac1136
Instruction ID: 51a74c82378336ae9f4d91c3fafb4721ac96423ca8b868b92a21b4909d046528
Opcode Fuzzy Hash: 6b09d85a31309b9d0286c195913da8a6404f828e380f2e4f9fb268d29fac1136
Instruction Fuzzy Hash: 11318B71100608AADB109F28DC84EBB73A9FF98764F10D61DF9A9D7280DA35ED81E761

Function 00874537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0087461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00874634

Strings

', xrefs: 0087458E

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 48670005c891760fda8b6d2444aa5f216dae206ff0207549f05e5ae8b1dc95d7
Instruction ID: 8b3df63d9ee316a9e48d04359849316107d2b5f54086dea6ea0fee061f6209c4
Opcode Fuzzy Hash: 48670005c891760fda8b6d2444aa5f216dae206ff0207549f05e5ae8b1dc95d7
Instruction Fuzzy Hash: F4311774A0120A9FDB14CF69C990ADABBB5FB19300F109169E908EB355D770E941CF90

Function 008731EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0087327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00873287

Strings

Combobox, xrefs: 00873249

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 40ad309b7760fa7d370ff56ee4db26a89887c1ecc288bc8c2efc45ba4ddeb802
Instruction ID: 3629b5e1089b84056f0e53757eac8675b8c6e250b858666f0c2c13cfea43aee0
Opcode Fuzzy Hash: 40ad309b7760fa7d370ff56ee4db26a89887c1ecc288bc8c2efc45ba4ddeb802
Instruction Fuzzy Hash: 5411D071310208AFEF219E54DC84EAB376AFBA83A5F108128F92CE7295D631DD51A760

Function 00873710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 007E600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 007E604C
Part of subcall function 007E600E: GetStockObject.GDI32(00000011), ref: 007E6060
Part of subcall function 007E600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 007E606A

GetWindowRect.USER32(00000000,?), ref: 0087377A
GetSysColor.USER32(00000012), ref: 00873794

Strings

static, xrefs: 00873757

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 6c23d354bc3c135ff214c9dccb1232276e63b7f2b8cc519f537c5b431ad4f428
Instruction ID: 7755833cda2ec11b42838bc9aa11839a106321245c1ee7e6a293bcba7ab58399
Opcode Fuzzy Hash: 6c23d354bc3c135ff214c9dccb1232276e63b7f2b8cc519f537c5b431ad4f428
Instruction Fuzzy Hash: 931129B2610209AFDF00DFA8CC49EFA7BB8FB08354F004928F959E3250E735E8519B61

Function 0085CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0085CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0085CDA6

Strings

<local>, xrefs: 0085CD66

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 16154fc6570257e92e0c3d23313780bae23c39f1874c908f4594b139c016a842
Instruction ID: 089eef2ff7dda921b735a952ac31fb2f36035db529c1a7a3a1d417fe06a8d086
Opcode Fuzzy Hash: 16154fc6570257e92e0c3d23313780bae23c39f1874c908f4594b139c016a842
Instruction Fuzzy Hash: D511A371205735BED7284A668C49FE7BEB8FB127A5F00422AB909C3180D6649848DAF0

Function 00873429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 008734AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 008734BA

Strings

edit, xrefs: 0087348F

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 83a3e33e2c6341de05fee0ca37d6a6532ac5bf5a0b877fb305b39019b7d200d7
Instruction ID: 96d96ee157d0944b1ca84e01a577a31301511da387da0e7cfa94c26b5ab5f7e8
Opcode Fuzzy Hash: 83a3e33e2c6341de05fee0ca37d6a6532ac5bf5a0b877fb305b39019b7d200d7
Instruction Fuzzy Hash: EC11BF71100108ABEB154E64DC44AAB376AFB25378F508328FA68D31D8C731DD91A76A

Function 00846C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 007E9CB3: _wcslen.LIBCMT ref: 007E9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00846CB6
_wcslen.LIBCMT ref: 00846CC2

Strings

STOP, xrefs: 00846CBC, 00846CC1

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 3fa19b2623e64cc41d57b4f5cb08df1a3b879bc6870b96a2499630437e5b0d9a
Instruction ID: c547a1117f2652e4c8eebaf67695baa3a3d6d85aa495b46e01e8e36edf48fe87
Opcode Fuzzy Hash: 3fa19b2623e64cc41d57b4f5cb08df1a3b879bc6870b96a2499630437e5b0d9a
Instruction Fuzzy Hash: DE010432A0052E8ACB20AFBDCC849BF77A4FF667147100528E852D7190FA36DC60C651

Function 00841CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007E9CB3: _wcslen.LIBCMT ref: 007E9CBD

Part of subcall function 00843CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00843CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00841D4C

Strings

ComboBox, xrefs: 00841CEB
ListBox, xrefs: 00841D16

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 5637054eaa1bb1ff442b7a69d1afdb95c2fb97f35f2f11c953ce3b1ace8fc9a1
Instruction ID: 6e987747ceb55939727d853bfe8f4b9dc06d020b8a5353ced04acf5f7c6b2dd6
Opcode Fuzzy Hash: 5637054eaa1bb1ff442b7a69d1afdb95c2fb97f35f2f11c953ce3b1ace8fc9a1
Instruction Fuzzy Hash: 7E01D871A4121CABCF14FFA4CC59EFE7368FB56350B140919F832A73D1EA3459498670

Function 00841BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007E9CB3: _wcslen.LIBCMT ref: 007E9CBD

Part of subcall function 00843CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00843CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00841C46

Strings

ComboBox, xrefs: 00841BE5
ListBox, xrefs: 00841C10

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ed3c21f8de1c955ddfe4c6f5ddbc21e5bb266b873507035dbc774ab47850f2fc
Instruction ID: f1e0ba40f9d1d0df3abc6f11ff130509d6f67f304574e52bc1cafa9f4008d2f4
Opcode Fuzzy Hash: ed3c21f8de1c955ddfe4c6f5ddbc21e5bb266b873507035dbc774ab47850f2fc
Instruction Fuzzy Hash: B801FC7168111CA6CF14F7A0CD99AFFB3A8FB15340F100019A916B7291EA249E488671

Function 00841C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007E9CB3: _wcslen.LIBCMT ref: 007E9CBD

Part of subcall function 00843CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00843CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00841CC8

Strings

ComboBox, xrefs: 00841C69
ListBox, xrefs: 00841C94

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 8b2e527d6c69fcc79b002f5d1c54c4c1ae78bc55aa135e3577010983df1f6887
Instruction ID: 8040fd4eddd3efe0769555c9826c73c8bf9f9a04d40b95194d9f369fa99e974e
Opcode Fuzzy Hash: 8b2e527d6c69fcc79b002f5d1c54c4c1ae78bc55aa135e3577010983df1f6887
Instruction Fuzzy Hash: 6301DB7268111CA7DF14F7A5CE89AFE73A8FB15340F540019B901F7291FA249F49C671

Function 00841D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007E9CB3: _wcslen.LIBCMT ref: 007E9CBD

Part of subcall function 00843CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00843CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00841DD3

Strings

ComboBox, xrefs: 00841D75
ListBox, xrefs: 00841DA0

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 0beb2c9f6e815875de2918f70f4e06589fc12faff2b61418a954407e013ae183
Instruction ID: 2f0265670a6e769c6bb5229362f386444add15fbd846a476d6703d8deefc9cc0
Opcode Fuzzy Hash: 0beb2c9f6e815875de2918f70f4e06589fc12faff2b61418a954407e013ae183
Instruction Fuzzy Hash: F1F0F4B2F4121CA6DB14F7A4CC9ABFE7368FB06350F440919B922E72D1EA6459488270

Function 0086747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00867493
_wcslen.LIBCMT ref: 008674B9

Strings

3, 3, 16, 1, xrefs: 00867483

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 9cb1d75317ee2c4c75fe79e840c91899233b734dd5d38c4cab045873ecb677a7
Instruction ID: e34783ebbe64694c0057ede808831e237746bc853a43aea1c56297e339ac35f4
Opcode Fuzzy Hash: 9cb1d75317ee2c4c75fe79e840c91899233b734dd5d38c4cab045873ecb677a7
Instruction Fuzzy Hash: 9FE02B4224522010D271127D9CC5A7F5A8AFFC5B50711283BFE81C22B6EE948D9193E6

Function 00840B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00840B23

Strings

Error allocating memory., xrefs: 00840B1C
AutoIt, xrefs: 00840B17

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 3798a2db451c67b8acfd27c0b8ff2b86d64bd73f73635c7d96ffb2076feffc0f
Instruction ID: a7fbc5c101b91d27b7c50564b9add224dd8347ae9462e76b564c911057ca6120
Opcode Fuzzy Hash: 3798a2db451c67b8acfd27c0b8ff2b86d64bd73f73635c7d96ffb2076feffc0f
Instruction Fuzzy Hash: 78E0D83238430C66D21436947C07F897A84EF05B60F10446EF79CDA6C38EE564D006E9

Function 00800D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 007FF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00800D71,?,?,?,007E100A), ref: 007FF7CE

IsDebuggerPresent.KERNEL32(?,?,?,007E100A), ref: 00800D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,007E100A), ref: 00800D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00800D7F

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 672f55dd25669d36cdb0807e3711f706f74c1d3130e91489aae465d149091567
Instruction ID: b7604372bbbbeb2fc1c251ddc4f8e520e0bc4fc3823a3501a90c6c630633ea6a
Opcode Fuzzy Hash: 672f55dd25669d36cdb0807e3711f706f74c1d3130e91489aae465d149091567
Instruction Fuzzy Hash: 73E065702007418BD3609FB9D8083427BE0FF04744F008A2DE989C7756DBB4E4848FA1

Function 00853017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0085302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00853044

Strings

aut, xrefs: 00853038

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 3fa6ac1a815abe217484a396be4157b97fbac341092cab37f61dbefd50f8a4f6
Instruction ID: 596ad55de9f461afbc3984433084b46a14f7627968f8a3cbf785180a4ceace64
Opcode Fuzzy Hash: 3fa6ac1a815abe217484a396be4157b97fbac341092cab37f61dbefd50f8a4f6
Instruction Fuzzy Hash: 60D05B7250032467DB209794AC0DFC73B6CE705750F0001517655D3095DAB4DA84CBD0

Function 0083D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0083D220

Strings

%.3d, xrefs: 0083D22B
X64, xrefs: 0083D2A8

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 8cf63ae515b0bda19ceeb4b85249ca9c3edc32e88709b261f98399f465e4f417
Instruction ID: d83c047a5ce99f70f4516df436da25b642bd2746d87ae36647061865ee8c095a
Opcode Fuzzy Hash: 8cf63ae515b0bda19ceeb4b85249ca9c3edc32e88709b261f98399f465e4f417
Instruction Fuzzy Hash: B3D012A180820CE9CB9096E0EC498BBB37CFB48305F608452F906D2141DA38E54867A1

Function 00872322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0087232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0087233F

Part of subcall function 0084E97B: Sleep.KERNEL32 ref: 0084E9F3

Strings

Shell_TrayWnd, xrefs: 00872325

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 4cf6f161bb6fab17bccfa724c002d7e5645463ef1386057ecffb3de8415be307
Instruction ID: 636a9ebc518c170e09123836ddee7a94579e15c30781855dd785472815660128
Opcode Fuzzy Hash: 4cf6f161bb6fab17bccfa724c002d7e5645463ef1386057ecffb3de8415be307
Instruction Fuzzy Hash: E0D0C936394310B6E6A4A7709C4FFC66A14BB10B10F004A1AB659EA1E8D9A4A8418A54

Function 00872356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0087236C
PostMessageW.USER32(00000000), ref: 00872373

Part of subcall function 0084E97B: Sleep.KERNEL32 ref: 0084E9F3

Strings

Shell_TrayWnd, xrefs: 00872365

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 40d91a180a2ba07c811dc9ff746604255bb5bd4d5765e48fee496ceb185eccd5
Instruction ID: 48e7756b639d83a8ccc480d4782b9583b5b94361fe1c1b1dad8d8c049f932bc0
Opcode Fuzzy Hash: 40d91a180a2ba07c811dc9ff746604255bb5bd4d5765e48fee496ceb185eccd5
Instruction Fuzzy Hash: 5FD0C932391310BAE6A4A7709C4FFC66A14BB15B10F004A1AB659EA1E8D9A4A8418A54

Function 0081BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0081BE93
GetLastError.KERNEL32 ref: 0081BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0081BEFC

Memory Dump Source

Source File: 00000000.00000002.1749607290.00000000007E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007E0000, based on PE: true

Associated: 00000000.00000002.1749024776.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.000000000087C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750122745.00000000008A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750810397.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751626682.00000000008B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 333deabe872dad182cae0548f9369570af976bfe43851d98e51a14e075b96551
Instruction ID: ff391fd463b338164bdb0514158d17f9826f08924120bd24c39f27413479d056
Opcode Fuzzy Hash: 333deabe872dad182cae0548f9369570af976bfe43851d98e51a14e075b96551
Instruction Fuzzy Hash: 6341A235604206AFDB218FA9DC44AEA7BA9FF41320F244169F959D71E1DF308D82CB61

Analysis Process: firefox.exePID: 8100, Parent PID: 7336COMMON

Execution Graph

Execution Coverage:	0.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0000020932944DB2 Relevance: 26.1, APIs: 1, Strings: 10, Instructions: 6826nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 0000020932944E17

Strings

A, xrefs: 0000020932944E0F
#, xrefs: 0000020932945EF1
z, xrefs: 00000209329463F6
>, xrefs: 0000020932944E79
4, xrefs: 0000020932948E99
>, xrefs: 0000020932945C1C
>, xrefs: 0000020932948EBF
z, xrefs: 0000020932944E4B
#, xrefs: 0000020932943185
#, xrefs: 0000020932944E42

Memory Dump Source

Source File: 00000006.00000002.3004008674.0000020932942000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000020932942000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20932942000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID: #$#$#$4$>$>$>$A$z$z
API String ID: 3562636166-3072146587
Opcode ID: a7beeb6ed6d4bd1c13836e24e4a4bf8602c8d7752103ee20adf8d6ea9f6b849f
Instruction ID: a09c0c1abfe1b82c61091c41bf480ca7e76935185af153189932e6f24403d925
Opcode Fuzzy Hash: a7beeb6ed6d4bd1c13836e24e4a4bf8602c8d7752103ee20adf8d6ea9f6b849f
Instruction Fuzzy Hash: C7A3C431618B498BDB2DDF18DC857AA73E5FB98700F14426ED84BC7256DF34EA428B81

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191
Source: Joe Sandbox View	IP Address: 52.222.236.48 52.222.236.48

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 00000003.00000003.1896661866.000001E8BC181000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000003.00000003.1920057059.000001E8BC1A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1896436505.000001E8BC19A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000003.00000003.1901361960.000001E8BA0B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1898935614.000001E8BA344000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1908127691.000001E8B57CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000003.00000003.1901361960.000001E8BA0B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1898935614.000001E8BA344000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1906039416.000001E8BA344000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000003.00000003.1896661866.000001E8BC181000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000003.00000003.1920057059.000001E8BC1A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1896436505.000001E8BC19A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000003.00000003.1897978118.000001E8BA684000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000003.00000003.1897978118.000001E8BA684000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000003.00000003.1943091565.000001E8B4386000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000003.00000003.1901361960.000001E8BA0B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1898935614.000001E8BA344000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1908127691.000001E8B57CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000003.00000003.1901361960.000001E8BA0B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1898935614.000001E8BA344000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1906039416.000001E8BA344000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000003.00000003.1943091565.000001E8B4386000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000003.00000003.1943091565.000001E8B4386000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000003.00000003.1943091565.000001E8B4386000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000003.00000003.1943091565.000001E8B4386000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000003.00000003.1943091565.000001E8B4386000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000003.00000003.1943091565.000001E8B4386000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000003.00000003.1943091565.000001E8B4386000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000003.00000003.1943091565.000001E8B4386000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000003.00000003.1943091565.000001E8B4386000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000003.00000003.1943091565.000001E8B4386000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000003.00000003.1943091565.000001E8B4386000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000003.00000003.1943091565.000001E8B4386000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000003.00000003.1943091565.000001E8B4386000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000003.00000003.1943091565.000001E8B4386000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000003.00000003.1943091565.000001E8B4386000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000003.00000003.1943091565.000001E8B4386000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 00000003.00000003.1943091565.000001E8B4386000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 00000003.00000003.1943091565.000001E8B4386000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 00000003.00000003.1943091565.000001E8B4386000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.3000028757.000002093230A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.3000852968.00000210A5E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000003.00000003.1943091565.000001E8B4386000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.3000028757.000002093230A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.3000852968.00000210A5E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000003.00000003.1943091565.000001E8B4386000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.3000028757.000002093230A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.3000852968.00000210A5E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000003.00000003.1920057059.000001E8BC1A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1896436505.000001E8BC19A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 00000003.00000003.1896661866.000001E8BC181000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000003.00000003.1920057059.000001E8BC1A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000003.00000003.1896436505.000001E8BC19A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.222.236.48:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49839 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49840 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49841 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50024
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_73fb8d8e-e288-46e4-b359-ffe2b7aea558.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_73fb8d8e-e288-46e4-b359-ffe2b7aea558.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre