Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1532857
MD5:	d29616a63cc243d71d01c45a8c366bf1
SHA1:	6870b92acb2d8849422cd18bb60a79135c7d17b9
SHA256:	301dc00582a54384072627f1ce837d6ce3059d4d10a71b2f53cd478933f4bd3f
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 6396 cmdline: "C:\Users\user\Desktop\file.exe" MD5: D29616A63CC243D71D01C45A8C366BF1)

taskkill.exe (PID: 6440 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6740 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6940 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6104 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 2692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 2896 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 1704 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4820 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4500 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6948 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fed7d3f9-3f84-4124-88f8-77ce22b2e84c} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" 207eab70110 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7528 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4124 -parentBuildID 20230927232528 -prefsHandle 1436 -prefMapHandle 1440 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {db1543cd-8414-42c4-bb43-4630dcef5d4a} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" 207fa65b510 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8144 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5044 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5036 -prefMapHandle 4932 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65da813e-ccec-4f64-88d9-a37c36bab38f} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" 208064bcf10 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.1745082520.000000000150F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
Process Memory Space: file.exe PID: 6396	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0079EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0079EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0079ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0079ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0079EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0078AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0078AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007B9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_007B9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_eb0430e7-9
Source: file.exe, 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_654274e7-9
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b95c9cd8-c
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_dad320ad-d

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000025088545C37 NtQuerySystemInformation,		16_2_0000025088545C37
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000250889DABF2 NtQuerySystemInformation,		16_2_00000250889DABF2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0078D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0078D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00781201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00781201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0078E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0078E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00728060	0_2_00728060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00792046	0_2_00792046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00788298	0_2_00788298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0075E4FF	0_2_0075E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0075676B	0_2_0075676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007B4873	0_2_007B4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0072CAF0	0_2_0072CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0074CAA0	0_2_0074CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0073CC39	0_2_0073CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00756DD9	0_2_00756DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0073B119	0_2_0073B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007291C0	0_2_007291C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00741394	0_2_00741394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00741706	0_2_00741706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0074781B	0_2_0074781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0073997D	0_2_0073997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00727920	0_2_00727920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007419B0	0_2_007419B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00747A4A	0_2_00747A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00741C77	0_2_00741C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00747CA7	0_2_00747CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007ABE44	0_2_007ABE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00759EEE	0_2_00759EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00741F32	0_2_00741F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000025088545C37	16_2_0000025088545C37
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000250889DABF2	16_2_00000250889DABF2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000250889DB31C	16_2_00000250889DB31C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000250889DAC32	16_2_00000250889DAC32

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0073F9F2 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00740A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@68/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007937B5 GetLastError,FormatMessageW,

0_2_007937B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007810BF AdjustTokenPrivileges,CloseHandle,		0_2_007810BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007816C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_007816C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007951CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_007951CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0078D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0078D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0079648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0079648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007242A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_007242A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4432:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2692:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6952:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6760:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6464:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000D.00000003.1922676920.00000207FA46C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1885572530.0000020806160000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000D.00000003.1885572530.0000020806160000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000D.00000003.1885572530.0000020806160000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000D.00000003.1885572530.0000020806160000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000D.00000003.1922676920.00000207FA46C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1872451798.0000020802CC9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000D.00000003.1885572530.0000020806160000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000D.00000003.1885572530.0000020806160000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000D.00000003.1885572530.0000020806160000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000D.00000003.1885572530.0000020806160000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000D.00000003.1885572530.0000020806160000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

Virustotal: Detection: 35%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fed7d3f9-3f84-4124-88f8-77ce22b2e84c} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" 207eab70110 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4124 -parentBuildID 20230927232528 -prefsHandle 1436 -prefMapHandle 1440 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {db1543cd-8414-42c4-bb43-4630dcef5d4a} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" 207fa65b510 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5044 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5036 -prefMapHandle 4932 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65da813e-ccec-4f64-88d9-a37c36bab38f} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" 208064bcf10 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fed7d3f9-3f84-4124-88f8-77ce22b2e84c} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" 207eab70110 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4124 -parentBuildID 20230927232528 -prefsHandle 1436 -prefMapHandle 1440 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {db1543cd-8414-42c4-bb43-4630dcef5d4a} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" 207fa65b510 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5044 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5036 -prefMapHandle 4932 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65da813e-ccec-4f64-88d9-a37c36bab38f} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" 208064bcf10 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: UxTheme.pdb source: firefox.exe, 0000000D.00000003.1913718983.00000207FAD76000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wininet.pdb source: firefox.exe, 0000000D.00000003.1920145694.00000207FBDD9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1893408815.00000207FBDDB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911997628.00000207FBDDB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: rsaenh.pdb source: firefox.exe, 0000000D.00000003.1892803133.00000207FC0FC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1887830465.00000207FC0EB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: UMPDC.pdb source: firefox.exe, 0000000D.00000003.1893609792.00000207FB7B7000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xWindows.Security.Integrity.pdb source: firefox.exe, 0000000D.00000003.1920145694.00000207FBDDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1893356217.00000207FBDDF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1888331457.00000207FC0AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911946917.00000207FBDDF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911532378.00000207FC0AC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winsta.pdb source: firefox.exe, 0000000D.00000003.1912747108.00000207FB5A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1912747108.00000207FB53F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1920738421.00000207FB546000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: combase.pdb@ source: firefox.exe, 0000000D.00000003.1913718983.00000207FAD76000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: rpcrt4.pdb source: firefox.exe, 0000000D.00000003.1913718983.00000207FAD76000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: bcrypt.pdb source: firefox.exe, 0000000D.00000003.1913718983.00000207FAD76000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8TextInputFramework.pdb source: firefox.exe, 0000000D.00000003.1924373174.00000207F7864000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000D.00000003.1921238779.00000207FB354000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000D.00000003.1921238779.00000207FB354000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ktmw32.pdb source: firefox.exe, 0000000D.00000003.1921238779.00000207FB33C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000D.00000003.1921238779.00000207FB354000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msimg32.pdb source: firefox.exe, 0000000D.00000003.1888263738.00000207FC0B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911468649.00000207FC0B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8InputHost.pdb source: firefox.exe, 0000000D.00000003.1923268924.00000207F788B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msvcrt.pdb source: firefox.exe, 0000000D.00000003.1913718983.00000207FAD76000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xWindows.StateRepositoryPS.pdb source: firefox.exe, 0000000D.00000003.1913718983.00000207FAD76000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1913718983.00000207FAD6A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xOneCoreUAPCommonProxyStub.pdb source: firefox.exe, 0000000D.00000003.1887695945.00000207FC6E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1909571328.00000207FC6E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1888331457.00000207FC0AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1892423818.00000207FC6E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911532378.00000207FC0AC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8WinTypes.pdb source: firefox.exe, 0000000D.00000003.1923268924.00000207F788B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xul.pdb source: firefox.exe, 0000000D.00000003.1921238779.00000207FB33C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nssckbi.pdb source: firefox.exe, 0000000D.00000003.1920145694.00000207FBDD9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1893408815.00000207FBDDB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911997628.00000207FBDDB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdb source: firefox.exe, 0000000D.00000003.1913718983.00000207FAD76000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dcomp.pdb source: firefox.exe, 0000000D.00000003.1920413580.00000207FB636000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1912696259.00000207FB636000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1888781956.00000207FB636000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8audioses.pdb source: firefox.exe, 0000000D.00000003.1923268924.00000207F78A2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: profapi.pdbsqldb:places.sqlite #1 source: firefox.exe, 0000000D.00000003.1921238779.00000207FB354000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Bcp47mrm.pdb source: firefox.exe, 0000000D.00000003.1923268924.00000207F78A2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8netutils.pdb source: firefox.exe, 0000000D.00000003.1923268924.00000207F78A2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: cryptsp.pdb source: firefox.exe, 0000000D.00000003.1892803133.00000207FC0FC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1887830465.00000207FC0EB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8dhcpcsvc6.pdb source: firefox.exe, 0000000D.00000003.1924373174.00000207F7864000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sechost.pdb@ source: firefox.exe, 0000000D.00000003.1913718983.00000207FAD76000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8softokn3.pdb source: firefox.exe, 0000000D.00000003.1923268924.00000207F78E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1923268924.00000207F78A2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sspicli.pdb source: firefox.exe, 0000000D.00000003.1920145694.00000207FBDD9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1893408815.00000207FBDDB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911997628.00000207FBDDB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Bcp47Langs.pdb source: firefox.exe, 0000000D.00000003.1923268924.00000207F78A2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8wtsapi32.pdb source: firefox.exe, 0000000D.00000003.1924373174.00000207F7864000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: CLBCatQ.pdb source: firefox.exe, 0000000D.00000003.1921238779.00000207FB354000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntmarta.pdb source: firefox.exe, 0000000D.00000003.1913718983.00000207FAD76000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8twinapi.appcore.pdb source: firefox.exe, 0000000D.00000003.1923268924.00000207F788B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: userenv.pdb source: firefox.exe, 0000000D.00000003.1920413580.00000207FB636000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1912696259.00000207FB636000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1888781956.00000207FB636000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Windows.UI.pdb source: firefox.exe, 0000000D.00000003.1923268924.00000207F788B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nlaapi.pdb source: firefox.exe, 0000000D.00000003.1894465911.00000207FB3E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1921238779.00000207FB354000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1921238779.00000207FB3E1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: UxTheme.pdb@ source: firefox.exe, 0000000D.00000003.1913718983.00000207FAD76000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msimg32.pdb source: firefox.exe, 0000000D.00000003.1888263738.00000207FC0B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911468649.00000207FC0B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8CoreMessaging.pdb source: firefox.exe, 0000000D.00000003.1923268924.00000207F788B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1924373174.00000207F7864000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: crypt32.pdb@ source: firefox.exe, 0000000D.00000003.1913718983.00000207FAD76000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: win32u.pdb source: firefox.exe, 0000000D.00000003.1913718983.00000207FAD76000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d3d11.pdb source: firefox.exe, 0000000D.00000003.1912201174.00000207FB64A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1894062681.00000207FB64A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1888507514.00000207FB64A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dbghelp.pdb source: firefox.exe, 0000000D.00000003.1921238779.00000207FB345000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: srvcli.pdb source: firefox.exe, 0000000D.00000003.1893609792.00000207FB738000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: imm32.pdb source: firefox.exe, 0000000D.00000003.1913718983.00000207FAD76000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8netprofm.pdb source: firefox.exe, 0000000D.00000003.1924373174.00000207F7864000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: gdi32.pdb source: firefox.exe, 0000000D.00000003.1913718983.00000207FAD76000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: profapi.pdb source: firefox.exe, 0000000D.00000003.1921238779.00000207FB345000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: avrt.pdb source: firefox.exe, 0000000D.00000003.1888263738.00000207FC0B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911468649.00000207FC0B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Windows.Globalization.pdb source: firefox.exe, 0000000D.00000003.1923268924.00000207F78A2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mswsock.pdb source: firefox.exe, 0000000D.00000003.1894465911.00000207FB3E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1921238779.00000207FB3E1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sechost.pdb source: firefox.exe, 0000000D.00000003.1913718983.00000207FAD76000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8directmanipulation.pdb source: firefox.exe, 0000000D.00000003.1923268924.00000207F788B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8setupapi.pdb source: firefox.exe, 0000000D.00000003.1924373174.00000207F7864000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8gkcodecs.pdb source: firefox.exe, 0000000D.00000003.1924373174.00000207F7864000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8iphlpapi.pdb source: firefox.exe, 0000000D.00000003.1924373174.00000207F7864000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8vcruntime140_1.amd64.pdb source: firefox.exe, 0000000D.00000003.1924373174.00000207F7864000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: propsys.pdb source: firefox.exe, 0000000D.00000003.1921238779.00000207FB33C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8lgpllibs.pdb source: firefox.exe, 0000000D.00000003.1924373174.00000207F7864000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: firefox.pdb@ source: firefox.exe, 0000000D.00000003.1913718983.00000207FAD76000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: winmm.pdb source: firefox.exe, 0000000D.00000003.1921238779.00000207FB354000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8vcruntime140.amd64.pdb source: firefox.exe, 0000000D.00000003.1924373174.00000207F7864000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: version.pdb source: firefox.exe, 0000000D.00000003.1921238779.00000207FB345000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dbgcore.pdb source: firefox.exe, 0000000D.00000003.1921238779.00000207FB345000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8osclientcerts.pdb source: firefox.exe, 0000000D.00000003.1923268924.00000207F78E6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8CoreUIComponents.pdb source: firefox.exe, 0000000D.00000003.1924373174.00000207F7864000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mscms.pdb source: firefox.exe, 0000000D.00000003.1920413580.00000207FB636000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1912696259.00000207FB636000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1888781956.00000207FB636000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: user32.pdb source: firefox.exe, 0000000D.00000003.1913718983.00000207FAD76000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8cfgmgr32.pdb source: firefox.exe, 0000000D.00000003.1924373174.00000207F7864000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msasn1.pdb source: firefox.exe, 0000000D.00000003.1921238779.00000207FB345000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8DataExchange.pdb source: firefox.exe, 0000000D.00000003.1923268924.00000207F78A2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: 8wintrust.pdb source: firefox.exe, 0000000D.00000003.1924373174.00000207F7864000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: psapi.pdb source: firefox.exe, 0000000D.00000003.1921238779.00000207FB345000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8WindowManagementAPI.pdb source: firefox.exe, 0000000D.00000003.1923268924.00000207F788B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: DWrite.pdb source: firefox.exe, 0000000D.00000003.1921238779.00000207FB345000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: firefox.exe, 0000000D.00000003.1913718983.00000207FAD76000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8iertutil.pdb source: firefox.exe, 0000000D.00000003.1923268924.00000207F78A2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8dhcpcsvc.pdb source: firefox.exe, 0000000D.00000003.1924373174.00000207F7864000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dxgi.pdb source: firefox.exe, 0000000D.00000003.1920413580.00000207FB636000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1912696259.00000207FB636000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1888781956.00000207FB636000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8msvcp140.amd64.pdb source: firefox.exe, 0000000D.00000003.1924373174.00000207F7864000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ncrypt.pdb source: firefox.exe, 0000000D.00000003.1920145694.00000207FBDD9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1893408815.00000207FBDDB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911997628.00000207FBDDB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8webauthn.pdb source: firefox.exe, 0000000D.00000003.1924373174.00000207F7864000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8npmproxy.pdb source: firefox.exe, 0000000D.00000003.1924373174.00000207F7864000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8ColorAdapterClient.pdb source: firefox.exe, 0000000D.00000003.1923268924.00000207F78A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1923268924.00000207F7890000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8powrprof.pdb source: firefox.exe, 0000000D.00000003.1923268924.00000207F78A2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Windows.UI.Immersive.pdb source: firefox.exe, 0000000D.00000003.1923268924.00000207F788B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1923268924.00000207F7890000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: crypt32.pdb source: firefox.exe, 0000000D.00000003.1913718983.00000207FAD76000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8MMDevAPI.pdb source: firefox.exe, 0000000D.00000003.1923268924.00000207F78A2000.00000004.00000800.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007242DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00740A76 push ecx; ret

0_2_00740A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0073F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0073F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007B1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_007B1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95857

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_0000025088545C37 rdtsc

16_2_0000025088545C37

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Users\user\Desktop\file.exe TID: 6392	Thread sleep count: 116 > 30			Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6392	Thread sleep count: 171 > 30			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0078DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0078DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007968EE FindFirstFileW,FindClose,	0_2_007968EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0079698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0079698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0078D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0078D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0078D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0078D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00799642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00799642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0079979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0079979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00799B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00799B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00795C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00795C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007242DE

Source: firefox.exe, 00000011.00000002.2959142095.000001DB692B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW7
Source: firefox.exe, 0000000F.00000002.2953285823.00000225F438A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2959654159.0000025088B80000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2952614194.000001DB68DDA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000F.00000002.2959384338.00000225F481B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000010.00000002.2959654159.0000025088B80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^
Source: firefox.exe, 00000010.00000002.2952271563.00000250880DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW^
Source: firefox.exe, 00000010.00000002.2959654159.0000025088B80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
Source: firefox.exe, 0000000F.00000002.2960025336.00000225F4908000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2959654159.0000025088B80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_0000025088545C37 rdtsc

16_2_0000025088545C37

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0079EAA2 BlockInput,

0_2_0079EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00752622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00752622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007242DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00744CE8 mov eax, dword ptr fs:[00000030h]

0_2_00744CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00780B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00780B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00752622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00752622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0074083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0074083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007409D5 SetUnhandledExceptionFilter,	0_2_007409D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00740C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00740C21

Source: C:\Users\user\Desktop\file.exe

0_2_00781201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00762BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00762BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0078B226 SendInput,keybd_event,

0_2_0078B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007A22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_007A22DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00780B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00781663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00781663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000D.00000003.1882285478.0000020804501000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00740698 cpuid

0_2_00740698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00798195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00798195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0077D27A GetUserNameW,

0_2_0077D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0075BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0075BB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007242DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.1745082520.000000000150F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6396, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.1745082520.000000000150F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6396, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007A1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_007A1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007A1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_007A1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	36%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
example.org	0%	Virustotal	Browse
star-mini.c10r.facebook.com	0%	Virustotal	Browse
prod.classify-client.prod.webservices.mozgcp.net	0%	Virustotal	Browse
twitter.com	0%	Virustotal	Browse
prod.balrog.prod.cloudops.mozgcp.net	0%	Virustotal	Browse
prod.detectportal.prod.cloudops.mozgcp.net	0%	Virustotal	Browse
youtube.com	0%	Virustotal	Browse
youtube-ui.l.google.com	0%	Virustotal	Browse
reddit.map.fastly.net	0%	Virustotal	Browse
prod.remote-settings.prod.webservices.mozgcp.net	0%	Virustotal	Browse
us-west1.prod.sumo.prod.webservices.mozgcp.net	0%	Virustotal	Browse
services.addons.mozilla.org	0%	Virustotal	Browse
ipv4only.arpa	0%	Virustotal	Browse
dyna.wikimedia.org	0%	Virustotal	Browse
prod.content-signature-chains.prod.webservices.mozgcp.net	0%	Virustotal	Browse
contile.services.mozilla.com	0%	Virustotal	Browse
push.services.mozilla.com	0%	Virustotal	Browse
telemetry-incoming.r53-2.services.mozilla.com	0%	Virustotal	Browse
normandy-cdn.services.mozilla.com	0%	Virustotal	Browse
content-signature-2.cdn.mozilla.net	0%	Virustotal	Browse
www.reddit.com	0%	Virustotal	Browse
spocs.getpocket.com	0%	Virustotal	Browse
support.mozilla.org	0%	Virustotal	Browse
firefox.settings.services.mozilla.com	0%	Virustotal	Browse
prod.ads.prod.webservices.mozgcp.net	0%	Virustotal	Browse
normandy.cdn.mozilla.net	0%	Virustotal	Browse
shavar.services.mozilla.com	0%	Virustotal	Browse
detectportal.firefox.com	0%	Virustotal	Browse
www.wikipedia.org	0%	Virustotal	Browse
www.youtube.com	0%	Virustotal	Browse
www.facebook.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://MD8.mozilla.org/1/m	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.1/	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe
http://detectportal.firefox.com/	0%	Virustotal		Browse
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	0%	Virustotal		Browse
https://json-schema.org/draft/2019-09/schema.	0%	Virustotal		Browse
https://youtube.com/	0%	Virustotal		Browse
https://www.msn.com	0%	Virustotal		Browse
https://json-schema.org/draft/2020-12/schema/=	0%	Virustotal		Browse
https://www.amazon.com/exec/obidos/external-search/	0%	Virustotal		Browse
https://github.com/w3c/csswg-drafts/issues/4650	0%	Virustotal		Browse
https://www.amazon.com/	0%	Virustotal		Browse
https://github.com/mozilla-services/screenshots	0%	Virustotal		Browse
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	0%	Virustotal		Browse
https://www.youtube.com/	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
example.org	93.184.215.14	true	false	0%, Virustotal, Browse	unknown
star-mini.c10r.facebook.com	157.240.253.35	true	false	0%, Virustotal, Browse	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	0%, Virustotal, Browse	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	0%, Virustotal, Browse	unknown
twitter.com	104.244.42.129	true	false	0%, Virustotal, Browse	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	0%, Virustotal, Browse	unknown
services.addons.mozilla.org	52.222.236.120	true	false	0%, Virustotal, Browse	unknown
dyna.wikimedia.org	185.15.59.224	true	false	0%, Virustotal, Browse	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	0%, Virustotal, Browse	unknown
contile.services.mozilla.com	34.117.188.166	true	false	0%, Virustotal, Browse	unknown
youtube.com	216.58.206.46	true	false	0%, Virustotal, Browse	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	0%, Virustotal, Browse	unknown
youtube-ui.l.google.com	216.58.206.46	true	false	0%, Virustotal, Browse	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	0%, Virustotal, Browse	unknown
reddit.map.fastly.net	151.101.1.140	true	false	0%, Virustotal, Browse	unknown
ipv4only.arpa	192.0.0.171	true	false	0%, Virustotal, Browse	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	0%, Virustotal, Browse	unknown
push.services.mozilla.com	34.107.243.93	true	false	0%, Virustotal, Browse	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	0%, Virustotal, Browse	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	0%, Virustotal, Browse	unknown
www.reddit.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
spocs.getpocket.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	0%, Virustotal, Browse	unknown
support.mozilla.org	unknown	unknown	false	0%, Virustotal, Browse	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
www.youtube.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
www.facebook.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
detectportal.firefox.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	0%, Virustotal, Browse	unknown
shavar.services.mozilla.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
www.wikipedia.org	unknown	unknown	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.2955187748.00000225F44A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2953935984.00000250882C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2954190404.000001DB68F80000.00000002.10000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000011.00000002.2954704604.000001DB691C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://detectportal.firefox.com/	firefox.exe, 0000000D.00000003.1892998957.00000207FC0D1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.2955187748.00000225F44A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2953935984.00000250882C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2954190404.000001DB68F80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000F.00000002.2955923200.00000225F47E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2954475347.00000250884E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2959336551.000001DB69405000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000D.00000003.1850061723.000002080294A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1761973465.0000020802947000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000010.00000002.2954475347.0000025088486000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2954704604.000001DB6918F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000D.00000003.1919336185.00000207FCC8D000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.2955187748.00000225F44A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2953935984.00000250882C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2954190404.000001DB68F80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000D.00000003.1767694124.0000020802C9F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1885893427.0000020802CA0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1872451798.0000020802CA0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1891254850.0000020802CA9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000D.00000003.1769029122.00000207FE3B5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000D.00000003.1908769602.00000207FCA58000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1879570302.00000207FCA58000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1727268674.00000207FA777000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1726540622.00000207FA73C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1726734218.00000207FA75A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1726217794.00000207FA500000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1726370216.00000207FA71F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.2955187748.00000225F44A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2953935984.00000250882C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2954190404.000001DB68F80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000D.00000003.1775487938.00000207FC0B9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000D.00000003.1925603185.000002080611B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.2955187748.00000225F44A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2953935984.00000250882C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2954190404.000001DB68F80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.2955187748.00000225F44A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2953935984.00000250882C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2954190404.000001DB68F80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000D.00000003.1875153523.000002080288A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1901999232.000002080288A000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.2955187748.00000225F44A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2953935984.00000250882C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2954190404.000001DB68F80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1727268674.00000207FA777000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1912747108.00000207FB5B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1783019221.00000207FC4D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1920738421.00000207FB5B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1726540622.00000207FA73C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1726734218.00000207FA75A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1789241793.00000207FC4D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1784235859.00000207FC4D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1834004093.00000207FC4D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1726217794.00000207FA500000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1726370216.00000207FA71F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1786238818.00000207FC4D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1847964560.00000207FC4D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1784930046.00000207FC4D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1793981031.00000207FC4D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1785582025.00000207FC4D6000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.msn.com	firefox.exe, 0000000D.00000003.1876772389.00000207FDE69000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1904437343.00000207FDE69000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1727268674.00000207FA777000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1726540622.00000207FA73C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1726734218.00000207FA75A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1726217794.00000207FA500000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1726370216.00000207FA71F000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.2955187748.00000225F44A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2953935984.00000250882C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2954190404.000001DB68F80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.2955187748.00000225F44A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2953935984.00000250882C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2954190404.000001DB68F80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.2955187748.00000225F44A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2953935984.00000250882C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2954190404.000001DB68F80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000D.00000003.1918388070.00000207FDE70000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1876772389.00000207FDE6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1904437343.00000207FDE6F000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000D.00000003.1919336185.00000207FCC8D000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000F.00000002.2955923200.00000225F47E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2954475347.00000250884E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2959336551.000001DB69405000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000D.00000003.1901003525.0000020806096000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.2955187748.00000225F44A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2953935984.00000250882C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2954190404.000001DB68F80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.2955187748.00000225F44A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2953935984.00000250882C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2954190404.000001DB68F80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000D.00000003.1873569325.0000020802A88000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1872451798.0000020802CA0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1891254850.0000020802CA9000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.2955187748.00000225F44A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2953935984.00000250882C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2954190404.000001DB68F80000.00000002.10000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000D.00000003.1889311189.00000208044D5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.2955187748.00000225F44A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2953935984.00000250882C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2954190404.000001DB68F80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000F.00000002.2955923200.00000225F47E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2954475347.00000250884E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2959336551.000001DB69405000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://www.youtube.com/	firefox.exe, 00000011.00000002.2954704604.000001DB6910C000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.2955187748.00000225F44A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2953935984.00000250882C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2954190404.000001DB68F80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://MD8.mozilla.org/1/m	firefox.exe, 0000000D.00000003.1875153523.0000020802884000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bbc.co.uk/	firefox.exe, 0000000D.00000003.1767694124.0000020802C9F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1885893427.0000020802CA0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1872451798.0000020802CA0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1891254850.0000020802CA9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000D.00000003.1925885554.0000020806096000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1901003525.0000020806096000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000011.00000002.2954704604.000001DB691C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000D.00000003.1918648050.00000207FCF67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1907173343.00000207FCF4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922676920.00000207FA46C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1878872053.00000207FCF4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2955187748.00000225F44A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2953935984.00000250882C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2954190404.000001DB68F80000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000D.00000003.1797465098.00000207FB4AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1797465098.00000207FB47C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.1828223577.00000207FC1BB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000D.00000003.1915510466.00000208061B5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.2955187748.00000225F44A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2953935984.00000250882C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2954190404.000001DB68F80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000D.00000003.1775487938.00000207FC0B9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.13.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000D.00000003.1915321820.00000207FCAEE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000D.00000003.1889311189.00000208044D5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 0000000D.00000003.1920092773.00000207FBDE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1769029122.00000207FE3C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1904359344.00000207FE3C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1876658160.00000207FE3C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2954475347.0000025088412000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2954704604.000001DB69113000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.2955187748.00000225F44A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2953935984.00000250882C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2954190404.000001DB68F80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.2955187748.00000225F44A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2953935984.00000250882C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2954190404.000001DB68F80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.2955187748.00000225F44A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2953935984.00000250882C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2954190404.000001DB68F80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000D.00000003.1767694124.0000020802C9F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1885893427.0000020802CA0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1872451798.0000020802CA0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1891254850.0000020802CA9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.2955187748.00000225F44A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2953935984.00000250882C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2954190404.000001DB68F80000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.2955187748.00000225F44A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2953935984.00000250882C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2954190404.000001DB68F80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.2955187748.00000225F44A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2953935984.00000250882C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2954190404.000001DB68F80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000D.00000003.1875153523.000002080288A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1901999232.000002080288A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000D.00000003.1774900505.0000020802DCD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1872117164.0000020802DCD000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.2955187748.00000225F44A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2953935984.00000250882C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2954190404.000001DB68F80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.2955187748.00000225F44A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2953935984.00000250882C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2954190404.000001DB68F80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 0000000D.00000003.1797465098.00000207FB48E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListenerUseOfReleaseEventsWarningUse	firefox.exe, 0000000D.00000003.1889311189.00000208044D5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.2955187748.00000225F44A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2953935984.00000250882C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2954190404.000001DB68F80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.2955187748.00000225F44A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2953935984.00000250882C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2954190404.000001DB68F80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.1768174855.0000020802A34000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1881627600.00000207FC22D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1795450559.00000208060D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1853884130.00000207FA598000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1766140652.00000207FCB7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1865061190.00000207FC1B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1766140652.00000207FCB63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1789241793.00000207FC480000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1840222676.000002080292E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1834667647.00000207FC480000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1841955369.00000207FC480000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1875153523.00000208028AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1887081475.00000207FCB7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1904437343.00000207FDE4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1838330359.00000207FA5AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1891861503.00000207FE05A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1889065392.00000207FC26D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1914155470.0000020803136000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1874610939.0000020802A34000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1924373174.00000207F7864000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1876772389.00000207FDE4A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.1876772389.00000207FDE69000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1904437343.00000207FDE69000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://youtube.com/	firefox.exe, 0000000D.00000003.1774833478.0000020802DEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1885843859.0000020802DDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1872013618.0000020802DDE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.1876772389.00000207FDE69000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1904437343.00000207FDE69000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.2955187748.00000225F44A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2953935984.00000250882C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2954190404.000001DB68F80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000D.00000003.1875945644.0000020802837000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1903073572.0000020802837000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000D.00000003.1884869676.0000020806483000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1870553438.0000020806483000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1876772389.00000207FDE6F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000D.00000003.1884869676.0000020806483000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1870553438.0000020806483000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1876772389.00000207FDE6F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000D.00000003.1774900505.0000020802DCD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1872117164.0000020802DCD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000D.00000003.1850061723.000002080294A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1761973465.0000020802947000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.2955187748.00000225F44A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2953935984.00000250882C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2954190404.000001DB68F80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000D.00000003.1901999232.00000208028A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1875153523.000002080289C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000D.00000003.1767694124.0000020802C9F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1766929216.00000207FBC66000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1885893427.0000020802CA0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1872451798.0000020802CA0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1891254850.0000020802CA9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000D.00000003.1774900505.0000020802D95000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile.services.mozilla.comPC	firefox.exe, 0000000D.00000003.1768102300.0000020802A9B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.2955187748.00000225F44A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2953935984.00000250882C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2954190404.000001DB68F80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1839781891.00000207FA31F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1897931719.00000207FA333000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1732734841.00000207FA333000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1728929224.00000207FA333000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1730540286.00000207FA31E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000D.00000003.1797465098.00000207FB48E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000D.00000003.1922676920.00000207FA46C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.2955187748.00000225F44A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2953935984.00000250882C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2954190404.000001DB68F80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000D.00000003.1918332744.00000207FDE88000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1876772389.00000207FDE6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1904437343.00000207FDE6F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000D.00000003.1797465098.00000207FB4BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1797465098.00000207FB48E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1839781891.00000207FA31F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1897931719.00000207FA333000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1732734841.00000207FA333000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1728929224.00000207FA333000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1730540286.00000207FA31E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000D.00000003.1925885554.0000020806096000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1901003525.0000020806096000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000F.00000002.2955923200.00000225F47E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2954475347.00000250884E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2959336551.000001DB69405000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000D.00000003.1873569325.0000020802A88000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2955187748.00000225F44A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2953935984.00000250882C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2954190404.000001DB68F80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.co.uk/	firefox.exe, 0000000D.00000003.1767694124.0000020802C9F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1885893427.0000020802CA0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1872451798.0000020802CA0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1891254850.0000020802CA9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000D.00000003.1870927386.00000208061DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1900610092.00000208061DA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 0000000F.00000002.2955187748.00000225F44A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2953935984.00000250882C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2954190404.000001DB68F80000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 0000000D.00000003.1726370216.00000207FA71F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
216.58.206.46	youtube.com	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
52.222.236.120	services.addons.mozilla.org	United States	16509	AMAZON-02US	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532857
Start date and time:	2024-10-14 02:16:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@68/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 94% Number of executed functions: 38 Number of non-executed functions: 312
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 35.83.8.120, 52.26.161.5, 52.25.49.43, 142.250.185.138, 172.217.18.10, 142.250.186.110, 2.22.61.56, 2.22.61.59, 172.217.16.206
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:17:09	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	oUbgeGwOL8.exe	Get hash	malicious	LummaC, Amadey, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
52.222.236.120	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	oUbgeGwOL8.exe	Get hash	malicious	LummaC, Amadey, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	http://painel.simpatiafm.com.br/	Get hash	malicious	Unknown	Browse	157.240.0.35
	https://shawri.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	157.240.0.35
	https://currenntlyattyah06.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	157.240.253.35
	https://shawri.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	157.240.251.35
	https://currenntlyattyah06.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	157.240.251.35
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	http://ernestlerma.com/	Get hash	malicious	Unknown	Browse	157.240.253.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe	Get hash	malicious	Unknown	Browse	34.117.223.223
	SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe	Get hash	malicious	Unknown	Browse	34.117.223.223
	http://bancolombia-personas-co.glitch.me/	Get hash	malicious	Unknown	Browse	34.117.59.81
	http://bancolombia-seguridad-co.glitch.me/	Get hash	malicious	Unknown	Browse	34.117.59.81
	http://telegiraum.club/	Get hash	malicious	Telegram Phisher	Browse	34.117.59.81
	SecuriteInfo.com.Trojan.PWS.Stealer.39881.18601.16388.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	http://bancolombia-seguridad-co.glitch.me/	Get hash	malicious	Unknown	Browse	34.117.59.81
	http://telegiraum.club/	Get hash	malicious	Telegram Phisher	Browse	34.117.59.81
AMAZON-02US	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120
	https://60ms64xz.r.eu-west-1.awstrack.me/L0/https:%2F%2Fnym1-ib.adnxs.com%2Fclick2%3Fe=wqT_3QKhAfCBoQAAAAMAxBkFAQj1xf22BhCN5rHDq8rIsXYY6OvVqs3R1c9aIPXtswsoykEwhx04AkDV-qXwAUiY1VJQAFoDVVNEYgNVU0RorAJw-gF4kfdrgAG5zAOIAQGQAQGYAQWgAQKpAVM7_DVZo44_sQHWE0zrJXyFP7kBAAAAwMzM7D_BAREUDMkBUDsJKDDYAQDgAQDwAdEO-AEA%2Fs=555aa6e5683ce51c048a98b83e6a923b5a8d9a2c%2Fbcr=AAAAAAAA8D8=%2Fcnd=%25218hVjbgiv18IdENX6pfABGJjVUiAAKAAxmpmZmZmZuT86CU5ZTTI6NTI1NECoR0kAAAAAAADwP1EAAAAAAAAAAFkAAAAAAAAAAGEAAAAAAAAAAGkAAAAAAAAAAHEAAAAAAAAAAHgAiQEAAAAAAADwPw..%2Fcca=MzcxOSNOWU0yOjUyNTQ=%2Fbn=58937%2Fclickenc=http%253A%252F%252Faa.ns.agingbydesignministry.org%3FMlcinsurance=grant.harpur@mlcinsurance.com.au/1/0102019284444055-c8ec5399-450a-413f-acab-546e07ef32e7-000000/Qxx4uNY6H1RoEfFUkvzFba2SPik=395	Get hash	malicious	HTMLPhisher	Browse	52.210.33.116
	https://60ms64xz.r.eu-west-1.awstrack.me/L0/https:%2F%2Fnym1-ib.adnxs.com%2Fclick2%3Fe=wqT_3QKhAfCBoQAAAAMAxBkFAQj1xf22BhCN5rHDq8rIsXYY6OvVqs3R1c9aIPXtswsoykEwhx04AkDV-qXwAUiY1VJQAFoDVVNEYgNVU0RorAJw-gF4kfdrgAG5zAOIAQGQAQGYAQWgAQKpAVM7_DVZo44_sQHWE0zrJXyFP7kBAAAAwMzM7D_BAREUDMkBUDsJKDDYAQDgAQDwAdEO-AEA%2Fs=555aa6e5683ce51c048a98b83e6a923b5a8d9a2c%2Fbcr=AAAAAAAA8D8=%2Fcnd=%25218hVjbgiv18IdENX6pfABGJjVUiAAKAAxmpmZmZmZuT86CU5ZTTI6NTI1NECoR0kAAAAAAADwP1EAAAAAAAAAAFkAAAAAAAAAAGEAAAAAAAAAAGkAAAAAAAAAAHEAAAAAAAAAAHgAiQEAAAAAAADwPw..%2Fcca=MzcxOSNOWU0yOjUyNTQ=%2Fbn=58937%2Fclickenc=http%253A%252F%252Faa.ns.agingbydesignministry.org%3FMlcinsurance=grant.harpur@mlcinsurance.com.au/1/0102019284444055-c8ec5399-450a-413f-acab-546e07ef32e7-000000/Qxx4uNY6H1RoEfFUkvzFba2SPik=395	Get hash	malicious	Unknown	Browse	52.210.33.116
	https://payrollruntimesheet.weebly.com/verify.html	Get hash	malicious	HTMLPhisher	Browse	50.112.173.192
	https://john17237.wixsite.com/my-site	Get hash	malicious	HTMLPhisher	Browse	108.156.60.94
	http://chwcs91azo1jf8f6b6acu6sf7da7lxazxwg6fo8epa.sbxaccountants.com.au/	Get hash	malicious	Captcha Phish	Browse	18.245.78.122
	SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe	Get hash	malicious	Unknown	Browse	52.36.31.154
	SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe	Get hash	malicious	Unknown	Browse	108.138.2.33
	https://fexegreuyauja-8124.vercel.app/mixc.html	Get hash	malicious	HTMLPhisher	Browse	76.76.21.22
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	https://john17237.wixsite.com/my-site	Get hash	malicious	HTMLPhisher	Browse	34.149.206.255
	SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe	Get hash	malicious	Unknown	Browse	34.160.176.28
	SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe	Get hash	malicious	Unknown	Browse	34.160.176.28
	https://shawri.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	34.49.241.189
	https://currenntlyattyah06.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	34.170.150.109
	https://currenntlyattyah06.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	34.160.46.1
	https://shawri.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	34.49.241.189
	https://currenntlyattyah06.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	34.160.46.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	oUbgeGwOL8.exe	Get hash	malicious	LummaC, Amadey, Stealc	Browse	52.222.236.120 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_f64fc7df-04bd-4865-a08c-b911e3a04c55.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.18045592514222
Encrypted:	false
SSDEEP:	192:zjMXmATcbhbVbTbfbRbObtbyEl7nMr6iJA6WnSrDtTUd/SkDr/:zYncNhnzFSJsrKBnSrDhUd/t
MD5:	C36DAF50D6CA87DD031413FDD1547FA1
SHA1:	988F425356705B2692E0B1020986EE4A12A63481
SHA-256:	DD9AF42A53A8846A7C4D953DE0EB52E31BC5CEE4606EB31531238A41BE580550
SHA-512:	CCA11A67077561713D52DACBDD1C014DE957032265426E511688D8496FD87C7A9FEAB98A85EB481C854A6CAA27CCB88000D826409AF02A60592C27077F750222
Malicious:	false
Preview:	{"type":"uninstall","id":"f64fc7df-04bd-4865-a08c-b911e3a04c55","creationDate":"2024-10-14T02:00:07.243Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_f64fc7df-04bd-4865-a08c-b911e3a04c55.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.18045592514222
Encrypted:	false
SSDEEP:	192:zjMXmATcbhbVbTbfbRbObtbyEl7nMr6iJA6WnSrDtTUd/SkDr/:zYncNhnzFSJsrKBnSrDhUd/t
MD5:	C36DAF50D6CA87DD031413FDD1547FA1
SHA1:	988F425356705B2692E0B1020986EE4A12A63481
SHA-256:	DD9AF42A53A8846A7C4D953DE0EB52E31BC5CEE4606EB31531238A41BE580550
SHA-512:	CCA11A67077561713D52DACBDD1C014DE957032265426E511688D8496FD87C7A9FEAB98A85EB481C854A6CAA27CCB88000D826409AF02A60592C27077F750222
Malicious:	false
Preview:	{"type":"uninstall","id":"f64fc7df-04bd-4865-a08c-b911e3a04c55","creationDate":"2024-10-14T02:00:07.243Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.9279493561552306
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakNt9Q:8S+OfJQPUFpOdwNIOdYVjvYcXaNLqH8P
MD5:	97D39D4E0936409224DA513D6BB21929
SHA1:	CFCED1D12A54CF48D8B733462D3462C89C7FFDD2
SHA-256:	D4759D9B312BD14C037CD3C65E67631FCC34D56CD4972395EE8C3EE0F3265314
SHA-512:	78C20CCFF5965C6976517E4092E6A9EBA8EBB9F4132C17FAFE46475698162A7CE652BD2306633B7AB38EE16E5CEF25D50825782A7D3DDB1F9C15B0277393AA76
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.9279493561552306
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakNt9Q:8S+OfJQPUFpOdwNIOdYVjvYcXaNLqH8P
MD5:	97D39D4E0936409224DA513D6BB21929
SHA1:	CFCED1D12A54CF48D8B733462D3462C89C7FFDD2
SHA-256:	D4759D9B312BD14C037CD3C65E67631FCC34D56CD4972395EE8C3EE0F3265314
SHA-512:	78C20CCFF5965C6976517E4092E6A9EBA8EBB9F4132C17FAFE46475698162A7CE652BD2306633B7AB38EE16E5CEF25D50825782A7D3DDB1F9C15B0277393AA76
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: c5yDnHUmFv.exe, Detection: malicious, Browse Filename: c5yDnHUmFv.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07330107161819789
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkihERZl:DLhesh7Owd4+jieb
MD5:	B60F986596FB3CAB5742598FD8FB52DC
SHA1:	69F1AE42E52DDB5B885AE4CB7FBF2399D3844CB1
SHA-256:	89954156A4F9EA0D5DC1295AEE8AAD21C1FB814EDFB037698971DAC16954C9FC
SHA-512:	2E804A02FBA0619EA36115E1B5E1F23C2756927205E1CD9652ABACA5DC759CBCF2CB33B1B8140EF6AF7D6D9922EB165E7585D1F56F43548A7F1051381764CC51
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.034635539126218286
Encrypted:	false
SSDEEP:	3:GtlstFWdinTAEylstFWdinTAEXllT89//alEl:GtWtUUc/WtUUcMJ89XuM
MD5:	13AEF8E6DF4463A6EE0C43DDB9E4E2E2
SHA1:	FDE63057D572F93725B5AA238AF101B1494D9042
SHA-256:	E0293273DC65C025DAB2E4322C3D7116A1B1241A0BD956119BAC530640A65767
SHA-512:	1A83F13B3E3466D91C931908E39246C1E695A5BD1D9CBB8B28369DEDCBAB47F02ED5567BAC11ACBD1BC3E227103FCE468F5E5B0195A1EF53B55488E71D1AD88D
Malicious:	false
Preview:	..-......................Q.$..Q..M.i.Ba.....G....-......................Q.$..Q..M.i.Ba.....G..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03965353112274345
Encrypted:	false
SSDEEP:	3:Ol17FPNlAnoKWEvllrl8rEXsxdwhml8XW3R2:K1lCoKWGDl8dMhm93w
MD5:	F2AE2317CE7B748BBD2FB5FF86950ADC
SHA1:	9F3414F8997B08432E3E43B8205E0799F465A94D
SHA-256:	6B29A355159B4EA3C11F8844E8F3E084A8E7D454AF7AEE301A7C3B560D9BDA2C
SHA-512:	AAAE3EF26DDED92ACA6519F0953B9E495F1227337B7C4C7B8F148F6983A8CAD538522216ACDD64EA7DFDF11768CE35152D9E29110551679E96DE125FF2174132
Malicious:	false
Preview:	7....-...........M.i.Ba.?IP...j..........M.i.Ba.$.Q..Q..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.493125672391919
Encrypted:	false
SSDEEP:	192:6WnaRtLYbBp6chj4qyaaX46KV24NC65RfGNBw8deSl:se2qcWTxcw90
MD5:	9D8C1F6395ADA3BE579A0D20C7693D80
SHA1:	39746674E4BE9A29CA38B853E237345BDCFC5F6F
SHA-256:	56389F03DEEAD4FBA1B7056E56439505EF896C81FB26B88AA9398D3659FB6FDA
SHA-512:	D75F9992BD01713BC781EC8C5622AC16B8E0F099AD5CB449ADBED96320D30212B36A5A8627F275224B1935598590E33DAA380E16863F1CF3847673CBEC96E361
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1728871177);..user_pref("app.update.lastUpdateTime.background-update-timer", 1728871177);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1728871177);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172887

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.493125672391919
Encrypted:	false
SSDEEP:	192:6WnaRtLYbBp6chj4qyaaX46KV24NC65RfGNBw8deSl:se2qcWTxcw90
MD5:	9D8C1F6395ADA3BE579A0D20C7693D80
SHA1:	39746674E4BE9A29CA38B853E237345BDCFC5F6F
SHA-256:	56389F03DEEAD4FBA1B7056E56439505EF896C81FB26B88AA9398D3659FB6FDA
SHA-512:	D75F9992BD01713BC781EC8C5622AC16B8E0F099AD5CB449ADBED96320D30212B36A5A8627F275224B1935598590E33DAA380E16863F1CF3847673CBEC96E361
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1728871177);..user_pref("app.update.lastUpdateTime.background-update-timer", 1728871177);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1728871177);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172887

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1569
Entropy (8bit):	6.345861069243387
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSWLXnIgE/pnxQwRlszT5sKtG3eHVMj2TyamhujJlOsIomNVr0aDge4:GUpOxTEnR6w3elTy4JlIquR4
MD5:	8245E0DA7F8D24E3E24B7C0F56EED380
SHA1:	4EBA35F86839D2BCF53F41F39E1F6DEA651844BB
SHA-256:	4888C663B887FAAB7EB95D3D63C170D8B129144ABB32825ECE960EBD91254638
SHA-512:	7E7A235C5EA88248FD1B0FFB4604110BD8EA66D258B3732EBC835E74219C6023051E0656B15A2138288BC50C4C63C24E108069E379008B9248BB5CFBBC97C13C
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{8c8f927d-02f1-4cd9-a24d-9ba9a54d3382}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1728871182312,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P47028...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu....8bad2467092e6ddeb0dfa9e5e....86d26790ca7ba2ce88d10cb4604fe726755","pa..p"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...53574,"originA...."fi

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1569
Entropy (8bit):	6.345861069243387
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSWLXnIgE/pnxQwRlszT5sKtG3eHVMj2TyamhujJlOsIomNVr0aDge4:GUpOxTEnR6w3elTy4JlIquR4
MD5:	8245E0DA7F8D24E3E24B7C0F56EED380
SHA1:	4EBA35F86839D2BCF53F41F39E1F6DEA651844BB
SHA-256:	4888C663B887FAAB7EB95D3D63C170D8B129144ABB32825ECE960EBD91254638
SHA-512:	7E7A235C5EA88248FD1B0FFB4604110BD8EA66D258B3732EBC835E74219C6023051E0656B15A2138288BC50C4C63C24E108069E379008B9248BB5CFBBC97C13C
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{8c8f927d-02f1-4cd9-a24d-9ba9a54d3382}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1728871182312,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P47028...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu....8bad2467092e6ddeb0dfa9e5e....86d26790ca7ba2ce88d10cb4604fe726755","pa..p"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...53574,"originA...."fi

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1569
Entropy (8bit):	6.345861069243387
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSWLXnIgE/pnxQwRlszT5sKtG3eHVMj2TyamhujJlOsIomNVr0aDge4:GUpOxTEnR6w3elTy4JlIquR4
MD5:	8245E0DA7F8D24E3E24B7C0F56EED380
SHA1:	4EBA35F86839D2BCF53F41F39E1F6DEA651844BB
SHA-256:	4888C663B887FAAB7EB95D3D63C170D8B129144ABB32825ECE960EBD91254638
SHA-512:	7E7A235C5EA88248FD1B0FFB4604110BD8EA66D258B3732EBC835E74219C6023051E0656B15A2138288BC50C4C63C24E108069E379008B9248BB5CFBBC97C13C
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{8c8f927d-02f1-4cd9-a24d-9ba9a54d3382}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1728871182312,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P47028...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu....8bad2467092e6ddeb0dfa9e5e....86d26790ca7ba2ce88d10cb4604fe726755","pa..p"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...53574,"originA...."fi

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.03382451998585
Encrypted:	false
SSDEEP:	48:YrSAYEL26UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcb5:yc7yTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	BD095FF05D071C5EF00D599F3F54F791
SHA1:	CA019E4B411A788D87295AC2299A9D88857AA5BB
SHA-256:	CEDF790BB1BEC7BD525E0E457AEEDBADB4D663FA840777701F4E3DEBDE17BA93
SHA-512:	6E2A479D4F40BC9DA6B7910B5FD1291CA7DF3ABDB96BD1C128665B51795814F73730459FA9EB51A9D95BE879D2D97F6364267318EFC82DD45A82E1B3CD56F748
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-14T01:59:24.342Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.03382451998585
Encrypted:	false
SSDEEP:	48:YrSAYEL26UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcb5:yc7yTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	BD095FF05D071C5EF00D599F3F54F791
SHA1:	CA019E4B411A788D87295AC2299A9D88857AA5BB
SHA-256:	CEDF790BB1BEC7BD525E0E457AEEDBADB4D663FA840777701F4E3DEBDE17BA93
SHA-512:	6E2A479D4F40BC9DA6B7910B5FD1291CA7DF3ABDB96BD1C128665B51795814F73730459FA9EB51A9D95BE879D2D97F6364267318EFC82DD45A82E1B3CD56F748
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-14T01:59:24.342Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584680079355649
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	d29616a63cc243d71d01c45a8c366bf1
SHA1:	6870b92acb2d8849422cd18bb60a79135c7d17b9
SHA256:	301dc00582a54384072627f1ce837d6ce3059d4d10a71b2f53cd478933f4bd3f
SHA512:	6031fd857eed359dff5a52ec071b8afb524d61d420244abecd647745a20491e84eacec79ec3fc9e2c6c5188c336a867cdeb34fa2484d16b5939e1860f2879071
SSDEEP:	12288:6qDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/T9:6qDEvCTbMWu7rQYlBQcBiT6rprG8ab9
TLSH:	B3159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x670C5F82 [Mon Oct 14 00:02:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F9C9D06C563h
jmp 00007F9C9D06BE6Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F9C9D06C04Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F9C9D06C01Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F9C9D06EC0Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F9C9D06EC58h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F9C9D06EC41h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	7410c4e1cba650451c8c98ea78ae9b89	False	0.31571400316455694	data	5.373862591074863	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 02:17:05.211410999 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 14, 2024 02:17:05.211461067 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 14, 2024 02:17:05.211595058 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 14, 2024 02:17:05.215938091 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 14, 2024 02:17:05.215961933 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 14, 2024 02:17:05.728275061 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 14, 2024 02:17:05.730324984 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 14, 2024 02:17:05.737535000 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 14, 2024 02:17:05.737556934 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 14, 2024 02:17:05.737667084 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 14, 2024 02:17:05.737812996 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 14, 2024 02:17:05.738389015 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 14, 2024 02:17:07.194289923 CEST	49738	443	192.168.2.4	216.58.206.46
Oct 14, 2024 02:17:07.194380999 CEST	443	49738	216.58.206.46	192.168.2.4
Oct 14, 2024 02:17:07.194971085 CEST	49738	443	192.168.2.4	216.58.206.46
Oct 14, 2024 02:17:07.196475983 CEST	49738	443	192.168.2.4	216.58.206.46
Oct 14, 2024 02:17:07.196556091 CEST	443	49738	216.58.206.46	192.168.2.4
Oct 14, 2024 02:17:07.387939930 CEST	49739	443	192.168.2.4	216.58.206.46
Oct 14, 2024 02:17:07.387983084 CEST	443	49739	216.58.206.46	192.168.2.4
Oct 14, 2024 02:17:07.389254093 CEST	49739	443	192.168.2.4	216.58.206.46
Oct 14, 2024 02:17:07.390778065 CEST	49739	443	192.168.2.4	216.58.206.46
Oct 14, 2024 02:17:07.390795946 CEST	443	49739	216.58.206.46	192.168.2.4
Oct 14, 2024 02:17:07.408910036 CEST	49740	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:07.414000988 CEST	80	49740	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:07.414191961 CEST	49740	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:07.414191961 CEST	49740	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:07.419217110 CEST	80	49740	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:07.592338085 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 14, 2024 02:17:07.592401028 CEST	443	49741	34.117.188.166	192.168.2.4
Oct 14, 2024 02:17:07.593339920 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 14, 2024 02:17:07.594769955 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 14, 2024 02:17:07.594811916 CEST	443	49741	34.117.188.166	192.168.2.4
Oct 14, 2024 02:17:07.607696056 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 14, 2024 02:17:07.607722044 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 14, 2024 02:17:07.608112097 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 14, 2024 02:17:07.609478951 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 14, 2024 02:17:07.609507084 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 14, 2024 02:17:07.610433102 CEST	49743	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:07.610466003 CEST	443	49743	35.244.181.201	192.168.2.4
Oct 14, 2024 02:17:07.611145973 CEST	49743	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:07.611248016 CEST	49743	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:07.611253977 CEST	443	49743	35.244.181.201	192.168.2.4
Oct 14, 2024 02:17:07.857937098 CEST	443	49738	216.58.206.46	192.168.2.4
Oct 14, 2024 02:17:07.858202934 CEST	49738	443	192.168.2.4	216.58.206.46
Oct 14, 2024 02:17:07.858942032 CEST	443	49738	216.58.206.46	192.168.2.4
Oct 14, 2024 02:17:07.859214067 CEST	49738	443	192.168.2.4	216.58.206.46
Oct 14, 2024 02:17:07.870045900 CEST	80	49740	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:07.919003963 CEST	49740	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:07.942624092 CEST	49738	443	192.168.2.4	216.58.206.46
Oct 14, 2024 02:17:07.942625046 CEST	49738	443	192.168.2.4	216.58.206.46
Oct 14, 2024 02:17:07.942708015 CEST	443	49738	216.58.206.46	192.168.2.4
Oct 14, 2024 02:17:07.943353891 CEST	443	49738	216.58.206.46	192.168.2.4
Oct 14, 2024 02:17:07.949656010 CEST	49738	443	192.168.2.4	216.58.206.46
Oct 14, 2024 02:17:08.030076981 CEST	443	49739	216.58.206.46	192.168.2.4
Oct 14, 2024 02:17:08.030164957 CEST	49739	443	192.168.2.4	216.58.206.46
Oct 14, 2024 02:17:08.030868053 CEST	443	49739	216.58.206.46	192.168.2.4
Oct 14, 2024 02:17:08.030937910 CEST	49739	443	192.168.2.4	216.58.206.46
Oct 14, 2024 02:17:08.079922915 CEST	443	49741	34.117.188.166	192.168.2.4
Oct 14, 2024 02:17:08.079978943 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 14, 2024 02:17:08.103720903 CEST	443	49743	35.244.181.201	192.168.2.4
Oct 14, 2024 02:17:08.104455948 CEST	49743	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:08.118792057 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 14, 2024 02:17:08.118861914 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 14, 2024 02:17:08.215187073 CEST	49743	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:08.215209007 CEST	443	49743	35.244.181.201	192.168.2.4
Oct 14, 2024 02:17:08.215636969 CEST	443	49743	35.244.181.201	192.168.2.4
Oct 14, 2024 02:17:08.227083921 CEST	49739	443	192.168.2.4	216.58.206.46
Oct 14, 2024 02:17:08.227102041 CEST	443	49739	216.58.206.46	192.168.2.4
Oct 14, 2024 02:17:08.227256060 CEST	49739	443	192.168.2.4	216.58.206.46
Oct 14, 2024 02:17:08.227351904 CEST	443	49739	216.58.206.46	192.168.2.4
Oct 14, 2024 02:17:08.227535963 CEST	49745	443	192.168.2.4	216.58.206.46
Oct 14, 2024 02:17:08.227617979 CEST	443	49745	216.58.206.46	192.168.2.4
Oct 14, 2024 02:17:08.230201960 CEST	49743	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:08.230339050 CEST	49743	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:08.230407953 CEST	443	49743	35.244.181.201	192.168.2.4
Oct 14, 2024 02:17:08.232916117 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 14, 2024 02:17:08.232959032 CEST	443	49741	34.117.188.166	192.168.2.4
Oct 14, 2024 02:17:08.233011007 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 14, 2024 02:17:08.233304977 CEST	49746	443	192.168.2.4	34.117.188.166
Oct 14, 2024 02:17:08.233342886 CEST	443	49746	34.117.188.166	192.168.2.4
Oct 14, 2024 02:17:08.233448982 CEST	443	49741	34.117.188.166	192.168.2.4
Oct 14, 2024 02:17:08.235549927 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 14, 2024 02:17:08.235569954 CEST	49739	443	192.168.2.4	216.58.206.46
Oct 14, 2024 02:17:08.235569954 CEST	49743	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:08.235569954 CEST	49746	443	192.168.2.4	34.117.188.166
Oct 14, 2024 02:17:08.235575914 CEST	49745	443	192.168.2.4	216.58.206.46
Oct 14, 2024 02:17:08.241322994 CEST	49745	443	192.168.2.4	216.58.206.46
Oct 14, 2024 02:17:08.241358042 CEST	443	49745	216.58.206.46	192.168.2.4
Oct 14, 2024 02:17:08.242855072 CEST	49746	443	192.168.2.4	34.117.188.166
Oct 14, 2024 02:17:08.242873907 CEST	443	49746	34.117.188.166	192.168.2.4
Oct 14, 2024 02:17:08.243665934 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 14, 2024 02:17:08.243695974 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 14, 2024 02:17:08.243757010 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 14, 2024 02:17:08.244105101 CEST	49747	443	192.168.2.4	34.117.188.166
Oct 14, 2024 02:17:08.244143963 CEST	443	49747	34.117.188.166	192.168.2.4
Oct 14, 2024 02:17:08.244167089 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 14, 2024 02:17:08.246418953 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 14, 2024 02:17:08.246429920 CEST	49747	443	192.168.2.4	34.117.188.166
Oct 14, 2024 02:17:08.247915983 CEST	49747	443	192.168.2.4	34.117.188.166
Oct 14, 2024 02:17:08.247931957 CEST	443	49747	34.117.188.166	192.168.2.4
Oct 14, 2024 02:17:08.264862061 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:08.269730091 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:08.270106077 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:08.270159006 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:08.275064945 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:08.306435108 CEST	49740	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:08.311825037 CEST	80	49740	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:08.311891079 CEST	49740	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:08.362241983 CEST	49749	443	192.168.2.4	34.160.144.191
Oct 14, 2024 02:17:08.362302065 CEST	443	49749	34.160.144.191	192.168.2.4
Oct 14, 2024 02:17:08.362741947 CEST	49749	443	192.168.2.4	34.160.144.191
Oct 14, 2024 02:17:08.362894058 CEST	49749	443	192.168.2.4	34.160.144.191
Oct 14, 2024 02:17:08.362920046 CEST	443	49749	34.160.144.191	192.168.2.4
Oct 14, 2024 02:17:08.373297930 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:08.378081083 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:08.380953074 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:08.381119013 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:08.386061907 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:08.727519035 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:08.727572918 CEST	443	49746	34.117.188.166	192.168.2.4
Oct 14, 2024 02:17:08.727658987 CEST	49746	443	192.168.2.4	34.117.188.166
Oct 14, 2024 02:17:08.727969885 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:08.733002901 CEST	49746	443	192.168.2.4	34.117.188.166
Oct 14, 2024 02:17:08.733002901 CEST	49746	443	192.168.2.4	34.117.188.166
Oct 14, 2024 02:17:08.733017921 CEST	443	49746	34.117.188.166	192.168.2.4
Oct 14, 2024 02:17:08.733194113 CEST	80	49748	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:08.733387947 CEST	49748	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:08.733401060 CEST	443	49746	34.117.188.166	192.168.2.4
Oct 14, 2024 02:17:08.733467102 CEST	49746	443	192.168.2.4	34.117.188.166
Oct 14, 2024 02:17:08.746206999 CEST	443	49747	34.117.188.166	192.168.2.4
Oct 14, 2024 02:17:08.746381044 CEST	49747	443	192.168.2.4	34.117.188.166
Oct 14, 2024 02:17:08.840487957 CEST	443	49749	34.160.144.191	192.168.2.4
Oct 14, 2024 02:17:08.841370106 CEST	49749	443	192.168.2.4	34.160.144.191
Oct 14, 2024 02:17:08.844611883 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:08.864773035 CEST	49749	443	192.168.2.4	34.160.144.191
Oct 14, 2024 02:17:08.864841938 CEST	443	49749	34.160.144.191	192.168.2.4
Oct 14, 2024 02:17:08.865322113 CEST	443	49749	34.160.144.191	192.168.2.4
Oct 14, 2024 02:17:08.872044086 CEST	49747	443	192.168.2.4	34.117.188.166
Oct 14, 2024 02:17:08.872118950 CEST	443	49747	34.117.188.166	192.168.2.4
Oct 14, 2024 02:17:08.872179985 CEST	49747	443	192.168.2.4	34.117.188.166
Oct 14, 2024 02:17:08.872251034 CEST	49749	443	192.168.2.4	34.160.144.191
Oct 14, 2024 02:17:08.872344017 CEST	49749	443	192.168.2.4	34.160.144.191
Oct 14, 2024 02:17:08.872613907 CEST	49751	443	192.168.2.4	34.160.144.191
Oct 14, 2024 02:17:08.872656107 CEST	443	49751	34.160.144.191	192.168.2.4
Oct 14, 2024 02:17:08.872723103 CEST	443	49749	34.160.144.191	192.168.2.4
Oct 14, 2024 02:17:08.872901917 CEST	443	49747	34.117.188.166	192.168.2.4
Oct 14, 2024 02:17:08.873857021 CEST	49747	443	192.168.2.4	34.117.188.166
Oct 14, 2024 02:17:08.873861074 CEST	49749	443	192.168.2.4	34.160.144.191
Oct 14, 2024 02:17:08.873920918 CEST	49751	443	192.168.2.4	34.160.144.191
Oct 14, 2024 02:17:08.873996973 CEST	49751	443	192.168.2.4	34.160.144.191
Oct 14, 2024 02:17:08.874003887 CEST	443	49751	34.160.144.191	192.168.2.4
Oct 14, 2024 02:17:08.884054899 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:08.984607935 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:08.986268997 CEST	443	49745	216.58.206.46	192.168.2.4
Oct 14, 2024 02:17:08.986284971 CEST	443	49745	216.58.206.46	192.168.2.4
Oct 14, 2024 02:17:08.987271070 CEST	443	49745	216.58.206.46	192.168.2.4
Oct 14, 2024 02:17:08.989639997 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:08.997756958 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:08.997769117 CEST	49745	443	192.168.2.4	216.58.206.46
Oct 14, 2024 02:17:08.997832060 CEST	443	49745	216.58.206.46	192.168.2.4
Oct 14, 2024 02:17:08.998980045 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:09.003839970 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:09.005270958 CEST	49745	443	192.168.2.4	216.58.206.46
Oct 14, 2024 02:17:09.005310059 CEST	443	49745	216.58.206.46	192.168.2.4
Oct 14, 2024 02:17:09.005342960 CEST	49745	443	192.168.2.4	216.58.206.46
Oct 14, 2024 02:17:09.005481005 CEST	443	49745	216.58.206.46	192.168.2.4
Oct 14, 2024 02:17:09.006064892 CEST	49745	443	192.168.2.4	216.58.206.46
Oct 14, 2024 02:17:09.358705044 CEST	443	49751	34.160.144.191	192.168.2.4
Oct 14, 2024 02:17:09.359761953 CEST	49751	443	192.168.2.4	34.160.144.191
Oct 14, 2024 02:17:09.397200108 CEST	49751	443	192.168.2.4	34.160.144.191
Oct 14, 2024 02:17:09.397226095 CEST	443	49751	34.160.144.191	192.168.2.4
Oct 14, 2024 02:17:09.398224115 CEST	443	49751	34.160.144.191	192.168.2.4
Oct 14, 2024 02:17:09.431746960 CEST	49751	443	192.168.2.4	34.160.144.191
Oct 14, 2024 02:17:09.431816101 CEST	49751	443	192.168.2.4	34.160.144.191
Oct 14, 2024 02:17:09.432578087 CEST	443	49751	34.160.144.191	192.168.2.4
Oct 14, 2024 02:17:09.440505981 CEST	49751	443	192.168.2.4	34.160.144.191
Oct 14, 2024 02:17:09.454452991 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:09.501115084 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:09.642890930 CEST	49754	443	192.168.2.4	34.117.188.166
Oct 14, 2024 02:17:09.642978907 CEST	443	49754	34.117.188.166	192.168.2.4
Oct 14, 2024 02:17:09.647221088 CEST	49754	443	192.168.2.4	34.117.188.166
Oct 14, 2024 02:17:09.648608923 CEST	49754	443	192.168.2.4	34.117.188.166
Oct 14, 2024 02:17:09.648633957 CEST	443	49754	34.117.188.166	192.168.2.4
Oct 14, 2024 02:17:09.683598995 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:09.688528061 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:09.782282114 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:09.825552940 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:10.043863058 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:10.048823118 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:10.115993023 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:10.120830059 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:10.140311956 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:10.141011000 CEST	443	49754	34.117.188.166	192.168.2.4
Oct 14, 2024 02:17:10.141185045 CEST	49754	443	192.168.2.4	34.117.188.166
Oct 14, 2024 02:17:10.145869970 CEST	49754	443	192.168.2.4	34.117.188.166
Oct 14, 2024 02:17:10.145869970 CEST	49754	443	192.168.2.4	34.117.188.166
Oct 14, 2024 02:17:10.145898104 CEST	443	49754	34.117.188.166	192.168.2.4
Oct 14, 2024 02:17:10.146080017 CEST	49756	443	192.168.2.4	34.117.188.166
Oct 14, 2024 02:17:10.146120071 CEST	443	49756	34.117.188.166	192.168.2.4
Oct 14, 2024 02:17:10.146143913 CEST	443	49754	34.117.188.166	192.168.2.4
Oct 14, 2024 02:17:10.146244049 CEST	49756	443	192.168.2.4	34.117.188.166
Oct 14, 2024 02:17:10.146318913 CEST	49754	443	192.168.2.4	34.117.188.166
Oct 14, 2024 02:17:10.147481918 CEST	49756	443	192.168.2.4	34.117.188.166
Oct 14, 2024 02:17:10.147500038 CEST	443	49756	34.117.188.166	192.168.2.4
Oct 14, 2024 02:17:10.195487022 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:10.214541912 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:10.264508963 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:10.640868902 CEST	443	49756	34.117.188.166	192.168.2.4
Oct 14, 2024 02:17:10.646563053 CEST	49756	443	192.168.2.4	34.117.188.166
Oct 14, 2024 02:17:10.657917976 CEST	49756	443	192.168.2.4	34.117.188.166
Oct 14, 2024 02:17:10.657946110 CEST	443	49756	34.117.188.166	192.168.2.4
Oct 14, 2024 02:17:10.658026934 CEST	49756	443	192.168.2.4	34.117.188.166
Oct 14, 2024 02:17:10.658185959 CEST	443	49756	34.117.188.166	192.168.2.4
Oct 14, 2024 02:17:10.658484936 CEST	49756	443	192.168.2.4	34.117.188.166
Oct 14, 2024 02:17:10.936780930 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:10.941809893 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:10.944346905 CEST	49757	443	192.168.2.4	34.107.243.93
Oct 14, 2024 02:17:10.944380999 CEST	443	49757	34.107.243.93	192.168.2.4
Oct 14, 2024 02:17:10.946537971 CEST	49757	443	192.168.2.4	34.107.243.93
Oct 14, 2024 02:17:10.948740959 CEST	49757	443	192.168.2.4	34.107.243.93
Oct 14, 2024 02:17:10.948755026 CEST	443	49757	34.107.243.93	192.168.2.4
Oct 14, 2024 02:17:11.033921003 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:11.082364082 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:11.450067043 CEST	443	49757	34.107.243.93	192.168.2.4
Oct 14, 2024 02:17:11.450474024 CEST	49757	443	192.168.2.4	34.107.243.93
Oct 14, 2024 02:17:11.455868006 CEST	49757	443	192.168.2.4	34.107.243.93
Oct 14, 2024 02:17:11.455868006 CEST	49757	443	192.168.2.4	34.107.243.93
Oct 14, 2024 02:17:11.455878973 CEST	443	49757	34.107.243.93	192.168.2.4
Oct 14, 2024 02:17:11.456129074 CEST	443	49757	34.107.243.93	192.168.2.4
Oct 14, 2024 02:17:11.456228018 CEST	49757	443	192.168.2.4	34.107.243.93
Oct 14, 2024 02:17:13.641237974 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:13.646361113 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:13.650278091 CEST	49758	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:13.650324106 CEST	443	49758	35.244.181.201	192.168.2.4
Oct 14, 2024 02:17:13.650516033 CEST	49758	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:13.650644064 CEST	49758	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:13.650659084 CEST	443	49758	35.244.181.201	192.168.2.4
Oct 14, 2024 02:17:13.740094900 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:13.750091076 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:13.753563881 CEST	49759	443	192.168.2.4	34.149.100.209
Oct 14, 2024 02:17:13.753659964 CEST	443	49759	34.149.100.209	192.168.2.4
Oct 14, 2024 02:17:13.754237890 CEST	49759	443	192.168.2.4	34.149.100.209
Oct 14, 2024 02:17:13.755072117 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:13.755466938 CEST	49759	443	192.168.2.4	34.149.100.209
Oct 14, 2024 02:17:13.755542994 CEST	443	49759	34.149.100.209	192.168.2.4
Oct 14, 2024 02:17:13.756923914 CEST	49761	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:17:13.756978035 CEST	443	49761	34.120.208.123	192.168.2.4
Oct 14, 2024 02:17:13.759016037 CEST	49761	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:17:13.761337996 CEST	49761	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:17:13.761364937 CEST	443	49761	34.120.208.123	192.168.2.4
Oct 14, 2024 02:17:13.789381027 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:13.846872091 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:13.904289961 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:14.163106918 CEST	443	49758	35.244.181.201	192.168.2.4
Oct 14, 2024 02:17:14.163204908 CEST	49758	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:14.165461063 CEST	49758	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:14.165471077 CEST	443	49758	35.244.181.201	192.168.2.4
Oct 14, 2024 02:17:14.165961027 CEST	443	49758	35.244.181.201	192.168.2.4
Oct 14, 2024 02:17:14.167253971 CEST	49758	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:14.167321920 CEST	49758	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:14.167453051 CEST	49758	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:14.265549898 CEST	443	49759	34.149.100.209	192.168.2.4
Oct 14, 2024 02:17:14.267801046 CEST	49759	443	192.168.2.4	34.149.100.209
Oct 14, 2024 02:17:14.276371956 CEST	443	49761	34.120.208.123	192.168.2.4
Oct 14, 2024 02:17:14.286428928 CEST	49761	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:17:14.303599119 CEST	49759	443	192.168.2.4	34.149.100.209
Oct 14, 2024 02:17:14.303599119 CEST	49759	443	192.168.2.4	34.149.100.209
Oct 14, 2024 02:17:14.303641081 CEST	443	49759	34.149.100.209	192.168.2.4
Oct 14, 2024 02:17:14.303999901 CEST	443	49759	34.149.100.209	192.168.2.4
Oct 14, 2024 02:17:14.303997993 CEST	49761	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:17:14.303998947 CEST	49761	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:17:14.304079056 CEST	443	49761	34.120.208.123	192.168.2.4
Oct 14, 2024 02:17:14.304128885 CEST	49759	443	192.168.2.4	34.149.100.209
Oct 14, 2024 02:17:14.304702997 CEST	443	49761	34.120.208.123	192.168.2.4
Oct 14, 2024 02:17:14.304805040 CEST	49761	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:17:17.653603077 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:17.658610106 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:17.665884018 CEST	49765	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:17:17.665970087 CEST	443	49765	34.120.208.123	192.168.2.4
Oct 14, 2024 02:17:17.666064978 CEST	49765	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:17:17.667254925 CEST	49765	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:17:17.667287111 CEST	443	49765	34.120.208.123	192.168.2.4
Oct 14, 2024 02:17:17.752077103 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:17.805964947 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:18.025723934 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:17:18.025804043 CEST	443	49767	34.120.208.123	192.168.2.4
Oct 14, 2024 02:17:18.025901079 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:18.025979996 CEST	49768	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:17:18.026072979 CEST	443	49768	34.120.208.123	192.168.2.4
Oct 14, 2024 02:17:18.027420044 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:17:18.027467966 CEST	49768	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:17:18.027548075 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:17:18.027568102 CEST	443	49767	34.120.208.123	192.168.2.4
Oct 14, 2024 02:17:18.027637959 CEST	49768	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:17:18.027673960 CEST	443	49768	34.120.208.123	192.168.2.4
Oct 14, 2024 02:17:18.031008005 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:18.134270906 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:18.175867081 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:18.182697058 CEST	443	49765	34.120.208.123	192.168.2.4
Oct 14, 2024 02:17:18.182966948 CEST	49765	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:17:18.506171942 CEST	443	49767	34.120.208.123	192.168.2.4
Oct 14, 2024 02:17:18.506237984 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:17:18.524986029 CEST	443	49768	34.120.208.123	192.168.2.4
Oct 14, 2024 02:17:18.526179075 CEST	49768	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:17:19.289808989 CEST	49768	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:17:19.289891005 CEST	443	49768	34.120.208.123	192.168.2.4
Oct 14, 2024 02:17:19.290414095 CEST	443	49768	34.120.208.123	192.168.2.4
Oct 14, 2024 02:17:19.291553974 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:17:19.291589022 CEST	443	49767	34.120.208.123	192.168.2.4
Oct 14, 2024 02:17:19.292634964 CEST	443	49767	34.120.208.123	192.168.2.4
Oct 14, 2024 02:17:19.294490099 CEST	49765	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:17:19.294490099 CEST	49765	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:17:19.294574976 CEST	443	49765	34.120.208.123	192.168.2.4
Oct 14, 2024 02:17:19.294625998 CEST	49768	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:17:19.294951916 CEST	49768	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:17:19.295025110 CEST	443	49765	34.120.208.123	192.168.2.4
Oct 14, 2024 02:17:19.295181990 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:17:19.295248032 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:17:19.295763016 CEST	443	49767	34.120.208.123	192.168.2.4
Oct 14, 2024 02:17:19.297631979 CEST	49765	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:17:19.297636986 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:17:19.622647047 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:19.627631903 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:19.721934080 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:19.780483961 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:20.147480011 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:17:20.147599936 CEST	443	49771	34.120.208.123	192.168.2.4
Oct 14, 2024 02:17:20.148509026 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:17:20.149728060 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:17:20.149789095 CEST	443	49771	34.120.208.123	192.168.2.4
Oct 14, 2024 02:17:20.169234037 CEST	49772	443	192.168.2.4	34.107.243.93
Oct 14, 2024 02:17:20.169270992 CEST	443	49772	34.107.243.93	192.168.2.4
Oct 14, 2024 02:17:20.170522928 CEST	49772	443	192.168.2.4	34.107.243.93
Oct 14, 2024 02:17:20.171879053 CEST	49772	443	192.168.2.4	34.107.243.93
Oct 14, 2024 02:17:20.171899080 CEST	443	49772	34.107.243.93	192.168.2.4
Oct 14, 2024 02:17:20.184746027 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:20.189744949 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:20.281560898 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:20.328782082 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:20.633661985 CEST	443	49771	34.120.208.123	192.168.2.4
Oct 14, 2024 02:17:20.633898020 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:17:20.665838957 CEST	443	49772	34.107.243.93	192.168.2.4
Oct 14, 2024 02:17:20.665901899 CEST	49772	443	192.168.2.4	34.107.243.93
Oct 14, 2024 02:17:20.782310963 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:17:20.782310963 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:17:20.782351017 CEST	49772	443	192.168.2.4	34.107.243.93
Oct 14, 2024 02:17:20.782378912 CEST	443	49772	34.107.243.93	192.168.2.4
Oct 14, 2024 02:17:20.782393932 CEST	443	49771	34.120.208.123	192.168.2.4
Oct 14, 2024 02:17:20.782402992 CEST	49772	443	192.168.2.4	34.107.243.93
Oct 14, 2024 02:17:20.782898903 CEST	443	49772	34.107.243.93	192.168.2.4
Oct 14, 2024 02:17:20.782947063 CEST	443	49771	34.120.208.123	192.168.2.4
Oct 14, 2024 02:17:20.782979965 CEST	49772	443	192.168.2.4	34.107.243.93
Oct 14, 2024 02:17:20.783123016 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:17:20.947981119 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:20.953001022 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:21.046420097 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:21.099824905 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:21.225087881 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:21.230040073 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:21.322220087 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:21.363042116 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:30.952908993 CEST	49773	443	192.168.2.4	34.107.243.93
Oct 14, 2024 02:17:30.953001976 CEST	443	49773	34.107.243.93	192.168.2.4
Oct 14, 2024 02:17:30.953116894 CEST	49773	443	192.168.2.4	34.107.243.93
Oct 14, 2024 02:17:30.954392910 CEST	49773	443	192.168.2.4	34.107.243.93
Oct 14, 2024 02:17:30.954427958 CEST	443	49773	34.107.243.93	192.168.2.4
Oct 14, 2024 02:17:31.059448004 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:31.064541101 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:31.329001904 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:31.334127903 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:31.460624933 CEST	443	49773	34.107.243.93	192.168.2.4
Oct 14, 2024 02:17:31.460797071 CEST	49773	443	192.168.2.4	34.107.243.93
Oct 14, 2024 02:17:31.465095043 CEST	49773	443	192.168.2.4	34.107.243.93
Oct 14, 2024 02:17:31.465122938 CEST	443	49773	34.107.243.93	192.168.2.4
Oct 14, 2024 02:17:31.465192080 CEST	49773	443	192.168.2.4	34.107.243.93
Oct 14, 2024 02:17:31.465334892 CEST	443	49773	34.107.243.93	192.168.2.4
Oct 14, 2024 02:17:31.466315985 CEST	49773	443	192.168.2.4	34.107.243.93
Oct 14, 2024 02:17:31.468024969 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:31.472912073 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:31.566647053 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:31.572318077 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:31.577456951 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:31.614290953 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:31.669055939 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:31.714582920 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:33.770617008 CEST	49774	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:33.770706892 CEST	443	49774	35.244.181.201	192.168.2.4
Oct 14, 2024 02:17:33.779548883 CEST	49774	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:33.779678106 CEST	49774	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:33.779696941 CEST	443	49774	35.244.181.201	192.168.2.4
Oct 14, 2024 02:17:33.785891056 CEST	49775	443	192.168.2.4	34.149.100.209
Oct 14, 2024 02:17:33.785926104 CEST	443	49775	34.149.100.209	192.168.2.4
Oct 14, 2024 02:17:33.788403988 CEST	49776	443	192.168.2.4	35.190.72.216
Oct 14, 2024 02:17:33.788487911 CEST	443	49776	35.190.72.216	192.168.2.4
Oct 14, 2024 02:17:33.791038036 CEST	49775	443	192.168.2.4	34.149.100.209
Oct 14, 2024 02:17:33.791152954 CEST	49775	443	192.168.2.4	34.149.100.209
Oct 14, 2024 02:17:33.791162014 CEST	49776	443	192.168.2.4	35.190.72.216
Oct 14, 2024 02:17:33.791162968 CEST	443	49775	34.149.100.209	192.168.2.4
Oct 14, 2024 02:17:33.792680979 CEST	49776	443	192.168.2.4	35.190.72.216
Oct 14, 2024 02:17:33.792718887 CEST	443	49776	35.190.72.216	192.168.2.4
Oct 14, 2024 02:17:33.795196056 CEST	49777	443	192.168.2.4	52.222.236.120
Oct 14, 2024 02:17:33.795219898 CEST	443	49777	52.222.236.120	192.168.2.4
Oct 14, 2024 02:17:33.798048019 CEST	49777	443	192.168.2.4	52.222.236.120
Oct 14, 2024 02:17:33.798288107 CEST	49777	443	192.168.2.4	52.222.236.120
Oct 14, 2024 02:17:33.798314095 CEST	443	49777	52.222.236.120	192.168.2.4
Oct 14, 2024 02:17:33.799530029 CEST	49778	443	192.168.2.4	35.201.103.21
Oct 14, 2024 02:17:33.799557924 CEST	443	49778	35.201.103.21	192.168.2.4
Oct 14, 2024 02:17:33.800271988 CEST	49778	443	192.168.2.4	35.201.103.21
Oct 14, 2024 02:17:33.801688910 CEST	49778	443	192.168.2.4	35.201.103.21
Oct 14, 2024 02:17:33.801713943 CEST	443	49778	35.201.103.21	192.168.2.4
Oct 14, 2024 02:17:34.282489061 CEST	443	49774	35.244.181.201	192.168.2.4
Oct 14, 2024 02:17:34.282506943 CEST	443	49774	35.244.181.201	192.168.2.4
Oct 14, 2024 02:17:34.282659054 CEST	49774	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:34.284210920 CEST	443	49775	34.149.100.209	192.168.2.4
Oct 14, 2024 02:17:34.284291029 CEST	49775	443	192.168.2.4	34.149.100.209
Oct 14, 2024 02:17:34.286123037 CEST	49774	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:34.286150932 CEST	443	49774	35.244.181.201	192.168.2.4
Oct 14, 2024 02:17:34.286489964 CEST	443	49774	35.244.181.201	192.168.2.4
Oct 14, 2024 02:17:34.288525105 CEST	443	49778	35.201.103.21	192.168.2.4
Oct 14, 2024 02:17:34.289115906 CEST	49775	443	192.168.2.4	34.149.100.209
Oct 14, 2024 02:17:34.289124966 CEST	443	49775	34.149.100.209	192.168.2.4
Oct 14, 2024 02:17:34.289311886 CEST	49778	443	192.168.2.4	35.201.103.21
Oct 14, 2024 02:17:34.290013075 CEST	443	49775	34.149.100.209	192.168.2.4
Oct 14, 2024 02:17:34.294321060 CEST	49774	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:34.294503927 CEST	49774	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:34.294537067 CEST	443	49774	35.244.181.201	192.168.2.4
Oct 14, 2024 02:17:34.294943094 CEST	49774	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:34.295413971 CEST	49775	443	192.168.2.4	34.149.100.209
Oct 14, 2024 02:17:34.295468092 CEST	49775	443	192.168.2.4	34.149.100.209
Oct 14, 2024 02:17:34.295578003 CEST	49778	443	192.168.2.4	35.201.103.21
Oct 14, 2024 02:17:34.295593977 CEST	443	49778	35.201.103.21	192.168.2.4
Oct 14, 2024 02:17:34.295623064 CEST	49778	443	192.168.2.4	35.201.103.21
Oct 14, 2024 02:17:34.295845985 CEST	443	49775	34.149.100.209	192.168.2.4
Oct 14, 2024 02:17:34.295851946 CEST	443	49778	35.201.103.21	192.168.2.4
Oct 14, 2024 02:17:34.296144962 CEST	49775	443	192.168.2.4	34.149.100.209
Oct 14, 2024 02:17:34.296158075 CEST	49778	443	192.168.2.4	35.201.103.21
Oct 14, 2024 02:17:34.300081015 CEST	443	49776	35.190.72.216	192.168.2.4
Oct 14, 2024 02:17:34.300478935 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:34.300890923 CEST	49776	443	192.168.2.4	35.190.72.216
Oct 14, 2024 02:17:34.304914951 CEST	49776	443	192.168.2.4	35.190.72.216
Oct 14, 2024 02:17:34.304923058 CEST	443	49776	35.190.72.216	192.168.2.4
Oct 14, 2024 02:17:34.304991007 CEST	49776	443	192.168.2.4	35.190.72.216
Oct 14, 2024 02:17:34.305136919 CEST	443	49776	35.190.72.216	192.168.2.4
Oct 14, 2024 02:17:34.305515051 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:34.305522919 CEST	49776	443	192.168.2.4	35.190.72.216
Oct 14, 2024 02:17:34.310189009 CEST	49779	443	192.168.2.4	34.149.100.209
Oct 14, 2024 02:17:34.310220957 CEST	443	49779	34.149.100.209	192.168.2.4
Oct 14, 2024 02:17:34.310486078 CEST	49779	443	192.168.2.4	34.149.100.209
Oct 14, 2024 02:17:34.310606003 CEST	49779	443	192.168.2.4	34.149.100.209
Oct 14, 2024 02:17:34.310622931 CEST	443	49779	34.149.100.209	192.168.2.4
Oct 14, 2024 02:17:34.399003029 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:34.402081013 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:34.407068968 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:34.453170061 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:34.498569965 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:34.538291931 CEST	443	49777	52.222.236.120	192.168.2.4
Oct 14, 2024 02:17:34.538491011 CEST	49777	443	192.168.2.4	52.222.236.120
Oct 14, 2024 02:17:34.541212082 CEST	49777	443	192.168.2.4	52.222.236.120
Oct 14, 2024 02:17:34.541239977 CEST	443	49777	52.222.236.120	192.168.2.4
Oct 14, 2024 02:17:34.541637897 CEST	443	49777	52.222.236.120	192.168.2.4
Oct 14, 2024 02:17:34.543226957 CEST	49777	443	192.168.2.4	52.222.236.120
Oct 14, 2024 02:17:34.543304920 CEST	49777	443	192.168.2.4	52.222.236.120
Oct 14, 2024 02:17:34.543425083 CEST	443	49777	52.222.236.120	192.168.2.4
Oct 14, 2024 02:17:34.545692921 CEST	49777	443	192.168.2.4	52.222.236.120
Oct 14, 2024 02:17:34.550635099 CEST	49780	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:34.550682068 CEST	443	49780	35.244.181.201	192.168.2.4
Oct 14, 2024 02:17:34.550940990 CEST	49780	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:34.551035881 CEST	49780	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:34.551044941 CEST	443	49780	35.244.181.201	192.168.2.4
Oct 14, 2024 02:17:34.552551031 CEST	49781	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:34.552642107 CEST	443	49781	35.244.181.201	192.168.2.4
Oct 14, 2024 02:17:34.552834034 CEST	49781	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:34.552944899 CEST	49781	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:34.552967072 CEST	443	49781	35.244.181.201	192.168.2.4
Oct 14, 2024 02:17:34.553409100 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:34.554605007 CEST	49782	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:34.554627895 CEST	443	49782	35.244.181.201	192.168.2.4
Oct 14, 2024 02:17:34.554924965 CEST	49782	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:34.555016994 CEST	49782	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:34.555027962 CEST	443	49782	35.244.181.201	192.168.2.4
Oct 14, 2024 02:17:34.556157112 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:34.560935974 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:34.654752970 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:34.659893036 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:34.664877892 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:34.700577974 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:34.756783009 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:34.783446074 CEST	443	49779	34.149.100.209	192.168.2.4
Oct 14, 2024 02:17:34.783552885 CEST	49779	443	192.168.2.4	34.149.100.209
Oct 14, 2024 02:17:34.786492109 CEST	49779	443	192.168.2.4	34.149.100.209
Oct 14, 2024 02:17:34.786516905 CEST	443	49779	34.149.100.209	192.168.2.4
Oct 14, 2024 02:17:34.786917925 CEST	443	49779	34.149.100.209	192.168.2.4
Oct 14, 2024 02:17:34.788542986 CEST	49779	443	192.168.2.4	34.149.100.209
Oct 14, 2024 02:17:34.788625956 CEST	49779	443	192.168.2.4	34.149.100.209
Oct 14, 2024 02:17:34.791176081 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:34.796049118 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:34.800875902 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:34.889738083 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:34.892955065 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:34.898092985 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:34.938925028 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:34.990118980 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:35.030880928 CEST	443	49781	35.244.181.201	192.168.2.4
Oct 14, 2024 02:17:35.030961990 CEST	49781	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:35.033346891 CEST	49781	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:35.033368111 CEST	443	49781	35.244.181.201	192.168.2.4
Oct 14, 2024 02:17:35.033700943 CEST	443	49781	35.244.181.201	192.168.2.4
Oct 14, 2024 02:17:35.035734892 CEST	49781	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:35.035816908 CEST	49781	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:35.035949945 CEST	443	49781	35.244.181.201	192.168.2.4
Oct 14, 2024 02:17:35.036163092 CEST	49781	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:35.036475897 CEST	443	49782	35.244.181.201	192.168.2.4
Oct 14, 2024 02:17:35.036565065 CEST	49782	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:35.039225101 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:35.039283037 CEST	49782	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:35.039294958 CEST	443	49782	35.244.181.201	192.168.2.4
Oct 14, 2024 02:17:35.040292978 CEST	443	49782	35.244.181.201	192.168.2.4
Oct 14, 2024 02:17:35.041503906 CEST	49782	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:35.041577101 CEST	49782	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:35.041708946 CEST	443	49782	35.244.181.201	192.168.2.4
Oct 14, 2024 02:17:35.041861057 CEST	49782	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:35.043098927 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:35.048023939 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:35.050580978 CEST	443	49780	35.244.181.201	192.168.2.4
Oct 14, 2024 02:17:35.050656080 CEST	49780	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:35.053009987 CEST	49780	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:35.053020954 CEST	443	49780	35.244.181.201	192.168.2.4
Oct 14, 2024 02:17:35.053337097 CEST	443	49780	35.244.181.201	192.168.2.4
Oct 14, 2024 02:17:35.055417061 CEST	49780	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:35.055490017 CEST	49780	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:35.055588007 CEST	443	49780	35.244.181.201	192.168.2.4
Oct 14, 2024 02:17:35.057758093 CEST	49780	443	192.168.2.4	35.244.181.201
Oct 14, 2024 02:17:35.141792059 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:35.144171000 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:35.149065018 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:35.186388016 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:35.240957022 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:35.286693096 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:35.592788935 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:35.592895031 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:45.143524885 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:45.148478031 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:45.243799925 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:45.248738050 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:51.841850996 CEST	49784	443	192.168.2.4	34.107.243.93
Oct 14, 2024 02:17:51.841893911 CEST	443	49784	34.107.243.93	192.168.2.4
Oct 14, 2024 02:17:51.842245102 CEST	49784	443	192.168.2.4	34.107.243.93
Oct 14, 2024 02:17:51.843667984 CEST	49784	443	192.168.2.4	34.107.243.93
Oct 14, 2024 02:17:51.843682051 CEST	443	49784	34.107.243.93	192.168.2.4
Oct 14, 2024 02:17:52.322140932 CEST	443	49784	34.107.243.93	192.168.2.4
Oct 14, 2024 02:17:52.322237968 CEST	49784	443	192.168.2.4	34.107.243.93
Oct 14, 2024 02:17:52.326536894 CEST	49784	443	192.168.2.4	34.107.243.93
Oct 14, 2024 02:17:52.326544046 CEST	443	49784	34.107.243.93	192.168.2.4
Oct 14, 2024 02:17:52.326630116 CEST	49784	443	192.168.2.4	34.107.243.93
Oct 14, 2024 02:17:52.326744080 CEST	443	49784	34.107.243.93	192.168.2.4
Oct 14, 2024 02:17:52.327253103 CEST	49784	443	192.168.2.4	34.107.243.93
Oct 14, 2024 02:17:52.328989029 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:52.333965063 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:52.427586079 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:52.429976940 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:52.434886932 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:52.478863955 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:17:52.526715040 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 14, 2024 02:17:52.579145908 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:18:02.438684940 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:18:02.445113897 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 14, 2024 02:18:02.539019108 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:18:02.544431925 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 14, 2024 02:18:04.281492949 CEST	49827	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:18:04.281599998 CEST	443	49827	34.120.208.123	192.168.2.4
Oct 14, 2024 02:18:04.281692982 CEST	49828	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:18:04.281754017 CEST	443	49828	34.120.208.123	192.168.2.4
Oct 14, 2024 02:18:04.281801939 CEST	49829	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:18:04.281831980 CEST	443	49829	34.120.208.123	192.168.2.4
Oct 14, 2024 02:18:04.281886101 CEST	49827	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:18:04.281953096 CEST	49828	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:18:04.282011032 CEST	49827	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:18:04.282037020 CEST	443	49827	34.120.208.123	192.168.2.4
Oct 14, 2024 02:18:04.282157898 CEST	49828	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:18:04.282179117 CEST	443	49828	34.120.208.123	192.168.2.4
Oct 14, 2024 02:18:04.282334089 CEST	49829	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:18:04.282366037 CEST	49829	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:18:04.282383919 CEST	443	49829	34.120.208.123	192.168.2.4
Oct 14, 2024 02:18:04.758461952 CEST	443	49827	34.120.208.123	192.168.2.4
Oct 14, 2024 02:18:04.758886099 CEST	49827	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:18:04.761826992 CEST	49827	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:18:04.761852026 CEST	443	49827	34.120.208.123	192.168.2.4
Oct 14, 2024 02:18:04.762516022 CEST	443	49827	34.120.208.123	192.168.2.4
Oct 14, 2024 02:18:04.764209986 CEST	49827	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:18:04.764297962 CEST	49827	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:18:04.764385939 CEST	443	49827	34.120.208.123	192.168.2.4
Oct 14, 2024 02:18:04.764621973 CEST	49827	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:18:04.765692949 CEST	49827	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:18:04.768913984 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:18:04.770941973 CEST	443	49828	34.120.208.123	192.168.2.4
Oct 14, 2024 02:18:04.773751020 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 14, 2024 02:18:04.775204897 CEST	49828	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:18:04.778304100 CEST	49828	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:18:04.778326988 CEST	443	49828	34.120.208.123	192.168.2.4
Oct 14, 2024 02:18:04.778630018 CEST	443	49828	34.120.208.123	192.168.2.4
Oct 14, 2024 02:18:04.780363083 CEST	49828	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:18:04.780438900 CEST	49828	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:18:04.780524969 CEST	443	49828	34.120.208.123	192.168.2.4
Oct 14, 2024 02:18:04.780563116 CEST	49828	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:18:04.780613899 CEST	49828	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:18:04.790817976 CEST	443	49829	34.120.208.123	192.168.2.4
Oct 14, 2024 02:18:04.790913105 CEST	49829	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:18:04.793540001 CEST	49829	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:18:04.793549061 CEST	443	49829	34.120.208.123	192.168.2.4
Oct 14, 2024 02:18:04.793874979 CEST	443	49829	34.120.208.123	192.168.2.4
Oct 14, 2024 02:18:04.796380997 CEST	49829	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:18:04.796457052 CEST	49829	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:18:04.796546936 CEST	443	49829	34.120.208.123	192.168.2.4
Oct 14, 2024 02:18:04.796648979 CEST	49829	443	192.168.2.4	34.120.208.123
Oct 14, 2024 02:18:04.867629051 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 14, 2024 02:18:04.889900923 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:18:04.894880056 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 14, 2024 02:18:04.915987968 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:18:04.986112118 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 14, 2024 02:18:05.038525105 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:18:05.519063950 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 14, 2024 02:18:05.519232988 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 14, 2024 02:18:05.519344091 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:18:05.519345045 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:18:14.867482901 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:18:14.872486115 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 14, 2024 02:18:14.998863935 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:18:15.004009008 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 14, 2024 02:18:24.884533882 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:18:24.889451981 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 14, 2024 02:18:25.006946087 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:18:25.011852026 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 14, 2024 02:18:32.388226986 CEST	50005	443	192.168.2.4	34.107.243.93
Oct 14, 2024 02:18:32.388272047 CEST	443	50005	34.107.243.93	192.168.2.4
Oct 14, 2024 02:18:32.388475895 CEST	50005	443	192.168.2.4	34.107.243.93
Oct 14, 2024 02:18:32.390587091 CEST	50005	443	192.168.2.4	34.107.243.93
Oct 14, 2024 02:18:32.390619040 CEST	443	50005	34.107.243.93	192.168.2.4
Oct 14, 2024 02:18:32.890158892 CEST	443	50005	34.107.243.93	192.168.2.4
Oct 14, 2024 02:18:32.890259981 CEST	50005	443	192.168.2.4	34.107.243.93
Oct 14, 2024 02:18:32.895529032 CEST	50005	443	192.168.2.4	34.107.243.93
Oct 14, 2024 02:18:32.895543098 CEST	443	50005	34.107.243.93	192.168.2.4
Oct 14, 2024 02:18:32.895770073 CEST	443	50005	34.107.243.93	192.168.2.4
Oct 14, 2024 02:18:32.895773888 CEST	50005	443	192.168.2.4	34.107.243.93
Oct 14, 2024 02:18:32.895787001 CEST	443	50005	34.107.243.93	192.168.2.4
Oct 14, 2024 02:18:32.898502111 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:18:32.903373957 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 14, 2024 02:18:32.996983051 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 14, 2024 02:18:33.000619888 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:18:33.005397081 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 14, 2024 02:18:33.046557903 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:18:33.097300053 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 14, 2024 02:18:33.103491068 CEST	443	50005	34.107.243.93	192.168.2.4
Oct 14, 2024 02:18:33.103702068 CEST	50005	443	192.168.2.4	34.107.243.93
Oct 14, 2024 02:18:33.146809101 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:18:43.007266045 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:18:43.012357950 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 14, 2024 02:18:43.107570887 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:18:43.112561941 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 14, 2024 02:18:53.020018101 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:18:53.025074005 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 14, 2024 02:18:53.120373964 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:18:53.125843048 CEST	80	49752	34.107.221.82	192.168.2.4
Oct 14, 2024 02:19:03.034322977 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:19:03.039367914 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 14, 2024 02:19:03.134543896 CEST	49752	80	192.168.2.4	34.107.221.82
Oct 14, 2024 02:19:03.139514923 CEST	80	49752	34.107.221.82	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 02:17:05.212004900 CEST	60624	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:05.219472885 CEST	53	60624	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:05.220936060 CEST	56979	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:05.228365898 CEST	53	56979	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:07.176992893 CEST	58983	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:07.183990002 CEST	53	58983	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:07.194750071 CEST	51620	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:07.201562881 CEST	53	51620	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:07.215142012 CEST	60901	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:07.221937895 CEST	53	60901	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:07.365833044 CEST	57020	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:07.378551006 CEST	52102	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:07.386105061 CEST	53	52102	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:07.392736912 CEST	51806	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:07.400346994 CEST	53	51806	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:07.583782911 CEST	53180	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:07.590650082 CEST	53	53180	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:07.592751026 CEST	49863	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:07.595967054 CEST	55952	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:07.599618912 CEST	53	49863	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:07.602688074 CEST	53	55952	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:07.606734991 CEST	52657	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:07.608051062 CEST	58531	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:07.611146927 CEST	54670	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:07.613368034 CEST	53	52657	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:07.615439892 CEST	53	58531	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:07.617952108 CEST	53	54670	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:07.631213903 CEST	57609	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:07.632493019 CEST	52704	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:07.638495922 CEST	53	57609	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:07.639642954 CEST	53	52704	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:07.960252047 CEST	64909	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:07.960758924 CEST	50356	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:07.967237949 CEST	53	64909	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:07.967761040 CEST	53	50356	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:08.247077942 CEST	49572	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:08.350662947 CEST	64609	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:08.357414961 CEST	53	64609	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:08.362678051 CEST	52295	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:08.369266987 CEST	53	52295	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:08.370526075 CEST	57522	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:08.377219915 CEST	53	57522	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:10.116456985 CEST	61869	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:10.162869930 CEST	53	60907	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:10.473655939 CEST	53701	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:10.480554104 CEST	53	53701	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:10.484427929 CEST	60527	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:10.492611885 CEST	53	60527	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:10.493236065 CEST	59627	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:10.505341053 CEST	53	59627	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:13.643280983 CEST	50150	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:13.650013924 CEST	53	50150	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:13.683420897 CEST	53507	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:13.690861940 CEST	53	53507	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:13.691648960 CEST	51873	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:13.715276957 CEST	53	51873	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:13.715747118 CEST	52234	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:13.722670078 CEST	53	52234	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:13.743855953 CEST	65145	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:13.750715971 CEST	53	65145	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:13.758455992 CEST	54815	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:13.764813900 CEST	51563	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:13.768779039 CEST	53	54815	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:13.772824049 CEST	53	51563	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:13.776465893 CEST	52759	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:13.776901960 CEST	54626	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:13.783191919 CEST	53	52759	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:13.783637047 CEST	53	54626	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:20.148315907 CEST	64203	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:20.155637026 CEST	53	64203	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:20.169995070 CEST	61347	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:20.176629066 CEST	53	61347	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:25.730742931 CEST	61727	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:25.730742931 CEST	50033	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:25.730974913 CEST	54958	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:25.737857103 CEST	53	50033	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:25.737888098 CEST	53	61727	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:25.738375902 CEST	53	54958	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:25.738533974 CEST	51666	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:25.738605976 CEST	58726	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:25.739077091 CEST	64276	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:25.745250940 CEST	53	51666	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:25.745295048 CEST	53	58726	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:25.745832920 CEST	61494	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:25.745887041 CEST	57448	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:25.745924950 CEST	53	64276	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:25.746253014 CEST	54377	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:25.752732992 CEST	53	57448	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:25.753045082 CEST	53	61494	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:25.753277063 CEST	53282	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:25.753412008 CEST	53	54377	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:25.753628969 CEST	51294	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:26.074007034 CEST	53	51294	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:26.074182987 CEST	53	53282	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:26.075174093 CEST	51452	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:26.075294971 CEST	59749	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:26.082123041 CEST	53	59749	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:26.082252979 CEST	53	51452	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:26.082683086 CEST	51189	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:26.083309889 CEST	59108	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:26.089520931 CEST	53	51189	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:26.090236902 CEST	53	59108	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:30.951987982 CEST	56125	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:30.959094048 CEST	53	56125	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:30.960155010 CEST	63130	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:30.966932058 CEST	53	63130	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:33.763088942 CEST	58298	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:33.769860983 CEST	53	58298	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:33.782188892 CEST	60943	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:33.790884018 CEST	57464	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:33.793562889 CEST	53	60943	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:33.795622110 CEST	54887	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:33.798057079 CEST	53	57464	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:33.800040960 CEST	65309	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:33.805640936 CEST	53	54887	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:33.806869030 CEST	53	65309	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:33.817028046 CEST	51650	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:33.818465948 CEST	52170	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:33.824223995 CEST	53	51650	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:33.825203896 CEST	53	52170	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:34.300823927 CEST	57370	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:51.833538055 CEST	50839	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:51.840553999 CEST	53	50839	1.1.1.1	192.168.2.4
Oct 14, 2024 02:17:51.841070890 CEST	58487	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:17:51.847734928 CEST	53	58487	1.1.1.1	192.168.2.4
Oct 14, 2024 02:18:04.281636953 CEST	50650	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:18:04.288289070 CEST	53	50650	1.1.1.1	192.168.2.4
Oct 14, 2024 02:18:32.380196095 CEST	49769	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:18:32.386863947 CEST	53	49769	1.1.1.1	192.168.2.4
Oct 14, 2024 02:18:32.388394117 CEST	64361	53	192.168.2.4	1.1.1.1
Oct 14, 2024 02:18:32.395589113 CEST	53	64361	1.1.1.1	192.168.2.4
Oct 14, 2024 02:18:32.898727894 CEST	58665	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 14, 2024 02:17:05.212004900 CEST	192.168.2.4	1.1.1.1	0xeff0	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:05.220936060 CEST	192.168.2.4	1.1.1.1	0x20d7	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 02:17:07.176992893 CEST	192.168.2.4	1.1.1.1	0xf60d	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:07.194750071 CEST	192.168.2.4	1.1.1.1	0xeb16	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:07.215142012 CEST	192.168.2.4	1.1.1.1	0x2018	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 14, 2024 02:17:07.365833044 CEST	192.168.2.4	1.1.1.1	0x9d75	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:07.378551006 CEST	192.168.2.4	1.1.1.1	0x8ab2	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:07.392736912 CEST	192.168.2.4	1.1.1.1	0xbaa5	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 02:17:07.583782911 CEST	192.168.2.4	1.1.1.1	0x8224	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:07.592751026 CEST	192.168.2.4	1.1.1.1	0x5c89	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:07.595967054 CEST	192.168.2.4	1.1.1.1	0x1059	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:07.606734991 CEST	192.168.2.4	1.1.1.1	0x9ede	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 02:17:07.608051062 CEST	192.168.2.4	1.1.1.1	0x761c	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:07.611146927 CEST	192.168.2.4	1.1.1.1	0x74b3	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:07.631213903 CEST	192.168.2.4	1.1.1.1	0x41e6	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 02:17:07.632493019 CEST	192.168.2.4	1.1.1.1	0x74de	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 02:17:07.960252047 CEST	192.168.2.4	1.1.1.1	0x216	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:07.960758924 CEST	192.168.2.4	1.1.1.1	0x2781	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:08.247077942 CEST	192.168.2.4	1.1.1.1	0xa021	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:08.350662947 CEST	192.168.2.4	1.1.1.1	0x2c70	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:08.362678051 CEST	192.168.2.4	1.1.1.1	0x9283	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:08.370526075 CEST	192.168.2.4	1.1.1.1	0xe89f	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 02:17:10.116456985 CEST	192.168.2.4	1.1.1.1	0x86d	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:10.473655939 CEST	192.168.2.4	1.1.1.1	0x47e0	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:10.484427929 CEST	192.168.2.4	1.1.1.1	0x7f8	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:10.493236065 CEST	192.168.2.4	1.1.1.1	0x2fb1	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 02:17:13.643280983 CEST	192.168.2.4	1.1.1.1	0x1e67	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 02:17:13.683420897 CEST	192.168.2.4	1.1.1.1	0xbace	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:13.691648960 CEST	192.168.2.4	1.1.1.1	0xd8c6	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:13.715747118 CEST	192.168.2.4	1.1.1.1	0x8be7	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 02:17:13.743855953 CEST	192.168.2.4	1.1.1.1	0x3f41	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:13.758455992 CEST	192.168.2.4	1.1.1.1	0x4a4f	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:13.764813900 CEST	192.168.2.4	1.1.1.1	0xeeb9	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:13.776465893 CEST	192.168.2.4	1.1.1.1	0xcb9d	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 02:17:13.776901960 CEST	192.168.2.4	1.1.1.1	0x60bc	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 02:17:20.148315907 CEST	192.168.2.4	1.1.1.1	0xaa92	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 02:17:20.169995070 CEST	192.168.2.4	1.1.1.1	0x970d	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 02:17:25.730742931 CEST	192.168.2.4	1.1.1.1	0x8bb6	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.730742931 CEST	192.168.2.4	1.1.1.1	0x9429	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.730974913 CEST	192.168.2.4	1.1.1.1	0xef2f	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.738533974 CEST	192.168.2.4	1.1.1.1	0xc038	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.738605976 CEST	192.168.2.4	1.1.1.1	0x9fb5	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.739077091 CEST	192.168.2.4	1.1.1.1	0x90b7	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.745832920 CEST	192.168.2.4	1.1.1.1	0xf69d	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 14, 2024 02:17:25.745887041 CEST	192.168.2.4	1.1.1.1	0xa969	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 14, 2024 02:17:25.746253014 CEST	192.168.2.4	1.1.1.1	0xe04e	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 14, 2024 02:17:25.753277063 CEST	192.168.2.4	1.1.1.1	0xae02	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.753628969 CEST	192.168.2.4	1.1.1.1	0xc526	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:26.075174093 CEST	192.168.2.4	1.1.1.1	0x3faa	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:26.075294971 CEST	192.168.2.4	1.1.1.1	0x714e	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:26.082683086 CEST	192.168.2.4	1.1.1.1	0x9c37	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 14, 2024 02:17:26.083309889 CEST	192.168.2.4	1.1.1.1	0x2460	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 14, 2024 02:17:30.951987982 CEST	192.168.2.4	1.1.1.1	0x9dae	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:30.960155010 CEST	192.168.2.4	1.1.1.1	0xeaad	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 02:17:33.763088942 CEST	192.168.2.4	1.1.1.1	0xa0f9	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 02:17:33.782188892 CEST	192.168.2.4	1.1.1.1	0xd4a4	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:33.790884018 CEST	192.168.2.4	1.1.1.1	0xd08b	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:33.795622110 CEST	192.168.2.4	1.1.1.1	0xe170	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:33.800040960 CEST	192.168.2.4	1.1.1.1	0x75ac	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:33.817028046 CEST	192.168.2.4	1.1.1.1	0x7bd2	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 14, 2024 02:17:33.818465948 CEST	192.168.2.4	1.1.1.1	0xdb7e	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 02:17:34.300823927 CEST	192.168.2.4	1.1.1.1	0xccae	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:51.833538055 CEST	192.168.2.4	1.1.1.1	0xd2b7	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:51.841070890 CEST	192.168.2.4	1.1.1.1	0x7f0b	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 02:18:04.281636953 CEST	192.168.2.4	1.1.1.1	0x1012	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 02:18:32.380196095 CEST	192.168.2.4	1.1.1.1	0xb42f	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:18:32.388394117 CEST	192.168.2.4	1.1.1.1	0x75c8	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 02:18:32.898727894 CEST	192.168.2.4	1.1.1.1	0xfaa	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 14, 2024 02:17:05.189372063 CEST	1.1.1.1	192.168.2.4	0xccf1	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:05.219472885 CEST	1.1.1.1	192.168.2.4	0xeff0	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:07.183990002 CEST	1.1.1.1	192.168.2.4	0xf60d	No error (0)	youtube.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:07.201562881 CEST	1.1.1.1	192.168.2.4	0xeb16	No error (0)	youtube.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:07.221937895 CEST	1.1.1.1	192.168.2.4	0x2018	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 14, 2024 02:17:07.372747898 CEST	1.1.1.1	192.168.2.4	0x9d75	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 02:17:07.372747898 CEST	1.1.1.1	192.168.2.4	0x9d75	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:07.386105061 CEST	1.1.1.1	192.168.2.4	0x8ab2	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:07.400346994 CEST	1.1.1.1	192.168.2.4	0xbaa5	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 14, 2024 02:17:07.590650082 CEST	1.1.1.1	192.168.2.4	0x8224	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:07.599618912 CEST	1.1.1.1	192.168.2.4	0x5c89	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:07.602688074 CEST	1.1.1.1	192.168.2.4	0x1059	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 02:17:07.602688074 CEST	1.1.1.1	192.168.2.4	0x1059	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:07.608280897 CEST	1.1.1.1	192.168.2.4	0x370f	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 02:17:07.608280897 CEST	1.1.1.1	192.168.2.4	0x370f	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:07.615439892 CEST	1.1.1.1	192.168.2.4	0x761c	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:07.617952108 CEST	1.1.1.1	192.168.2.4	0x74b3	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:07.967237949 CEST	1.1.1.1	192.168.2.4	0x216	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:07.967761040 CEST	1.1.1.1	192.168.2.4	0x2781	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:07.967761040 CEST	1.1.1.1	192.168.2.4	0x2781	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:08.253711939 CEST	1.1.1.1	192.168.2.4	0xa021	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 02:17:08.253711939 CEST	1.1.1.1	192.168.2.4	0xa021	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:08.357414961 CEST	1.1.1.1	192.168.2.4	0x2c70	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 02:17:08.357414961 CEST	1.1.1.1	192.168.2.4	0x2c70	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 02:17:08.357414961 CEST	1.1.1.1	192.168.2.4	0x2c70	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:08.369266987 CEST	1.1.1.1	192.168.2.4	0x9283	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:08.377219915 CEST	1.1.1.1	192.168.2.4	0xe89f	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 14, 2024 02:17:10.133105993 CEST	1.1.1.1	192.168.2.4	0x86d	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 02:17:10.480554104 CEST	1.1.1.1	192.168.2.4	0x47e0	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:10.492611885 CEST	1.1.1.1	192.168.2.4	0x7f8	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:13.649518967 CEST	1.1.1.1	192.168.2.4	0x395b	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 02:17:13.649518967 CEST	1.1.1.1	192.168.2.4	0x395b	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:13.690861940 CEST	1.1.1.1	192.168.2.4	0xbace	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 02:17:13.690861940 CEST	1.1.1.1	192.168.2.4	0xbace	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 02:17:13.690861940 CEST	1.1.1.1	192.168.2.4	0xbace	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:13.715276957 CEST	1.1.1.1	192.168.2.4	0xd8c6	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:13.747049093 CEST	1.1.1.1	192.168.2.4	0xfb67	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:13.750715971 CEST	1.1.1.1	192.168.2.4	0x3f41	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 02:17:13.750715971 CEST	1.1.1.1	192.168.2.4	0x3f41	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:13.768779039 CEST	1.1.1.1	192.168.2.4	0x4a4f	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:13.772824049 CEST	1.1.1.1	192.168.2.4	0xeeb9	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:17.663544893 CEST	1.1.1.1	192.168.2.4	0x25a3	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.737857103 CEST	1.1.1.1	192.168.2.4	0x9429	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 02:17:25.737857103 CEST	1.1.1.1	192.168.2.4	0x9429	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.737857103 CEST	1.1.1.1	192.168.2.4	0x9429	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.737857103 CEST	1.1.1.1	192.168.2.4	0x9429	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.737857103 CEST	1.1.1.1	192.168.2.4	0x9429	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.737857103 CEST	1.1.1.1	192.168.2.4	0x9429	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.737857103 CEST	1.1.1.1	192.168.2.4	0x9429	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.737857103 CEST	1.1.1.1	192.168.2.4	0x9429	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.737857103 CEST	1.1.1.1	192.168.2.4	0x9429	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.737857103 CEST	1.1.1.1	192.168.2.4	0x9429	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.737857103 CEST	1.1.1.1	192.168.2.4	0x9429	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.737857103 CEST	1.1.1.1	192.168.2.4	0x9429	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.737857103 CEST	1.1.1.1	192.168.2.4	0x9429	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.737857103 CEST	1.1.1.1	192.168.2.4	0x9429	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.737857103 CEST	1.1.1.1	192.168.2.4	0x9429	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.737857103 CEST	1.1.1.1	192.168.2.4	0x9429	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.737857103 CEST	1.1.1.1	192.168.2.4	0x9429	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.737888098 CEST	1.1.1.1	192.168.2.4	0x8bb6	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 02:17:25.737888098 CEST	1.1.1.1	192.168.2.4	0x8bb6	No error (0)	star-mini.c10r.facebook.com		157.240.253.35	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.738375902 CEST	1.1.1.1	192.168.2.4	0xef2f	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 02:17:25.738375902 CEST	1.1.1.1	192.168.2.4	0xef2f	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.745250940 CEST	1.1.1.1	192.168.2.4	0xc038	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.745250940 CEST	1.1.1.1	192.168.2.4	0xc038	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.745250940 CEST	1.1.1.1	192.168.2.4	0xc038	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.745250940 CEST	1.1.1.1	192.168.2.4	0xc038	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.745250940 CEST	1.1.1.1	192.168.2.4	0xc038	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.745250940 CEST	1.1.1.1	192.168.2.4	0xc038	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.745250940 CEST	1.1.1.1	192.168.2.4	0xc038	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.745250940 CEST	1.1.1.1	192.168.2.4	0xc038	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.745250940 CEST	1.1.1.1	192.168.2.4	0xc038	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.745250940 CEST	1.1.1.1	192.168.2.4	0xc038	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.745250940 CEST	1.1.1.1	192.168.2.4	0xc038	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.745250940 CEST	1.1.1.1	192.168.2.4	0xc038	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.745250940 CEST	1.1.1.1	192.168.2.4	0xc038	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.745250940 CEST	1.1.1.1	192.168.2.4	0xc038	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.745250940 CEST	1.1.1.1	192.168.2.4	0xc038	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.745250940 CEST	1.1.1.1	192.168.2.4	0xc038	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.745295048 CEST	1.1.1.1	192.168.2.4	0x9fb5	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.745924950 CEST	1.1.1.1	192.168.2.4	0x90b7	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:25.752732992 CEST	1.1.1.1	192.168.2.4	0xa969	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 14, 2024 02:17:25.752732992 CEST	1.1.1.1	192.168.2.4	0xa969	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 14, 2024 02:17:25.752732992 CEST	1.1.1.1	192.168.2.4	0xa969	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 14, 2024 02:17:25.752732992 CEST	1.1.1.1	192.168.2.4	0xa969	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 14, 2024 02:17:25.753045082 CEST	1.1.1.1	192.168.2.4	0xf69d	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 14, 2024 02:17:25.753412008 CEST	1.1.1.1	192.168.2.4	0xe04e	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 14, 2024 02:17:26.074007034 CEST	1.1.1.1	192.168.2.4	0xc526	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:26.074182987 CEST	1.1.1.1	192.168.2.4	0xae02	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 02:17:26.074182987 CEST	1.1.1.1	192.168.2.4	0xae02	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:26.074182987 CEST	1.1.1.1	192.168.2.4	0xae02	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:26.074182987 CEST	1.1.1.1	192.168.2.4	0xae02	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:26.074182987 CEST	1.1.1.1	192.168.2.4	0xae02	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:26.082123041 CEST	1.1.1.1	192.168.2.4	0x714e	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:26.082252979 CEST	1.1.1.1	192.168.2.4	0x3faa	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:26.082252979 CEST	1.1.1.1	192.168.2.4	0x3faa	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:26.082252979 CEST	1.1.1.1	192.168.2.4	0x3faa	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:26.082252979 CEST	1.1.1.1	192.168.2.4	0x3faa	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:30.959094048 CEST	1.1.1.1	192.168.2.4	0x9dae	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:33.769820929 CEST	1.1.1.1	192.168.2.4	0xad10	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 02:17:33.769820929 CEST	1.1.1.1	192.168.2.4	0xad10	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:33.793562889 CEST	1.1.1.1	192.168.2.4	0xd4a4	No error (0)	services.addons.mozilla.org		52.222.236.120	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:33.793562889 CEST	1.1.1.1	192.168.2.4	0xd4a4	No error (0)	services.addons.mozilla.org		52.222.236.80	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:33.793562889 CEST	1.1.1.1	192.168.2.4	0xd4a4	No error (0)	services.addons.mozilla.org		52.222.236.23	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:33.793562889 CEST	1.1.1.1	192.168.2.4	0xd4a4	No error (0)	services.addons.mozilla.org		52.222.236.48	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:33.798057079 CEST	1.1.1.1	192.168.2.4	0xd08b	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 02:17:33.798057079 CEST	1.1.1.1	192.168.2.4	0xd08b	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:33.805640936 CEST	1.1.1.1	192.168.2.4	0xe170	No error (0)	services.addons.mozilla.org		52.222.236.48	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:33.805640936 CEST	1.1.1.1	192.168.2.4	0xe170	No error (0)	services.addons.mozilla.org		52.222.236.23	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:33.805640936 CEST	1.1.1.1	192.168.2.4	0xe170	No error (0)	services.addons.mozilla.org		52.222.236.80	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:33.805640936 CEST	1.1.1.1	192.168.2.4	0xe170	No error (0)	services.addons.mozilla.org		52.222.236.120	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:33.806869030 CEST	1.1.1.1	192.168.2.4	0x75ac	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:34.307915926 CEST	1.1.1.1	192.168.2.4	0xccae	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 02:17:34.307915926 CEST	1.1.1.1	192.168.2.4	0xccae	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:17:35.067270041 CEST	1.1.1.1	192.168.2.4	0xa960	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 02:17:35.067270041 CEST	1.1.1.1	192.168.2.4	0xa960	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 02:17:51.840553999 CEST	1.1.1.1	192.168.2.4	0xd2b7	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:18:04.280395031 CEST	1.1.1.1	192.168.2.4	0x72e0	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:18:32.386863947 CEST	1.1.1.1	192.168.2.4	0xb42f	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 02:18:32.905752897 CEST	1.1.1.1	192.168.2.4	0xfaa	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 02:18:32.905752897 CEST	1.1.1.1	192.168.2.4	0xfaa	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49740	34.107.221.82	80	4500	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 02:17:07.414191961 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 02:17:07.870045900 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 02:10:33 GMT Age: 79594 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49748	34.107.221.82	80	4500	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 02:17:08.270159006 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 02:17:08.727519035 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 23052 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49750	34.107.221.82	80	4500	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 02:17:08.381119013 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 02:17:08.844611883 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 00:21:31 GMT Age: 86137 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 02:17:09.683598995 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 02:17:09.782282114 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 00:21:31 GMT Age: 86138 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 02:17:10.115993023 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 02:17:10.214541912 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 00:21:31 GMT Age: 86139 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 02:17:13.641237974 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 02:17:13.740094900 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 00:21:31 GMT Age: 86142 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 02:17:17.653603077 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 02:17:17.752077103 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 00:21:31 GMT Age: 86146 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 02:17:19.622647047 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 02:17:19.721934080 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 00:21:31 GMT Age: 86148 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 02:17:20.947981119 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 02:17:21.046420097 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 00:21:31 GMT Age: 86150 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 02:17:31.059448004 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 02:17:31.468024969 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 02:17:31.566647053 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 00:21:31 GMT Age: 86160 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 02:17:34.300478935 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 02:17:34.399003029 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 00:21:31 GMT Age: 86163 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 02:17:34.556157112 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 02:17:34.654752970 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 00:21:31 GMT Age: 86163 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 02:17:34.791176081 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 02:17:34.889738083 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 00:21:31 GMT Age: 86163 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 02:17:35.043098927 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 02:17:35.141792059 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 00:21:31 GMT Age: 86164 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 02:17:45.143524885 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 02:17:52.328989029 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 02:17:52.427586079 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 00:21:31 GMT Age: 86181 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 02:18:02.438684940 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 02:18:04.768913984 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 02:18:04.867629051 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 00:21:31 GMT Age: 86193 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 02:18:14.867482901 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 02:18:24.884533882 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 02:18:32.898502111 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 02:18:32.996983051 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 00:21:31 GMT Age: 86221 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 02:18:43.007266045 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 02:18:53.020018101 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 02:19:03.034322977 CEST	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49752	34.107.221.82	80	4500	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 02:17:08.998980045 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 02:17:09.454452991 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 23053 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 02:17:10.043863058 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 02:17:10.140311956 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 23054 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 02:17:10.936780930 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 02:17:11.033921003 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 23054 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 02:17:13.750091076 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 02:17:13.846872091 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 23057 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 02:17:18.025901079 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 02:17:18.134270906 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 23062 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 02:17:20.184746027 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 02:17:20.281560898 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 23064 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 02:17:21.225087881 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 02:17:21.322220087 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 23065 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 02:17:31.329001904 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 02:17:31.572318077 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 02:17:31.669055939 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 23075 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 02:17:34.402081013 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 02:17:34.498569965 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 23078 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 02:17:34.659893036 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 02:17:34.756783009 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 23078 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 02:17:34.892955065 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 02:17:34.990118980 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 23078 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 02:17:35.144171000 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 02:17:35.240957022 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 23079 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 02:17:35.592788935 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 23079 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 02:17:45.243799925 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 02:17:52.429976940 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 02:17:52.526715040 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 23096 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 02:18:02.539019108 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 02:18:04.889900923 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 02:18:04.986112118 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 23108 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 02:18:05.519063950 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 23108 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 02:18:05.519232988 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 23108 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 02:18:14.998863935 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 02:18:25.006946087 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 02:18:33.000619888 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 02:18:33.097300053 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 23137 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 02:18:43.107570887 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 02:18:53.120373964 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 02:19:03.134543896 CEST	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	20:16:58
Start date:	13/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x720000
File size:	919'552 bytes
MD5 hash:	D29616A63CC243D71D01C45A8C366BF1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialFlusher, Description: Yara detected Credential Flusher, Source: 00000000.00000003.1745082520.000000000150F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	20:16:59
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x650000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	20:16:59
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	20:17:01
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x650000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	20:17:01
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	20:17:01
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x650000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	20:17:01
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	20:17:01
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x650000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	20:17:01
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	20:17:01
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x650000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	20:17:01
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	20:17:01
Start date:	13/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	20:17:02
Start date:	13/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	20:17:02
Start date:	13/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	20:17:02
Start date:	13/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fed7d3f9-3f84-4124-88f8-77ce22b2e84c} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" 207eab70110 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	20:17:04
Start date:	13/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4124 -parentBuildID 20230927232528 -prefsHandle 1436 -prefMapHandle 1440 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {db1543cd-8414-42c4-bb43-4630dcef5d4a} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" 207fa65b510 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	20:17:13
Start date:	13/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5044 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5036 -prefMapHandle 4932 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65da813e-ccec-4f64-88d9-a37c36bab38f} 4500 "\\.\pipe\gecko-crash-server-pipe.4500" 208064bcf10 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.8%
Total number of Nodes:	1512
Total number of Limit Nodes:	55

Executed Functions

Function 007242DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0072430D

Part of subcall function 00726B57: _wcslen.LIBCMT ref: 00726B6A

GetCurrentProcess.KERNEL32(?,007BCB64,00000000,?,?), ref: 00724422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00724429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00724454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00724466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00724474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0072447B
GetSystemInfo.KERNEL32(?,?,?), ref: 007244A0

Strings

|O, xrefs: 007636F8
GetNativeSystemInfo, xrefs: 00724460
kernel32.dll, xrefs: 0072444F

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: f902f13b2c1899890fba82d93ab3f64d3e5d0f993230a005efafad1f771ed1df
Instruction ID: c8d1e2d4b949a932aa2a8ed207e9cbec3f177ef42452b1ecac9425bd3a5fb38d
Opcode Fuzzy Hash: f902f13b2c1899890fba82d93ab3f64d3e5d0f993230a005efafad1f771ed1df
Instruction Fuzzy Hash: 2DA1937690A2D4DFC712D76DBC856B57FE46F36300F98D8A9D48593A22D23C4608CB2D

Function 007242A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,007250AA,?,?,00000000,00000000), ref: 007242B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,007250AA,?,?,00000000,00000000), ref: 007242C9
LoadResource.KERNEL32(?,00000000,?,?,007250AA,?,?,00000000,00000000,?,?,?,?,?,?,00724F20), ref: 007635BE
SizeofResource.KERNEL32(?,00000000,?,?,007250AA,?,?,00000000,00000000,?,?,?,?,?,?,00724F20), ref: 007635D3
LockResource.KERNEL32(007250AA,?,?,007250AA,?,?,00000000,00000000,?,?,?,?,?,?,00724F20,?), ref: 007635E6

Strings

SCRIPT, xrefs: 007242BF

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 2ce7ab4081e2a6c447f27ae9aa3d24e5cb3768d782398a50ea21fd75600a7b82
Instruction ID: 2ebce564676b447562d207669c883d56f89e96743ec9bf5d1b5e1868c5f2f734
Opcode Fuzzy Hash: 2ce7ab4081e2a6c447f27ae9aa3d24e5cb3768d782398a50ea21fd75600a7b82
Instruction Fuzzy Hash: 5C113C71200711FFDB228B66EC49F677BB9FBC5B51F148269B406D6250DB75DC009670

Function 00762BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00722B6B

Part of subcall function 00723A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,007F1418,?,00722E7F,?,?,?,00000000), ref: 00723A78

Part of subcall function 00729CB3: _wcslen.LIBCMT ref: 00729CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,007E2224), ref: 00762C10
ShellExecuteW.SHELL32(00000000,?,?,007E2224), ref: 00762C17

Strings

runas, xrefs: 00762C0B

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 726bae685b6968d0726863647ff01b7aabd99b75ca428a3532d67a146aea61ee
Instruction ID: 20bc5a98b93de211c06de6e692841e395a45a50e661725c05dc2678d1e3a19bf
Opcode Fuzzy Hash: 726bae685b6968d0726863647ff01b7aabd99b75ca428a3532d67a146aea61ee
Instruction Fuzzy Hash: 7D110671208395EAC714FF60F859DBEB7A8ABD4300F48482DF186170A3DF2D8A4AC712

Function 0078D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0078D501
Process32FirstW.KERNEL32(00000000,?), ref: 0078D50F
Process32NextW.KERNEL32(00000000,?), ref: 0078D52F
CloseHandle.KERNELBASE(00000000), ref: 0078D5DC

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: b480af3dedc14eaf02ba11b54844831212d42abbb7368f9cd6140e770bf032ce
Instruction ID: 46ebd2bad62f20633bb877a18dfc751a37aa7ceab84be8208878adc0a277866a
Opcode Fuzzy Hash: b480af3dedc14eaf02ba11b54844831212d42abbb7368f9cd6140e770bf032ce
Instruction Fuzzy Hash: BD31B171008304DFD311EF54D889EAFBBE8EF99354F14492DF581921A1EB759948CBA2

Function 0078DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00765222), ref: 0078DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0078DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0078DBEE
FindClose.KERNEL32(00000000), ref: 0078DBFA

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 106e2c03fc25f79306996e6f682a61dbb351f58b54c1487ba7da8afded9bcdb1
Instruction ID: ff589d564d9033de721c1137a94fb0da77cd748aa1cc778f7a0da08e7eafab48
Opcode Fuzzy Hash: 106e2c03fc25f79306996e6f682a61dbb351f58b54c1487ba7da8afded9bcdb1
Instruction Fuzzy Hash: 9EF0A0308509145B9231BB7CAC0D9AA376CAE01334F10C702F836C20E0EBB85D5486A9

Function 00744CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(007528E9,?,00744CBE,007528E9,007E88B8,0000000C,00744E15,007528E9,00000002,00000000,?,007528E9), ref: 00744D09
TerminateProcess.KERNEL32(00000000,?,00744CBE,007528E9,007E88B8,0000000C,00744E15,007528E9,00000002,00000000,?,007528E9), ref: 00744D10
ExitProcess.KERNEL32 ref: 00744D22

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 507bed53f00e7e72bcedf458f7a0adeecd3cf86e63ec3cd54c6a15fd31a6d920
Instruction ID: 5a80d977b009f50edb8bd3595c16f1ab132b7a68868ee0299b65b81772e57ffc
Opcode Fuzzy Hash: 507bed53f00e7e72bcedf458f7a0adeecd3cf86e63ec3cd54c6a15fd31a6d920
Instruction Fuzzy Hash: 17E0B631500548ABCF12AF64DD09F583BA9EB41781B50C118FD059B132CB7DDD42DE84

Function 007AAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 007AB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007AB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007AB1D4
_wcslen.LIBCMT ref: 007AB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007AB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007AB236
_wcslen.LIBCMT ref: 007AB332

Part of subcall function 007905A7: GetStdHandle.KERNEL32(000000F6), ref: 007905C6

_wcslen.LIBCMT ref: 007AB34B
_wcslen.LIBCMT ref: 007AB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 007AB3B6
GetLastError.KERNEL32(00000000), ref: 007AB407
CloseHandle.KERNEL32(?), ref: 007AB439
CloseHandle.KERNEL32(00000000), ref: 007AB44A
CloseHandle.KERNEL32(00000000), ref: 007AB45C
CloseHandle.KERNEL32(00000000), ref: 007AB46E
CloseHandle.KERNEL32(?), ref: 007AB4E3

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 9e7e4b4beb5cc8960129704cb3d54e9288532f591869ab59a7ec00b16d98fb50
Instruction ID: fac0e82384fe7c0ff06aa9393bbfb3e8c6764cef624df5bafd96e4264112c4f7
Opcode Fuzzy Hash: 9e7e4b4beb5cc8960129704cb3d54e9288532f591869ab59a7ec00b16d98fb50
Instruction Fuzzy Hash: 24F19C31508350DFCB14EF24D895B6EBBE5AF86310F14865DF8899B2A2CB39EC44CB52

Function 0072D730 Relevance: 21.6, APIs: 14, Instructions: 631sleepsynchronizationtimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0072D807
timeGetTime.WINMM ref: 0072DA07
Sleep.KERNELBASE(0000000A), ref: 0072DBB1
Sleep.KERNEL32(0000000A), ref: 00772B76
GetExitCodeProcess.KERNEL32(?,?), ref: 00772C11
WaitForSingleObject.KERNEL32(?,00000000), ref: 00772C29
CloseHandle.KERNEL32(?), ref: 00772C3D
Sleep.KERNEL32(?,CCCCCCCC,00000000), ref: 00772CA9

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Sleep$CloseCodeExitHandleInputObjectProcessSingleStateTimeWaittime
String ID:
API String ID: 388478766-0
Opcode ID: 586e6a62c2011161c68ef3e31da03b91cffd6efc393bf124eb08f66ad56c9c12
Instruction ID: 6113fa0cb12c6cc222c48194a9cc4d75bf88114bb0477b145eca2ddcf0a1ebb8
Opcode Fuzzy Hash: 586e6a62c2011161c68ef3e31da03b91cffd6efc393bf124eb08f66ad56c9c12
Instruction Fuzzy Hash: A942DE70608251DFDB39CF24D858BAAB7A1BF85300F54C619E4A987292D77CEC85CB92

Function 00722CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00722D07
RegisterClassExW.USER32(00000030), ref: 00722D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00722D42
InitCommonControlsEx.COMCTL32(?), ref: 00722D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00722D6F
LoadIconW.USER32(000000A9), ref: 00722D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00722D94

Strings

+, xrefs: 00722CF0
AutoIt v3 GUI, xrefs: 00722D23
0, xrefs: 00722CE9
TaskbarCreated, xrefs: 00722D37

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 06dd06aa01317eafe0786cd8d5e1b1ee4c124fa52bc50bcdb7cebc309166a320
Instruction ID: 3390620c4d28192796d540927520a0b8a533137ade6a1f54eed73119a89a4cc3
Opcode Fuzzy Hash: 06dd06aa01317eafe0786cd8d5e1b1ee4c124fa52bc50bcdb7cebc309166a320
Instruction Fuzzy Hash: 4621E3B1901248EFDB01DFA4EC89BEDBBB4FB08700F00C21AF551A62A0D7B95540CF98

Function 0076065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0076039A: CreateFileW.KERNELBASE(00000000,00000000,?,00760704,?,?,00000000,?,00760704,00000000,0000000C), ref: 007603B7

GetLastError.KERNEL32 ref: 0076076F
__dosmaperr.LIBCMT ref: 00760776
GetFileType.KERNELBASE(00000000), ref: 00760782
GetLastError.KERNEL32 ref: 0076078C
__dosmaperr.LIBCMT ref: 00760795
CloseHandle.KERNEL32(00000000), ref: 007607B5
CloseHandle.KERNEL32(?), ref: 007608FF
GetLastError.KERNEL32 ref: 00760931
__dosmaperr.LIBCMT ref: 00760938

Strings

H, xrefs: 007608BD

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: fca185340ae4979225542883ef82a1a0118ae34b2d704771e19e0459aa602bd2
Instruction ID: 5f588f9084845882dd785aeee614efdd45709330a0f459ba79fcf233a4c0ae52
Opcode Fuzzy Hash: fca185340ae4979225542883ef82a1a0118ae34b2d704771e19e0459aa602bd2
Instruction Fuzzy Hash: 9EA12632A141098FDF19EF68D855BAE3BE0AB06320F14415DFC169B392DB399D12CBD2

Function 0072344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00723A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,007F1418,?,00722E7F,?,?,?,00000000), ref: 00723A78

Part of subcall function 00723357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00723379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0072356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0076318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 007631CE
RegCloseKey.ADVAPI32(?), ref: 00763210
_wcslen.LIBCMT ref: 00763277
_wcslen.LIBCMT ref: 00763286

Strings

Software\AutoIt v3\AutoIt, xrefs: 00723560
\Include\, xrefs: 00723527
Include, xrefs: 00763184, 007631C5
\, xrefs: 0076328C

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 603d5c45146273cbe0789e4dff280e46e21e268c8f49e1146c05d93aa21ec500
Instruction ID: f65f74c83e052af104cc488cc11002fb9a003ebf4aeba75fc6498ae772ee4125
Opcode Fuzzy Hash: 603d5c45146273cbe0789e4dff280e46e21e268c8f49e1146c05d93aa21ec500
Instruction Fuzzy Hash: 12718CB1404315AFC314EF29EC859ABBBE8FF85740F40842EF54587162EB3C9A49CB66

Function 00722B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00722B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00722B9D
LoadIconW.USER32(00000063), ref: 00722BB3
LoadIconW.USER32(000000A4), ref: 00722BC5
LoadIconW.USER32(000000A2), ref: 00722BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00722BEF
RegisterClassExW.USER32(?), ref: 00722C40

Part of subcall function 00722CD4: GetSysColorBrush.USER32(0000000F), ref: 00722D07
Part of subcall function 00722CD4: RegisterClassExW.USER32(00000030), ref: 00722D31
Part of subcall function 00722CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00722D42
Part of subcall function 00722CD4: InitCommonControlsEx.COMCTL32(?), ref: 00722D5F
Part of subcall function 00722CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00722D6F
Part of subcall function 00722CD4: LoadIconW.USER32(000000A9), ref: 00722D85
Part of subcall function 00722CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00722D94

Strings

#, xrefs: 00722C16
0, xrefs: 00722C0F
AutoIt v3, xrefs: 00722C2F

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: d5abf2e1cda7d3df26ac4c3d7a3ad39139b669692e6e82097eb983cd8f0cc24e
Instruction ID: cb4cc6ec46db0b637048ea7a8e423426bb28679888bff5694a73e5488d225db3
Opcode Fuzzy Hash: d5abf2e1cda7d3df26ac4c3d7a3ad39139b669692e6e82097eb983cd8f0cc24e
Instruction Fuzzy Hash: 8B214970E00318EBDB119FA6EC59BAA7FB4FF48B50F40C02AF500A66A0D7B90544CF99

Function 00723170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0072316A,?,?), ref: 007231D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0072316A,?,?), ref: 00723204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00723227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0072316A,?,?), ref: 00723232
CreatePopupMenu.USER32 ref: 00723246
PostQuitMessage.USER32(00000000), ref: 00723267

Strings

TaskbarCreated, xrefs: 0072322D

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: cc5675a41b6ca15d9f1bec5637d2f423b1044677300b68b51e8bea06c5cc0b37
Instruction ID: 5f52cafda3e0aa371b50fb7e3422e4372a84facd51b6b59217eb992b6db6a02e
Opcode Fuzzy Hash: cc5675a41b6ca15d9f1bec5637d2f423b1044677300b68b51e8bea06c5cc0b37
Instruction Fuzzy Hash: 61416831240268E7DB155B78BC0DB793B69FB05340F448125F942962A2CB7EDA01D7A5

Function 00721410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00721459
CoUninitialize.COMBASE ref: 007214F8
UnregisterHotKey.USER32(?), ref: 007216DD
DestroyWindow.USER32(?), ref: 007624B9
FreeLibrary.KERNEL32(?), ref: 0076251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0076254B

Strings

close all, xrefs: 00721454

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 0c39c30382e8c4f7084a6ac891c161fc5c41953d7beb415e0cc937bda0869b57
Instruction ID: 0c042aa72a7440c28014c503a9db873f0522b695569b53e2ba47eabc9fd91222
Opcode Fuzzy Hash: 0c39c30382e8c4f7084a6ac891c161fc5c41953d7beb415e0cc937bda0869b57
Instruction Fuzzy Hash: B4D15E31701622CFDB29EF15D499A29F7A0BF15700F5481ADE84B6B262DB38AD23CF51

Function 00722C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00722C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00722CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00721CAD,?), ref: 00722CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00721CAD,?), ref: 00722CCF

Strings

edit, xrefs: 00722CAC
AutoIt v3, xrefs: 00722C89, 00722C8E, 00722C8F

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 9f76eef8d5e629ea30ebfc2871bbdd783a59ac970424b8b37c3dbce3f904ecd7
Instruction ID: 91f5d9841d3d6f522be1225caf1a6e8f3fbdabd323edf60c6b50e8fedd30314f
Opcode Fuzzy Hash: 9f76eef8d5e629ea30ebfc2871bbdd783a59ac970424b8b37c3dbce3f904ecd7
Instruction Fuzzy Hash: 36F0DA76540290BAEB311717AC08FB72FBDEBC7F60F40805AF900A65A0C6691850DAB8

Function 00723B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00723B0F,SwapMouseButtons,00000004,?), ref: 00723B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00723B0F,SwapMouseButtons,00000004,?), ref: 00723B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00723B0F,SwapMouseButtons,00000004,?), ref: 00723B83

Strings

Control Panel\Mouse, xrefs: 00723B3E

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 7cb4a3db43f3b861f09aa1ae88ac4ccae78065330f8126ebdecad70a99325254
Instruction ID: 04d77e192a6958401f2ee389c901895f426ea9c31c3a88b6cf8ced05c85c5bf0
Opcode Fuzzy Hash: 7cb4a3db43f3b861f09aa1ae88ac4ccae78065330f8126ebdecad70a99325254
Instruction Fuzzy Hash: 74113CB5511218FFDB21CFA5EC44EAFB7B8EF04744B108559F805D7110E2399F409B64

Function 00723923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 007633A2

Part of subcall function 00726B57: _wcslen.LIBCMT ref: 00726B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00723A04

Strings

Line: , xrefs: 007633EB

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 6a9556f3a570ff58158e13ee822ddb96c9deaeeb87fbcb2d19ff28512f1638c7
Instruction ID: b48c4435345498e48cc8086aa46799009977f596edd0bf8f8718595c615fa9b7
Opcode Fuzzy Hash: 6a9556f3a570ff58158e13ee822ddb96c9deaeeb87fbcb2d19ff28512f1638c7
Instruction Fuzzy Hash: 0D31D671508324EAC725EB10EC49FEBB7E8AF45714F00892AF59983191DB7CAB48C7C6

Function 00722DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00762C8C

Part of subcall function 00723AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00723A97,?,?,00722E7F,?,?,?,00000000), ref: 00723AC2

Part of subcall function 00722DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00722DC4

Strings

X, xrefs: 00762C5A
`e~, xrefs: 00762C85

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e~
API String ID: 779396738-116474759
Opcode ID: a62d3a87dfe1d2cdf1bb1ff7017ee34f0b11e24fbbc79165cd2d65d9f770560f
Instruction ID: 0e81d08a930ebbd188800462949c1d3f7e69b1b53ccfe3cc2f5748dbdd16d890
Opcode Fuzzy Hash: a62d3a87dfe1d2cdf1bb1ff7017ee34f0b11e24fbbc79165cd2d65d9f770560f
Instruction Fuzzy Hash: 7021A871E00298DFCB41EF94D849BEE7BF89F59314F108059E405B7241DBBC9A498FA1

Function 0073FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00740668

Part of subcall function 007432A4: RaiseException.KERNEL32(?,?,?,0074068A,?,007F1444,?,?,?,?,?,?,0074068A,00721129,007E8738,00721129), ref: 00743304

__CxxThrowException@8.LIBVCRUNTIME ref: 00740685

Strings

Unknown exception, xrefs: 00740692

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: a41c68bd28f83587730a56f1b1a1f86ea88a564edf709494e6f197edbccb4c7d
Instruction ID: a501e48105a08dabe7d77c2cae4c0ae13dbdf1e7dca25dbfdcfa5a82cde4229a
Opcode Fuzzy Hash: a41c68bd28f83587730a56f1b1a1f86ea88a564edf709494e6f197edbccb4c7d
Instruction Fuzzy Hash: E9F0C234A0020DF78B04BAA4E85ED9E776CAE40350B604571FA28D6592EF79DA25C9C1

Function 007210F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00721BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00721BF4
Part of subcall function 00721BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00721BFC
Part of subcall function 00721BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00721C07
Part of subcall function 00721BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00721C12
Part of subcall function 00721BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00721C1A
Part of subcall function 00721BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00721C22

Part of subcall function 00721B4A: RegisterWindowMessageW.USER32(00000004,?,007212C4), ref: 00721BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0072136A
OleInitialize.OLE32 ref: 00721388
CloseHandle.KERNEL32(00000000,00000000), ref: 007624AB

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 3c6ed16ce67ff6fa11e112c06a5988ff0e582659edac748fd48be6266f620f26
Instruction ID: bf62d18c0ec71db43896bf1f69eaadb855d99c551bab93adb811885103527df7
Opcode Fuzzy Hash: 3c6ed16ce67ff6fa11e112c06a5988ff0e582659edac748fd48be6266f620f26
Instruction Fuzzy Hash: 4971BAB4911244CFC384EF7AA9496B53BE0BB98394FD4C23A901ACB361EB3C5464CF59

Function 0078C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00723923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00723A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0078C259
KillTimer.USER32(?,00000001,?,?), ref: 0078C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0078C270

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 771d10865722aef5ff67cac04bf1f0ef1f0072783b787b7587bf70bc17ea5e72
Instruction ID: a5d2e9b89efe0365298e6ef654930c98209d175e6c7dfdbf52e29f0156daddd4
Opcode Fuzzy Hash: 771d10865722aef5ff67cac04bf1f0ef1f0072783b787b7587bf70bc17ea5e72
Instruction Fuzzy Hash: A931C570944354AFEB63DF648895BE7BBECAF06304F00449AD2DA97281C7785A84CB61

Function 007586AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,007585CC,?,007E8CC8,0000000C), ref: 00758704
GetLastError.KERNEL32(?,007585CC,?,007E8CC8,0000000C), ref: 0075870E
__dosmaperr.LIBCMT ref: 00758739

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 2b687e4edb5f2f8d4800d429dca7a008ef7a5e5009c69f419ef6d4cf832491fc
Instruction ID: 272203a1b18634cf762b54a6057a686ebee5238308768226784257c439a15874
Opcode Fuzzy Hash: 2b687e4edb5f2f8d4800d429dca7a008ef7a5e5009c69f419ef6d4cf832491fc
Instruction Fuzzy Hash: 9B016F32A0512057D3E062345849BFE27858F8177AF390119FC08AB1D3DEEC8C89C196

Function 0072DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0072DB7B
DispatchMessageW.USER32(?), ref: 0072DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0072DB9F
Sleep.KERNELBASE(0000000A), ref: 0072DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00771CC9

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 557ebf54fa5325152ce14f9dcf714e2bdf6ebc96a101b6bf3af1b576eee1e00e
Instruction ID: 0f55269cc50eb36be42bb04360b9ab28896978b7dce2d384297f1c662120ce28
Opcode Fuzzy Hash: 557ebf54fa5325152ce14f9dcf714e2bdf6ebc96a101b6bf3af1b576eee1e00e
Instruction Fuzzy Hash: 40F0FE70644344DBEB31CBA49D59FEA73A8EF45350F50CA19E65AC70D0DB389448DB29

Function 00731310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 007317F6

Strings

CALL, xrefs: 007317C6

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: e6a3f3376ea49457cc3535de2fb46cd33c544628da6d9dcc871644399b1c75d8
Instruction ID: 7f8201e6b445e19e7f75915679012978b02eb561c58deb4f45d7b4d4e9937579
Opcode Fuzzy Hash: e6a3f3376ea49457cc3535de2fb46cd33c544628da6d9dcc871644399b1c75d8
Instruction Fuzzy Hash: DB229C70608241DFE714CF24C494B2ABBF1BF89354F58896DF49A8B362D739E851CB92

Function 00723837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00723908

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 459b450fecee3764ca4d17f1518b5a85eed5326184c59f056ea0e7b44d1b3def
Instruction ID: fa460d3dd64a4316ec8cbd49538652c644c161a2cd25f493a84aaacb94951948
Opcode Fuzzy Hash: 459b450fecee3764ca4d17f1518b5a85eed5326184c59f056ea0e7b44d1b3def
Instruction Fuzzy Hash: 1D318E70604311DFD721DF25E885BA7BBE8FF49708F00492EF99A87240E779AA44CB56

Function 0073F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0073F661

Part of subcall function 0072D730: GetInputState.USER32 ref: 0072D807

Sleep.KERNEL32(00000000), ref: 0077F2DE

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 5a6b6c4e973cc10af156f8164da7f2b20be3bab83d21e45be226ff46925173b6
Instruction ID: 1d92f43675a7e71344c89c67e290719f396be40df362727a3a056ed659f30b8b
Opcode Fuzzy Hash: 5a6b6c4e973cc10af156f8164da7f2b20be3bab83d21e45be226ff46925173b6
Instruction Fuzzy Hash: 28F08C71240615EFD310EF69E44AF6AB7E8FF49760F00816AE859CB361DB74AC10CB94

Function 00724ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00724E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00724EDD,?,007F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00724E9C
Part of subcall function 00724E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00724EAE
Part of subcall function 00724E90: FreeLibrary.KERNEL32(00000000,?,?,00724EDD,?,007F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00724EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,007F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00724EFD

Part of subcall function 00724E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00763CDE,?,007F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00724E62
Part of subcall function 00724E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00724E74
Part of subcall function 00724E59: FreeLibrary.KERNEL32(00000000,?,?,00763CDE,?,007F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00724E87

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: e6e3be6caeeccae3712aee2345af125ce12833e698611f99a5b2a43241148e08
Instruction ID: 792520d4ce130af3ad5b2cb0a2eb972d193aae8a1bc702f94d6bd84fdb2cd0f6
Opcode Fuzzy Hash: e6e3be6caeeccae3712aee2345af125ce12833e698611f99a5b2a43241148e08
Instruction Fuzzy Hash: 7711E731610215EADF25BB64ED0AFAD77A5AF90710F10842DF542A61C1EE789E059B50

Function 00758402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00758440

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 0be54f061a4d07580ff62ac5d7c21ed8655c96a761a097c4f7228b90c9b487bd
Instruction ID: a6d0d05193b950543cf54989aefba84e13f022b071544477369722613eb0c184
Opcode Fuzzy Hash: 0be54f061a4d07580ff62ac5d7c21ed8655c96a761a097c4f7228b90c9b487bd
Instruction Fuzzy Hash: 8C11487190420AAFCB05DF58E9449DA7BF9EF48300F104059FC09AB312DA71EA15CBA5

Function 0074E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 69a0a7e3601e63cdcea36509edf19cd8a34e53b274920e3b19ab4e53bb975271
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 4CF0F932510A10D7C7313A759C0DB9A339CAF52335F120715F925A21D2CBBCA80686A7

Function 00753820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,007F1444,?,0073FDF5,?,?,0072A976,00000010,007F1440,007213FC,?,007213C6,?,00721129), ref: 00753852

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: de1abf2d43b0123203a80c4fb8a9696e76f74c92494bb81c92b260fdaf1972ff
Instruction ID: 88b945eb180b9cafa0bf354ff7fc03565c177b51ab7697b8ea8cedbfe7eabcc5
Opcode Fuzzy Hash: de1abf2d43b0123203a80c4fb8a9696e76f74c92494bb81c92b260fdaf1972ff
Instruction Fuzzy Hash: 4BE0E532500228AAE73526669C05BDA3748AF427F2F090122BC14A34A0CBDDFD0581F0

Function 00724F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,007F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00724F6D

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 452f2ff7eb37e712b640b12028eedd5683a8d8b079dc831339d2725e0562ca98
Instruction ID: 90f191250c7b339309a274112f986e6df8d903bbafffb3302b1b970ee3edf238
Opcode Fuzzy Hash: 452f2ff7eb37e712b640b12028eedd5683a8d8b079dc831339d2725e0562ca98
Instruction Fuzzy Hash: E1F03971105762CFDB349F64E594C22BBE4FF543293288A7EE2EA82621C7399884DF10

Function 007B2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 007B2A66

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 973b2bbd7f1e3431ecb522f2095c795a77d01f18c7e80018c680a01a3e87bc1a
Instruction ID: ff2bdf32d73a172d98b0d1083b73d7acd8bac8d060a503fe276f5440e535ed12
Opcode Fuzzy Hash: 973b2bbd7f1e3431ecb522f2095c795a77d01f18c7e80018c680a01a3e87bc1a
Instruction Fuzzy Hash: B0E04F3679111AAAC714EA30EC84AFA775CEB503957108536EC2AC2101DB38999686A0

Function 007230F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0072314E

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: dd1dfe66974ca7e2e36c2799939f387c6a1374af680a8a58150750eac0f45a84
Instruction ID: 26d7a9ab65a6e31a9314141fd4f71ba0b8ee36373dddb7dc232c7731105c4e9a
Opcode Fuzzy Hash: dd1dfe66974ca7e2e36c2799939f387c6a1374af680a8a58150750eac0f45a84
Instruction Fuzzy Hash: E0F0A770900318DFE7529F24DC4ABE57BBCAB01708F0040E5A14896182D7784B88CF45

Function 00722DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00722DC4

Part of subcall function 00726B57: _wcslen.LIBCMT ref: 00726B6A

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: ba5ed9a122d7e4c10f8f6f3be3c02674822e77c155be43ad9e0f89b29f44064d
Instruction ID: a315f2fbb7393806e6f5bc61f226c0af8ab3838a18b11e02195121071117a1d4
Opcode Fuzzy Hash: ba5ed9a122d7e4c10f8f6f3be3c02674822e77c155be43ad9e0f89b29f44064d
Instruction Fuzzy Hash: 55E0CD726001245BC72192589C09FDA77DDDFC8790F044172FD09D7248D964AD808550

Function 00722B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00723837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00723908

Part of subcall function 0072D730: GetInputState.USER32 ref: 0072D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00722B6B

Part of subcall function 007230F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0072314E

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: af052c0efd621c90ee1b738fd22517f554186df529e579312af25402eca8db6c
Instruction ID: ecb8cdc546d72738508fb1cf8a20fc211e26273305a5aeff68f24394540ada12
Opcode Fuzzy Hash: af052c0efd621c90ee1b738fd22517f554186df529e579312af25402eca8db6c
Instruction Fuzzy Hash: 5BE07D21300268C3CB04BB74B85E57DF349DBD1351F80553EF14243263CF2C89458362

Function 0076039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00760704,?,?,00000000,?,00760704,00000000,0000000C), ref: 007603B7

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d97694007988fc07dc1aa681f7cbaac3945861818c18b0236136c3b024a00991
Instruction ID: 3ced104ee232b417ed0445bbfbd3999aa959d3a7fb51f659969d9bf4d9b468e6
Opcode Fuzzy Hash: d97694007988fc07dc1aa681f7cbaac3945861818c18b0236136c3b024a00991
Instruction Fuzzy Hash: 87D06C3204010DBBDF028F84DD06EDA3BAAFB48714F018100BE1866020C736E821AB94

Function 00721CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00721CBC

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: d58304b879fc9876a710e779fb262a8247f1de00d3129cca0a45220fd4d9bc7c
Instruction ID: 9317a7e43876a6d8625db476f9b0fc5de4d8c27586b67dee229e74fdc081b869
Opcode Fuzzy Hash: d58304b879fc9876a710e779fb262a8247f1de00d3129cca0a45220fd4d9bc7c
Instruction Fuzzy Hash: 06C09B36280305DFF2154780BC5AF207754A748B00F54C001F609555E3C3A51430D658

Non-executed Functions

Function 007B9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00739BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00739BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 007B961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007B965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 007B969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007B96C9
SendMessageW.USER32 ref: 007B96F2
GetKeyState.USER32(00000011), ref: 007B978B
GetKeyState.USER32(00000009), ref: 007B9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007B97AE
GetKeyState.USER32(00000010), ref: 007B97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007B97E9
SendMessageW.USER32 ref: 007B9810
SendMessageW.USER32(?,00001030,?,007B7E95), ref: 007B9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 007B992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 007B9941
SetCapture.USER32(?), ref: 007B994A
ClientToScreen.USER32(?,?), ref: 007B99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 007B99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007B99D6
ReleaseCapture.USER32 ref: 007B99E1
GetCursorPos.USER32(?), ref: 007B9A19
ScreenToClient.USER32(?,?), ref: 007B9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 007B9A80
SendMessageW.USER32 ref: 007B9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 007B9AEB
SendMessageW.USER32 ref: 007B9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 007B9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 007B9B4A
GetCursorPos.USER32(?), ref: 007B9B68
ScreenToClient.USER32(?,?), ref: 007B9B75
GetParent.USER32(?), ref: 007B9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 007B9BFA
SendMessageW.USER32 ref: 007B9C2B
ClientToScreen.USER32(?,?), ref: 007B9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 007B9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 007B9CDE
SendMessageW.USER32 ref: 007B9D01
ClientToScreen.USER32(?,?), ref: 007B9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 007B9D82

Part of subcall function 00739944: GetWindowLongW.USER32(?,000000EB), ref: 00739952

GetWindowLongW.USER32(?,000000F0), ref: 007B9E05

Strings

@GUI_DRAGID, xrefs: 007B997D
F, xrefs: 007B9D07

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: fe166a663b864230e7f765ebc40b89e92d7363c095776964856095184f303871
Instruction ID: 3ee384870f50b21147b78cb656f57412aef2c1a5c2a3f30461adbf583b136868
Opcode Fuzzy Hash: fe166a663b864230e7f765ebc40b89e92d7363c095776964856095184f303871
Instruction Fuzzy Hash: D3428930204250EFDB25CF24CC48FAABBE5EF49314F108659F7A9872A1D779E850CB95

Function 007B4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 007B48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 007B4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 007B4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 007B494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 007B495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 007B497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 007B49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 007B49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 007B4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 007B4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 007B4A7E
IsMenu.USER32(?), ref: 007B4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007B4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007B4B20
GetWindowLongW.USER32(?,000000F0), ref: 007B4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 007B4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 007B4C82
wsprintfW.USER32 ref: 007B4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007B4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 007B4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 007B4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007B4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 007B4D5A

Strings

%d/%02d/%02d, xrefs: 007B4CA8

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: abcf0b6ca048d6d3c924c6f63ead770d13ad1cfd379e92307a0909aa023b8c60
Instruction ID: 16862e48ed9dadf8b630a6d4b30a7296d924fe8e38a2734cc5758ccf1278058e
Opcode Fuzzy Hash: abcf0b6ca048d6d3c924c6f63ead770d13ad1cfd379e92307a0909aa023b8c60
Instruction Fuzzy Hash: 0C12CE71600214ABEB258F28CC49FEE7BF8EF49714F148269F515EB2E2DB789941CB50

Function 0073F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0073F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0077F474
IsIconic.USER32(00000000), ref: 0077F47D
ShowWindow.USER32(00000000,00000009), ref: 0077F48A
SetForegroundWindow.USER32(00000000), ref: 0077F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0077F4AA
GetCurrentThreadId.KERNEL32 ref: 0077F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0077F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0077F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0077F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0077F4DE
SetForegroundWindow.USER32(00000000), ref: 0077F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0077F4F6
keybd_event.USER32(00000012,00000000), ref: 0077F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0077F50B
keybd_event.USER32(00000012,00000000), ref: 0077F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0077F519
keybd_event.USER32(00000012,00000000), ref: 0077F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0077F528
keybd_event.USER32(00000012,00000000), ref: 0077F52D
SetForegroundWindow.USER32(00000000), ref: 0077F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0077F557

Strings

Shell_TrayWnd, xrefs: 0077F46F

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: d6531acb4fc9e86d12dee80d5d74a96a60beb7c237aab988f312bb782671927d
Instruction ID: 21608366442e62f1e8b9abd90398136b58e6625cbcb8ab0a6365630245b3ed05
Opcode Fuzzy Hash: d6531acb4fc9e86d12dee80d5d74a96a60beb7c237aab988f312bb782671927d
Instruction Fuzzy Hash: 1931A671A40218BFEF316BB58C4AFBF7E6CEB44B50F208165FA04E61D1C6B85D10AA64

Function 00781201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 007816C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0078170D
Part of subcall function 007816C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0078173A
Part of subcall function 007816C3: GetLastError.KERNEL32 ref: 0078174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00781286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 007812A8
CloseHandle.KERNEL32(?), ref: 007812B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007812D1
GetProcessWindowStation.USER32 ref: 007812EA
SetProcessWindowStation.USER32(00000000), ref: 007812F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00781310

Part of subcall function 007810BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007811FC), ref: 007810D4
Part of subcall function 007810BF: CloseHandle.KERNEL32(?,?,007811FC), ref: 007810E9

Strings

Z~, xrefs: 00781392
winsta0, xrefs: 007812CC
, xrefs: 0078125A
default, xrefs: 0078130B

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z~
API String ID: 22674027-1148668839
Opcode ID: 654b77d8e2a0f8e9ea20f8826641e3e27bb064221603edc1bd4a762fc0fc5c10
Instruction ID: bd0c77eaf8f605e99064137aa48fba016182c84998f065300489766a9782aafe
Opcode Fuzzy Hash: 654b77d8e2a0f8e9ea20f8826641e3e27bb064221603edc1bd4a762fc0fc5c10
Instruction Fuzzy Hash: A581ADB1940249AFDF21AFA4DC49FEE7BBDEF04704F148129F915E61A0D7398946CB24

Function 00780B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007810F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00781114
Part of subcall function 007810F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00780B9B,?,?,?), ref: 00781120
Part of subcall function 007810F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00780B9B,?,?,?), ref: 0078112F
Part of subcall function 007810F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00780B9B,?,?,?), ref: 00781136
Part of subcall function 007810F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0078114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00780BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00780C00
GetLengthSid.ADVAPI32(?), ref: 00780C17
GetAce.ADVAPI32(?,00000000,?), ref: 00780C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00780C6D
GetLengthSid.ADVAPI32(?), ref: 00780C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00780C8C
HeapAlloc.KERNEL32(00000000), ref: 00780C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00780CB4
CopySid.ADVAPI32(00000000), ref: 00780CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00780CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00780D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00780D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00780D45
HeapFree.KERNEL32(00000000), ref: 00780D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00780D55
HeapFree.KERNEL32(00000000), ref: 00780D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00780D65
HeapFree.KERNEL32(00000000), ref: 00780D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00780D78
HeapFree.KERNEL32(00000000), ref: 00780D7F

Part of subcall function 00781193: GetProcessHeap.KERNEL32(00000008,00780BB1,?,00000000,?,00780BB1,?), ref: 007811A1
Part of subcall function 00781193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00780BB1,?), ref: 007811A8
Part of subcall function 00781193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00780BB1,?), ref: 007811B7

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 4ba9f82c9ee5f0b1f98d23574ac002ee5ac439c4d2565b2b26f061744e2afe33
Instruction ID: def28d6cd5c1dd21b05bc3d52f1bdd514e765c2cc126ac4eab5155f12269b750
Opcode Fuzzy Hash: 4ba9f82c9ee5f0b1f98d23574ac002ee5ac439c4d2565b2b26f061744e2afe33
Instruction Fuzzy Hash: 78715FB2A4020AAFDF51EFA4DC45FEEBBB8BF04310F048615E914A7191D779A905CBB0

Function 0079EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(007BCC08), ref: 0079EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0079EB37
GetClipboardData.USER32(0000000D), ref: 0079EB43
CloseClipboard.USER32 ref: 0079EB4F
GlobalLock.KERNEL32(00000000), ref: 0079EB87
CloseClipboard.USER32 ref: 0079EB91
GlobalUnlock.KERNEL32(00000000), ref: 0079EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0079EBC9
GetClipboardData.USER32(00000001), ref: 0079EBD1
GlobalLock.KERNEL32(00000000), ref: 0079EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0079EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0079EC38
GetClipboardData.USER32(0000000F), ref: 0079EC44
GlobalLock.KERNEL32(00000000), ref: 0079EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0079EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0079EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0079ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0079ECF3
CountClipboardFormats.USER32 ref: 0079ED14
CloseClipboard.USER32 ref: 0079ED59

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: dd1852789a24522260d7b745c7f761e13cb24f23ef9aab3facdd0127f0f65e57
Instruction ID: c4438605e01d71875d72c5ff74942cae020d25665d46bc6de8a49e5452cc0f4b
Opcode Fuzzy Hash: dd1852789a24522260d7b745c7f761e13cb24f23ef9aab3facdd0127f0f65e57
Instruction Fuzzy Hash: DC61E174204202AFD701EF24E889F6AB7A4FF84714F08861DF496972A2DB39DD45CB62

Function 0079698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007969BE
FindClose.KERNEL32(00000000), ref: 00796A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00796A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00796A75

Part of subcall function 00729CB3: _wcslen.LIBCMT ref: 00729CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00796AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00796ADF

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 00796B32
%02d, xrefs: 00796C00, 00796C0A, 00796C5A, 00796CAA, 00796CFA, 00796D4A
%03d, xrefs: 00796DA2
%4d, xrefs: 00796BB1
%4d%02d%02d%02d%02d%02d, xrefs: 00796B6A

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: b433b74c95c71d464e88f4ad717c2211d961b6a7612e5bada2844c6cedbdc76b
Instruction ID: ca5ba2188af8f39cc5f240905f7855a4998788bd9ff42b47a945a4f0734dcb50
Opcode Fuzzy Hash: b433b74c95c71d464e88f4ad717c2211d961b6a7612e5bada2844c6cedbdc76b
Instruction Fuzzy Hash: 6DD17DB2508350AFC714EBA0D985EAFB7ECBF98704F04491DF585D6191EB38DA48CB62

Function 00799642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00799663
GetFileAttributesW.KERNEL32(?), ref: 007996A1
SetFileAttributesW.KERNEL32(?,?), ref: 007996BB
FindNextFileW.KERNEL32(00000000,?), ref: 007996D3
FindClose.KERNEL32(00000000), ref: 007996DE
FindFirstFileW.KERNEL32(*.*,?), ref: 007996FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0079974A
SetCurrentDirectoryW.KERNEL32(007E6B7C), ref: 00799768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00799772
FindClose.KERNEL32(00000000), ref: 0079977F
FindClose.KERNEL32(00000000), ref: 0079978F

Strings

*.*, xrefs: 007996F5

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 03caa61e070da386a6d8657b923d4c8516370d07434eb9474bb783ff8699cc9c
Instruction ID: 21cee312af3148bd59469745ab4eb51600209bf1f7cf8dc403c563da9a0131e5
Opcode Fuzzy Hash: 03caa61e070da386a6d8657b923d4c8516370d07434eb9474bb783ff8699cc9c
Instruction Fuzzy Hash: 1431D5725016196BEF15EFF9EC48EDE77ACAF49320F14825AFA05E2190DB7CDD408A24

Function 0079979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 007997BE
FindNextFileW.KERNEL32(00000000,?), ref: 00799819
FindClose.KERNEL32(00000000), ref: 00799824
FindFirstFileW.KERNEL32(*.*,?), ref: 00799840
SetCurrentDirectoryW.KERNEL32(?), ref: 00799890
SetCurrentDirectoryW.KERNEL32(007E6B7C), ref: 007998AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 007998B8
FindClose.KERNEL32(00000000), ref: 007998C5
FindClose.KERNEL32(00000000), ref: 007998D5

Part of subcall function 0078DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0078DB00

Strings

*.*, xrefs: 0079983B

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: f5288f6b06fe2652e6e524d5c57fd3e5c4b87fc72154f3fef429dbc7c429a1fb
Instruction ID: f48256c7f42bbc8ce0bf98e659447779cd4128925ebdc3f87f3d8b4b8adc5911
Opcode Fuzzy Hash: f5288f6b06fe2652e6e524d5c57fd3e5c4b87fc72154f3fef429dbc7c429a1fb
Instruction Fuzzy Hash: AF31D671501219ABEF11EFB9EC48EDE77ACAF0A320F14815DE910A2191DB78DD44CB24

Function 007ABE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007AC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007AB6AE,?,?), ref: 007AC9B5
Part of subcall function 007AC998: _wcslen.LIBCMT ref: 007AC9F1
Part of subcall function 007AC998: _wcslen.LIBCMT ref: 007ACA68
Part of subcall function 007AC998: _wcslen.LIBCMT ref: 007ACA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007ABF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 007ABFA9
RegCloseKey.ADVAPI32(00000000), ref: 007ABFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 007AC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 007AC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 007AC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 007AC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 007AC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 007AC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 007AC382
RegCloseKey.ADVAPI32(00000000), ref: 007AC38F

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: be7d16c8c9107b3c85db27c24ddbb4068d6fd431c6f0bfc7ff8938c667ac356d
Instruction ID: 959b22f2c257792341d173a57a8235e0dfd0c55dc9080e1a1047300914b3a256
Opcode Fuzzy Hash: be7d16c8c9107b3c85db27c24ddbb4068d6fd431c6f0bfc7ff8938c667ac356d
Instruction Fuzzy Hash: 78023A71604200EFD715DF28C895E2ABBE5AF89308F18C59DF84A9B2A2D735EC45CB52

Function 00798195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00798257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00798267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00798273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00798310
SetCurrentDirectoryW.KERNEL32(?), ref: 00798324
SetCurrentDirectoryW.KERNEL32(?), ref: 00798356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0079838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00798395

Strings

*.*, xrefs: 0079839B

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: fb861fabdb1ef781cc6dae4e90299b4b75e4cbb04970bd3cd54cc5af5e848c33
Instruction ID: b10b9128437fd08a4d9699a412cde634a33aa0571ca4173193297e0e072a647d
Opcode Fuzzy Hash: fb861fabdb1ef781cc6dae4e90299b4b75e4cbb04970bd3cd54cc5af5e848c33
Instruction Fuzzy Hash: 86616BB25043059FCB10EF64D8459AEB3E8FF89310F04892EF989D7251EB39E945CB92

Function 0078D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00723AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00723A97,?,?,00722E7F,?,?,?,00000000), ref: 00723AC2

Part of subcall function 0078E199: GetFileAttributesW.KERNEL32(?,0078CF95), ref: 0078E19A

FindFirstFileW.KERNEL32(?,?), ref: 0078D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0078D1DD
MoveFileW.KERNEL32(?,?), ref: 0078D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0078D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0078D237

Part of subcall function 0078D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0078D21C,?,?), ref: 0078D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0078D253
FindClose.KERNEL32(00000000), ref: 0078D264

Strings

\*.*, xrefs: 0078D0CD, 0078D0D6, 0078D0EB

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: a649dbab3d0e604dfe40764f7f2c8be11d04b8afb68785ffdab89555be0717a5
Instruction ID: 8880517c6258d30ea73d3b9e99ba95dcf47fec660564fcf7c82e9f8d2ee447d6
Opcode Fuzzy Hash: a649dbab3d0e604dfe40764f7f2c8be11d04b8afb68785ffdab89555be0717a5
Instruction Fuzzy Hash: 14612831C4111DEBCF15FBA0E99A9EDB7B5AF55300F248169E40277192EB38AF09CB61

Function 0079ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0079ED91
EmptyClipboard.USER32 ref: 0079ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0079EDAC
CloseClipboard.USER32 ref: 0079EEA3

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 76085aa88b542b4204e8270459583f14b86e0644f970505a3245fec08b281553
Instruction ID: 639a9e3dd387772c823bbb8ff89cd034bdc5b5ba27cfe299efd16854346593eb
Opcode Fuzzy Hash: 76085aa88b542b4204e8270459583f14b86e0644f970505a3245fec08b281553
Instruction Fuzzy Hash: 9B419C35604611EFEB21DF15E888F2ABBE5FF44328F14C199E4158BA62C739EC42CB94

Function 0078E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 007816C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0078170D
Part of subcall function 007816C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0078173A
Part of subcall function 007816C3: GetLastError.KERNEL32 ref: 0078174A

ExitWindowsEx.USER32(?,00000000), ref: 0078E932

Strings

@, xrefs: 0078E925
SeShutdownPrivilege, xrefs: 0078E902
, xrefs: 0078E920
, xrefs: 0078E95C

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: d019d657b5079dfb49ca17cff688f42ce30cf8f7363eaccaa8a7089cd2be61e2
Instruction ID: ee0b580b3c10167713b342f42728f0353284a0bc3f7ac4f872305736dbaf623c
Opcode Fuzzy Hash: d019d657b5079dfb49ca17cff688f42ce30cf8f7363eaccaa8a7089cd2be61e2
Instruction Fuzzy Hash: 2001F972690211ABEB6476B49C8AFBF725CAB14750F158521FC13E21E2E7ECBC4083A5

Function 007A1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 007A1276
WSAGetLastError.WSOCK32 ref: 007A1283
bind.WSOCK32(00000000,?,00000010), ref: 007A12BA
WSAGetLastError.WSOCK32 ref: 007A12C5
closesocket.WSOCK32(00000000), ref: 007A12F4
listen.WSOCK32(00000000,00000005), ref: 007A1303
WSAGetLastError.WSOCK32 ref: 007A130D
closesocket.WSOCK32(00000000), ref: 007A133C

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 6edda8d26f99480c005b6a69ab0949cf9bbe2d83ca330b77b6f2e338ae55120e
Instruction ID: 49d1193f7e45db8c5d3e43bb1ccd47120ba31ac548907904658b3047ac0c9884
Opcode Fuzzy Hash: 6edda8d26f99480c005b6a69ab0949cf9bbe2d83ca330b77b6f2e338ae55120e
Instruction Fuzzy Hash: 3D4183316001109FE710DF64D588B29BBE5BF86318F58C298E8569F2D2C779ED81CBE1

Function 0078D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00723AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00723A97,?,?,00722E7F,?,?,?,00000000), ref: 00723AC2

Part of subcall function 0078E199: GetFileAttributesW.KERNEL32(?,0078CF95), ref: 0078E19A

FindFirstFileW.KERNEL32(?,?), ref: 0078D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0078D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0078D481
FindClose.KERNEL32(00000000), ref: 0078D498
FindClose.KERNEL32(00000000), ref: 0078D4A1

Strings

\*.*, xrefs: 0078D3F2

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 402f6c924f64fdbf195b31d47dfa1321afb878e6fd71fc17c584147dad2712ae
Instruction ID: b189f10d33ecf33be44552172df0165fc7de1e6610decb1c99f81eb93cd96317
Opcode Fuzzy Hash: 402f6c924f64fdbf195b31d47dfa1321afb878e6fd71fc17c584147dad2712ae
Instruction Fuzzy Hash: 3E318F71008395ABC215FF60D8559AFB7A8BE91300F448A1DF8D552191EB38AE098B63

Function 0075E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0075E645

Strings

1#SNAN, xrefs: 0075F844
1#INF, xrefs: 0075F852
1#IND, xrefs: 0075F83D
1#QNAN, xrefs: 0075F84B

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 2e7192699359e16b1f8d8800399be1657a00b017f29b0a89243a74262d405cc8
Instruction ID: 2478150c2400caa2512688c3535c58e070d07e4aeab099761260f35769ff96d3
Opcode Fuzzy Hash: 2e7192699359e16b1f8d8800399be1657a00b017f29b0a89243a74262d405cc8
Instruction Fuzzy Hash: F4C26071E046288FDB69CF28DD447E9B7B5EB44306F1441EAD84DE7241E7B8AE858F40

Function 0079648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007964DC
CoInitialize.OLE32(00000000), ref: 00796639
CoCreateInstance.OLE32(007BFCF8,00000000,00000001,007BFB68,?), ref: 00796650
CoUninitialize.OLE32 ref: 007968D4

Strings

.lnk, xrefs: 007964BA, 00796524, 007965E0

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 5807e88795efce3e2894dd3c6c8151e7203a033a6d53a2bf6c8b0ce334b87891
Instruction ID: e3d5e3ff212350a04d889bafaca28abe4e0841f8978c097e30835e3e0093778e
Opcode Fuzzy Hash: 5807e88795efce3e2894dd3c6c8151e7203a033a6d53a2bf6c8b0ce334b87891
Instruction Fuzzy Hash: 64D16771508211AFC714EF24D895E6BB7E8FF98704F04492DF5958B2A1EB34ED09CBA2

Function 007A22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 007A22E8

Part of subcall function 0079E4EC: GetWindowRect.USER32(?,?), ref: 0079E504

GetDesktopWindow.USER32 ref: 007A2312
GetWindowRect.USER32(00000000), ref: 007A2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 007A2355
GetCursorPos.USER32(?), ref: 007A2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007A23DF

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: c32e6eb4a576da1d72a4ffac54088f8151172a7314fe3f4d18d680d590477372
Instruction ID: 097ca024150b0b18ccc1f96dc77f1d67b3851a5f4849f48660757b56db3f1018
Opcode Fuzzy Hash: c32e6eb4a576da1d72a4ffac54088f8151172a7314fe3f4d18d680d590477372
Instruction Fuzzy Hash: 0631E272504315AFCB21DF18C849F5BB7A9FFC6314F004A19F98597192DB38E909CB96

Function 00799B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00729CB3: _wcslen.LIBCMT ref: 00729CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00799B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00799C8B

Part of subcall function 00793874: GetInputState.USER32 ref: 007938CB
Part of subcall function 00793874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00793966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00799BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00799C75

Strings

*.*, xrefs: 00799B5D

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 69208f7a08f0951c43414a9d637ff7c7a4f156f78d27bc6eb0f548311930bcc8
Instruction ID: d08f2ebce0fe05c58e8b46225dd0c91418498e8bd6043f1c73b5bd39158e37c4
Opcode Fuzzy Hash: 69208f7a08f0951c43414a9d637ff7c7a4f156f78d27bc6eb0f548311930bcc8
Instruction Fuzzy Hash: 40414FB190461ADBDF15DF68DC49AEEBBB8EF05310F24815AE505A2191DB389E44CB60

Function 0073997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00739BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00739BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00739A4E
GetSysColor.USER32(0000000F), ref: 00739B23
SetBkColor.GDI32(?,00000000), ref: 00739B36

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 7b74c25605d1a36fe4fcbf1eb41f91f1d72c38befa90153df6bdae8fce1c800e
Instruction ID: a0c2dff73acac03b0f77e3b9a2081203d8e53b415a43659bf1812bb2cff71e55
Opcode Fuzzy Hash: 7b74c25605d1a36fe4fcbf1eb41f91f1d72c38befa90153df6bdae8fce1c800e
Instruction Fuzzy Hash: B5A11BB1108444FEFB2D9A3D8C9DEBB265DDB42390F15C209F312C6697CAAD9D01C2B6

Function 007A1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007A304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 007A307A
Part of subcall function 007A304E: _wcslen.LIBCMT ref: 007A309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 007A185D
WSAGetLastError.WSOCK32 ref: 007A1884
bind.WSOCK32(00000000,?,00000010), ref: 007A18DB
WSAGetLastError.WSOCK32 ref: 007A18E6
closesocket.WSOCK32(00000000), ref: 007A1915

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 6943bcd9b54120e02c507cc2fd32911740c249508aecf2d6a06da1f87074af05
Instruction ID: 838f7cd27a4fa760258ac1157dbb02168984bec1dccc036f989ef74adae8f4c4
Opcode Fuzzy Hash: 6943bcd9b54120e02c507cc2fd32911740c249508aecf2d6a06da1f87074af05
Instruction Fuzzy Hash: 3951B371A002109FE710AF24D88AF2A77E5AB89718F48C158F9055F3C3C779AD41CBE1

Function 007B1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 007B1CC0
IsWindowEnabled.USER32 ref: 007B1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 007B1CDB
IsIconic.USER32 ref: 007B1CE9
IsZoomed.USER32 ref: 007B1CF7

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 07a34d8db7631740e09cbe9c444a88979f8191bafa4465d21d4802e5350b2726
Instruction ID: dcc4bca1376b10d6e5072f6ce361db21acfd74a644d6790de928d3478abd77d1
Opcode Fuzzy Hash: 07a34d8db7631740e09cbe9c444a88979f8191bafa4465d21d4802e5350b2726
Instruction Fuzzy Hash: CC21D6317402109FD7218F1AC868FAA7FA5EF95314F99C058E845CB351DB79DC42CBA4

Function 00728060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 0072813C
VUUU, xrefs: 00765DF0
VUUU, xrefs: 0072843C
VUUU, xrefs: 007283FA
VUUU, xrefs: 007283E8

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: f20a6a66615cb74623dda34b1624a8e783ff0f9abaa38804de17055287aa7200
Instruction ID: af313c0fcb9a8b0994209e0ad0032b4620686e192b53088a92af6412df0dfa81
Opcode Fuzzy Hash: f20a6a66615cb74623dda34b1624a8e783ff0f9abaa38804de17055287aa7200
Instruction Fuzzy Hash: 42A28F70E0122ACBDF64CF58D8407ADB7B1BF54310F6481AADC16A7385EB399D81DB91

Function 00788298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 007882AA

Strings

tb~, xrefs: 007884F4
(, xrefs: 007882F0
|, xrefs: 007882DA

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tb~$|
API String ID: 1659193697-2521436105
Opcode ID: bf86b13cc168af022c73ce4e54ca467b076561ea0f27968db52019df25a4bdb9
Instruction ID: 6c08e91f643e30667230034066238f9bb9ec6cae92b5f130402f153a4fb9f427
Opcode Fuzzy Hash: bf86b13cc168af022c73ce4e54ca467b076561ea0f27968db52019df25a4bdb9
Instruction Fuzzy Hash: 3C324574A00605DFCB68DF59C080A6AB7F0FF48710B51C56EE49ADB7A1EB74E981CB40

Function 0078AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0078AAAC
SetKeyboardState.USER32(00000080), ref: 0078AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0078AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0078AB88

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 816b85097dda6aa515cf1910af49866dbc8348aae945fdde76611e842ad32a45
Instruction ID: eb7e5913cb1f724e8359a89c218ab22230c6a6be9024d861cae5e3d76db74b4b
Opcode Fuzzy Hash: 816b85097dda6aa515cf1910af49866dbc8348aae945fdde76611e842ad32a45
Instruction Fuzzy Hash: 1231F8B0AC0248BEFF35AA648C05BFA7FA6AB44310F04821BF581965D1D37D8981C766

Function 0075BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0075BB7F

Part of subcall function 007529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0075D7D1,00000000,00000000,00000000,00000000,?,0075D7F8,00000000,00000007,00000000,?,0075DBF5,00000000), ref: 007529DE
Part of subcall function 007529C8: GetLastError.KERNEL32(00000000,?,0075D7D1,00000000,00000000,00000000,00000000,?,0075D7F8,00000000,00000007,00000000,?,0075DBF5,00000000,00000000), ref: 007529F0

GetTimeZoneInformation.KERNEL32 ref: 0075BB91
WideCharToMultiByte.KERNEL32(00000000,?,007F121C,000000FF,?,0000003F,?,?), ref: 0075BC09
WideCharToMultiByte.KERNEL32(00000000,?,007F1270,000000FF,?,0000003F,?,?,?,007F121C,000000FF,?,0000003F,?,?), ref: 0075BC36

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 3cf33f03f03cb3b702ea5f0bc282ba8da4a1db4d1afcda6c166b788bbd179780
Instruction ID: 6e5050a42514e34b40d5d7b02e472d90a89a41820e48ca99c2fe3cbef8d52f68
Opcode Fuzzy Hash: 3cf33f03f03cb3b702ea5f0bc282ba8da4a1db4d1afcda6c166b788bbd179780
Instruction Fuzzy Hash: 2231C670A04205DFCB11DFA9DC809BDBBB8FF45351B54826AE850E72B1D7B89D05CB64

Function 0079CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0079CE89
GetLastError.KERNEL32(?,00000000), ref: 0079CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0079CEFE

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 5ace0a5dd490223abd024d0ceb1aa88e18f8fbf413c157b41e78b356bf2e602b
Instruction ID: 646b5deaa7fe9491cec19df4627f127704c76a2aab369d18d06a2bc0d4d81486
Opcode Fuzzy Hash: 5ace0a5dd490223abd024d0ceb1aa88e18f8fbf413c157b41e78b356bf2e602b
Instruction Fuzzy Hash: CD21BAB2500705ABEF22CFA5E948BA6B7F8EB50354F10842EE546D2151E778EE048B64

Function 00795C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00795CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00795D17
FindClose.KERNEL32(?), ref: 00795D5F

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 6da5054452da60b7d6f4d146fc627b6399cb1b622b26d8f983d376187a7f319e
Instruction ID: 243740f4c91d7dca967977403e3248ff25a6cbda361a25c7d0f715699bf7b39e
Opcode Fuzzy Hash: 6da5054452da60b7d6f4d146fc627b6399cb1b622b26d8f983d376187a7f319e
Instruction Fuzzy Hash: B6519A75604A11DFCB15CF28E498E9AB7E4FF09314F14855EE95A8B3A2CB38EC04CB91

Function 00752622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0075271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00752724
UnhandledExceptionFilter.KERNEL32(?), ref: 00752731

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 6333fb0212086040a00f2cc20e64c12dd96019aed935608089e5c6cf05f7413d
Instruction ID: e986e7090e366332569026321a389fcb1f126a986349fa2cef03d40109e656c6
Opcode Fuzzy Hash: 6333fb0212086040a00f2cc20e64c12dd96019aed935608089e5c6cf05f7413d
Instruction Fuzzy Hash: CA31D7749112189BCB21DF64DC88BDCBBB8AF08310F5081DAE90CA7261E7749F858F85

Function 007951CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007951DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00795238
SetErrorMode.KERNEL32(00000000), ref: 007952A1

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: f64b5e25778cc7b9a4c8daa9f151959cc0f8dda0a28efa60e8e40efe4d771f61
Instruction ID: 63e75fe7ab4f26b1878bbd5869afc91e72d2020f3e3e0551fa5ada25795b1253
Opcode Fuzzy Hash: f64b5e25778cc7b9a4c8daa9f151959cc0f8dda0a28efa60e8e40efe4d771f61
Instruction Fuzzy Hash: 61315E75A00518DFDB01DF54D888FADBBB5FF48314F088099E805AB3A2DB39E855CB90

Function 007816C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0073FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00740668
Part of subcall function 0073FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00740685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0078170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0078173A
GetLastError.KERNEL32 ref: 0078174A

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: ca64428c77e463326ca17e2d979d64ca48f0526059af3eb7e4dd9a2f1cacc1cb
Instruction ID: dc2764cbec5f097c7e8644dba00fee147e98290c4b944fcc7f5a2b3312f6c746
Opcode Fuzzy Hash: ca64428c77e463326ca17e2d979d64ca48f0526059af3eb7e4dd9a2f1cacc1cb
Instruction Fuzzy Hash: C611C1B2910304AFE718AF54DC8AE6AB7BDEF44754B20C52EF05653241EB74BC428B24

Function 0078D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0078D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0078D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0078D650

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 95ab950d0e953bcfbcf2bd6467f36e1aa545fdd3e62aa5d7d6eeacdb65862a36
Instruction ID: 48d689aca92df759344ecd2ca20fd807e1fb697c511932f47c10bec2a4b16d1f
Opcode Fuzzy Hash: 95ab950d0e953bcfbcf2bd6467f36e1aa545fdd3e62aa5d7d6eeacdb65862a36
Instruction Fuzzy Hash: 7D118E71E05228BFDB208F98EC44FAFBBBCEB45B50F108121F904E7290D2744E018BA1

Function 00781663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0078168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 007816A1
FreeSid.ADVAPI32(?), ref: 007816B1

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 4d069e1de398c7a1fbc616e2edd21329417aae0402294b4c34d2b2887374670a
Instruction ID: 2049e8a2d95439dc5693051186badbde66f1e28f2f643f3bdabd34217b6f1556
Opcode Fuzzy Hash: 4d069e1de398c7a1fbc616e2edd21329417aae0402294b4c34d2b2887374670a
Instruction Fuzzy Hash: 96F0F971950309FBDB00DFE49C89EAEBBBCFB04604F508565E501E2181E774AA448B54

Function 0077D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0077D28C

Strings

X64, xrefs: 0077D2A8

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: e995d0f10e24d725868f0ae9f196bd22b9d8adf46856d78a600f1b6e2126d66e
Instruction ID: 3db44e3d7d2b5956dd2066069acc7073982f9f31d23ce6681d4f2ec00e4ffa6c
Opcode Fuzzy Hash: e995d0f10e24d725868f0ae9f196bd22b9d8adf46856d78a600f1b6e2126d66e
Instruction Fuzzy Hash: 3FD0C9B480111DEBCFA4DB90EC88DDDB37CBB04345F108252F506A2000DB7899498F10

Function 0074CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 666869d21be1a20637665201f9c2d00282ae92fcb63e1fdb710b4ba707bb2db9
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: D5024D72E012299FDF55CFA9C8806ADFBF1EF48314F258169D919E7380D734AA41CB90

Function 007968EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00796918
FindClose.KERNEL32(00000000), ref: 00796961

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 19bd2132c21cd531e75bb29fd9dafe56d02d0c1281abbbe4afb038c4635f5f66
Instruction ID: 848903037ac7f17d1e73b70e0abe907dae1db8ab4f5ec9b1df36810e383335e5
Opcode Fuzzy Hash: 19bd2132c21cd531e75bb29fd9dafe56d02d0c1281abbbe4afb038c4635f5f66
Instruction Fuzzy Hash: 551193716046109FDB10DF29D488A16BBE5FF89328F14C69DE4698F6A2C734EC05CB91

Function 007937B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,007A4891,?,?,00000035,?), ref: 007937E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,007A4891,?,?,00000035,?), ref: 007937F4

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: c472490ba1bb4f952266bb727d26925018600f767a042951794ea38fd64491af
Instruction ID: 14d6aa6a177272330a4d266d94bd68d7202ca9ad3a3abe1b5a11271d6c15b2a1
Opcode Fuzzy Hash: c472490ba1bb4f952266bb727d26925018600f767a042951794ea38fd64491af
Instruction Fuzzy Hash: 5EF0E5B06052286AEB2017B69C8DFEB3AAEEFC4761F004265F509D2291D9749944C6B0

Function 0078B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0078B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0078B270

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: a86689f8a26fe22b0f6ca4a8f936945bb3ddc364aef6dba1be9492eeb17823a1
Instruction ID: de0ebf2ea54612b13143e0f2286f36c32a79c4346424897dd37e9fafa41f6eca
Opcode Fuzzy Hash: a86689f8a26fe22b0f6ca4a8f936945bb3ddc364aef6dba1be9492eeb17823a1
Instruction Fuzzy Hash: 1DF01D7184424DABDB159FA4C805BEE7BB4FF08305F10C019F955A5191C77D96119F98

Function 007810BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007811FC), ref: 007810D4
CloseHandle.KERNEL32(?,?,007811FC), ref: 007810E9

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 6896822ffcb4cad0a6fc156613653bf7ac792e442c1806fb0de569b9349708e1
Instruction ID: 9711dd500a4275dd5c424b79cd38cf3c9a738e7406b4743cb7117ef8916a122c
Opcode Fuzzy Hash: 6896822ffcb4cad0a6fc156613653bf7ac792e442c1806fb0de569b9349708e1
Instruction Fuzzy Hash: F4E01A32418600EEF7262B11FC09E7377A9EB04310F10C92DF4A5804B1DA666C909B54

Function 0072CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00770C40

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 8b4d7007cd58b5d5fdd8d613c5851c0d8aa9d1fa282c4b862a708ce893e2d620
Instruction ID: 767e8d78102283a825e3b44303155aae8f5775dea1ecd4552051abc0dff8afce
Opcode Fuzzy Hash: 8b4d7007cd58b5d5fdd8d613c5851c0d8aa9d1fa282c4b862a708ce893e2d620
Instruction Fuzzy Hash: E832CF70A00228DFDF15DF90E985AEDB7B5FF15344F148059E80AAB292C77DAE45CBA0

Function 0075676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00756766,?,?,00000008,?,?,0075FEFE,00000000), ref: 00756998

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 2eb21259c349a01977b90e2985cc753be775a352dd065aeec83f117e58fcd6ac
Instruction ID: b61aa611b9341cc6dc50e8837ad785e0643028e0abb3a94879216add429bb80d
Opcode Fuzzy Hash: 2eb21259c349a01977b90e2985cc753be775a352dd065aeec83f117e58fcd6ac
Instruction Fuzzy Hash: C0B15A316106089FD715CF28C48ABA47BA0FF05366F65C658E899CF2A2C779E989CB40

Function 0073B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0077851F

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 424e2a9e985432672899556e67d3f71ae381eb8f714f46759166dcdcccc237bb
Instruction ID: 7cb43d43e642971df5c973f34b03d44aa4b36fb5b5a313e2923c0552ec0d4b32
Opcode Fuzzy Hash: 424e2a9e985432672899556e67d3f71ae381eb8f714f46759166dcdcccc237bb
Instruction Fuzzy Hash: 49126071900229DBDF54CF58C8857EEB7B5FF48310F14819AE949EB252EB389A81CB91

Function 0079EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0079EABD

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: fdb807d5a8188c6cfba06eeaf07be5154ad325400adf1291606ef20e05bb1001
Instruction ID: 0e462d36e2c0c5a3a0b0a65ed104f2c21d5eaf1fc1272741dc31097323271d68
Opcode Fuzzy Hash: fdb807d5a8188c6cfba06eeaf07be5154ad325400adf1291606ef20e05bb1001
Instruction Fuzzy Hash: B0E048312002149FD710DF59E404E5AF7D9EF58760F04C416FC45C7361D774E8418B90

Function 007409D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,007403EE), ref: 007409DA

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ccf1d5320391fff2c61cc9659056aba368f6be25a446189441d28fb75375da43
Instruction ID: 29fe2376ac5792f278a8671674742071707236a63d6550adbde7fba0851e7ba7
Opcode Fuzzy Hash: ccf1d5320391fff2c61cc9659056aba368f6be25a446189441d28fb75375da43
Instruction Fuzzy Hash:

Function 0074781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0074798B

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 637fe3c72124a291d423546a6128a6370a1ca75ba874acdd4331d16c018a3f52
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: CC51797160C7499BDF3C8978889EBBF639D9B12340F184919D882DB282CB1DFE45D356

Function 00756DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3494343bd8239e1f70aa5c927ecf6be87ce756aef31565cc48dd4865bd391f3b
Instruction ID: a415ede6cac3a46892aee063550fefa7c619cf99ab7b31ecec1bf598f97a3132
Opcode Fuzzy Hash: 3494343bd8239e1f70aa5c927ecf6be87ce756aef31565cc48dd4865bd391f3b
Instruction Fuzzy Hash: 74321221D29F414DD7279634D8223356389AFB73C6F14D73BE81AB59AAEF6DC4838100

Function 0073CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 597ee76bf5ec47bbfd97f4c68dd32d807a7c3346afa635cb6a79226257d89c55
Instruction ID: 6f515a338d2267f7d597d79bc806a1d0c3b33be1e35ad3129c9e214a9cfdf1bf
Opcode Fuzzy Hash: 597ee76bf5ec47bbfd97f4c68dd32d807a7c3346afa635cb6a79226257d89c55
Instruction Fuzzy Hash: 41321531A001458BDF2ACE28C4D467D77A1EB4D380F29D56ED88EDB292E63CDD82DB51

Function 00727920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b7d81ad36a892542ede73f8b5d1595467841c56c4c3c41506b5e083fb9708d0
Instruction ID: 98899d52edc8e497fca9dca294a1646098ae47b58eaf3c650752b48f6199326e
Opcode Fuzzy Hash: 5b7d81ad36a892542ede73f8b5d1595467841c56c4c3c41506b5e083fb9708d0
Instruction Fuzzy Hash: AB22E3B0A0061ADFDF14CF69D985AAEB7F6FF44300F144529E812AB291EB3DAD14DB50

Function 007291C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b82a30fe0b37979d845bf09e3da050838514d81dd5a8705f8fc2eeae45bdda5
Instruction ID: 7ffc1f8f5f6525b791ac1bd4e4cee6d44fb0ef5d467fa13141038f1ff056c1c7
Opcode Fuzzy Hash: 7b82a30fe0b37979d845bf09e3da050838514d81dd5a8705f8fc2eeae45bdda5
Instruction Fuzzy Hash: BF02C7B1E00215EFDF04DF64D885AAEB7B1FF44340F148169E916DB291EB39AE20CB95

Function 00759EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1838b5ec90da44c046c66e51190e9b6a3c4eaca2effb09fab5cd1945e3f0e224
Instruction ID: a5f6ba3a7710a37d83f85246b9e7162b00965180542cb4761a23ee0b5722a87d
Opcode Fuzzy Hash: 1838b5ec90da44c046c66e51190e9b6a3c4eaca2effb09fab5cd1945e3f0e224
Instruction Fuzzy Hash: 1BB11220D2AF814DD32396398831336B75CAFBB6D5F91D31BFC2674D22EB2A86834144

Function 00741C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 60f0dccfe692bfaa53e8eb65a2d17a30e73618a4e8c347e4f36a9fcefb793ece
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 98918A726090E34ADB2D563E857403EFFE15A923A235A079DD4F2CB1C5FF28D994DA20

Function 00741F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 47a4332a44819fdae05e6094677c3255cac54be8daddf6ad1c25ab3e52ae5f13
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 179178722090E349DB6D4239857403EFFE15A923A135A079DF4F2CB1D6EF28D9A9D620

Function 007419B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 1a4b742814bff77ab45cfb4b086892dbc7556aac039a76b687b82141c6e4aa92
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 139165722090E34EDB2D567A857403EFFE19A923A135A479ED4F2CA1C1FF28D5D4D620

Function 00747A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab067fe42e69452b9097b0ee81d0046e4b5d87c138194fd95e2a8b2745782a7c
Instruction ID: 408f96699d0d55f3c1d4ffdb98f95bc77a2ab12cb66f5430751bc3d2bd621174
Opcode Fuzzy Hash: ab067fe42e69452b9097b0ee81d0046e4b5d87c138194fd95e2a8b2745782a7c
Instruction Fuzzy Hash: 15617CF170874996DE3C9A2C8D99BBE2399DF41700F14891DE983DB281D71D9E42C3A6

Function 00747CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52ff4841a90a7641bf14d5bd438e224fee44c44b8c13b6cff2d8a4dde6720b4a
Instruction ID: 82561ea852da12286ba108ac04b82ada60b82d0e9635c79ba1bad4d79df0b7bb
Opcode Fuzzy Hash: 52ff4841a90a7641bf14d5bd438e224fee44c44b8c13b6cff2d8a4dde6720b4a
Instruction Fuzzy Hash: 0C617B31B18759E7DE3C5A284D95BBF2388DF42704F100A59E943DF281D71EAD42CA56

Function 00741706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: d02ae38109cf96b21f5d245c01553272d954f8cfbdacf00fe5c72dc8fb5212cf
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 468184326080E34EDB6E923A853403EFFE15A923B135A079DD4F2CB1C1EF28D594E620

Function 00792046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67f7543ff1e3034d448f0998cd9e7559608e2d084a69f2bb6018833f64cd94a4
Instruction ID: e0ee46a7af63e2c752ba9679098de9970d7839ec4e238ae77b2c95ca023344dc
Opcode Fuzzy Hash: 67f7543ff1e3034d448f0998cd9e7559608e2d084a69f2bb6018833f64cd94a4
Instruction Fuzzy Hash: 7821A5326206158BDB28CF79D82367E73E5A754320F15862EE4A7C37D1DE39A905CB84

Function 007A2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 007A2B30
DeleteObject.GDI32(00000000), ref: 007A2B43
DestroyWindow.USER32 ref: 007A2B52
GetDesktopWindow.USER32 ref: 007A2B6D
GetWindowRect.USER32(00000000), ref: 007A2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 007A2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 007A2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007A2CF8
GetClientRect.USER32(00000000,?), ref: 007A2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 007A2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007A2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007A2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007A2D80
GlobalLock.KERNEL32(00000000), ref: 007A2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007A2D98
GlobalUnlock.KERNEL32(00000000), ref: 007A2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007A2DA8
GlobalFree.KERNEL32(00000000), ref: 007A2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007A2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,007BFC38,00000000), ref: 007A2DDB
GlobalFree.KERNEL32(00000000), ref: 007A2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 007A2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 007A2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007A2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007A303F

Strings

, xrefs: 007A2FC5
static, xrefs: 007A2D3A, 007A2E91
AutoIt v3, xrefs: 007A2CF2
DISPLAY, xrefs: 007A2EA2

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 06a580c5971601d1d79896dfb4bec445bafbb78f555a3222789097665181a39d
Instruction ID: 72f42631053a80df1efeaff4fe14c527aae98cf4657e9864a03ff8d3e36e69aa
Opcode Fuzzy Hash: 06a580c5971601d1d79896dfb4bec445bafbb78f555a3222789097665181a39d
Instruction Fuzzy Hash: 69025C71500219EFDB15DF68CC89EAE7BB9FF49710F008258F915AB2A1DB78AD01CB64

Function 007B70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 007B712F
GetSysColorBrush.USER32(0000000F), ref: 007B7160
GetSysColor.USER32(0000000F), ref: 007B716C
SetBkColor.GDI32(?,000000FF), ref: 007B7186
SelectObject.GDI32(?,?), ref: 007B7195
InflateRect.USER32(?,000000FF,000000FF), ref: 007B71C0
GetSysColor.USER32(00000010), ref: 007B71C8
CreateSolidBrush.GDI32(00000000), ref: 007B71CF
FrameRect.USER32(?,?,00000000), ref: 007B71DE
DeleteObject.GDI32(00000000), ref: 007B71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 007B7230
FillRect.USER32(?,?,?), ref: 007B7262
GetWindowLongW.USER32(?,000000F0), ref: 007B7284

Part of subcall function 007B73E8: GetSysColor.USER32(00000012), ref: 007B7421
Part of subcall function 007B73E8: SetTextColor.GDI32(?,?), ref: 007B7425
Part of subcall function 007B73E8: GetSysColorBrush.USER32(0000000F), ref: 007B743B
Part of subcall function 007B73E8: GetSysColor.USER32(0000000F), ref: 007B7446
Part of subcall function 007B73E8: GetSysColor.USER32(00000011), ref: 007B7463
Part of subcall function 007B73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 007B7471
Part of subcall function 007B73E8: SelectObject.GDI32(?,00000000), ref: 007B7482
Part of subcall function 007B73E8: SetBkColor.GDI32(?,00000000), ref: 007B748B
Part of subcall function 007B73E8: SelectObject.GDI32(?,?), ref: 007B7498
Part of subcall function 007B73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 007B74B7
Part of subcall function 007B73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007B74CE
Part of subcall function 007B73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 007B74DB

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 181a36deba66caec2556807751a32fb2e8da82d23b74301a699963b5eb488b11
Instruction ID: 33144d3114ddf1052657c67df1e470e9487b8ab0e7ef4be054dbd2aa5779990f
Opcode Fuzzy Hash: 181a36deba66caec2556807751a32fb2e8da82d23b74301a699963b5eb488b11
Instruction Fuzzy Hash: 25A19F72008305EFD7159F64DC48F9B7BA9FF88320F108B19F9A2A61A1D739E944CB65

Function 00738D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00738E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00776AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00776AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00776F43

Part of subcall function 00738F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00738BE8,?,00000000,?,?,?,?,00738BBA,00000000,?), ref: 00738FC5

SendMessageW.USER32(?,00001053), ref: 00776F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00776F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00776FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00776FB7

Strings

0, xrefs: 00776DCF

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: e0742ca5e2a692638711361f0a68d53b43e58c39436c63067d67fda6968fc5a6
Instruction ID: 5ee095da5adf49f5063edf0bd45c74d319e0a758161bb6ad21c6c78857131196
Opcode Fuzzy Hash: e0742ca5e2a692638711361f0a68d53b43e58c39436c63067d67fda6968fc5a6
Instruction Fuzzy Hash: 7E12AD30200641DFDB25CF24C848BB6BBA5FB45340F54C5A9F489CB266CB79EC51DBA6

Function 007A2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 007A273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 007A286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 007A28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 007A28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 007A2900
GetClientRect.USER32(00000000,?), ref: 007A290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 007A2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 007A2964
GetStockObject.GDI32(00000011), ref: 007A2974
SelectObject.GDI32(00000000,00000000), ref: 007A2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 007A2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007A2991
DeleteDC.GDI32(00000000), ref: 007A299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007A29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 007A29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 007A2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 007A2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 007A2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 007A2A77
GetStockObject.GDI32(00000011), ref: 007A2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 007A2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 007A2A97

Strings

msctls_progress32, xrefs: 007A2A13
static, xrefs: 007A294F, 007A2A71
AutoIt v3, xrefs: 007A28F8
DISPLAY, xrefs: 007A295A

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 4af45f38d3a1c0bfb70c2df52cf66dad29d6b5002c31d7cf3424c2447dcbcf3e
Instruction ID: ca99f011eed4761d9fcd9b6dd7eea49b7ee804ca3b9f4f9c6ce87028c7a37991
Opcode Fuzzy Hash: 4af45f38d3a1c0bfb70c2df52cf66dad29d6b5002c31d7cf3424c2447dcbcf3e
Instruction Fuzzy Hash: 20B14DB1A00219AFEB14DF69DC49FAE7BA9EF49710F008214F915EB291D778ED40CB64

Function 00794ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00794AED
GetDriveTypeW.KERNEL32(?,007BCB68,?,\\.\,007BCC08), ref: 00794BCA
SetErrorMode.KERNEL32(00000000,007BCB68,?,\\.\,007BCC08), ref: 00794D36

Strings

ATAPI, xrefs: 00794C91
FileBackedVirtual, xrefs: 00794CEC
SATA, xrefs: 00794CD0
RAMDisk, xrefs: 00794BF4
1394, xrefs: 00794C9F
SCSI, xrefs: 00794C8A
Removable, xrefs: 00794C10, 00794C15
USB, xrefs: 00794CB4
ATA, xrefs: 00794C98
PhysicalDrive, xrefs: 00794B76
RAID, xrefs: 00794CBB
SSA, xrefs: 00794CA6
iSCSI, xrefs: 00794CC2
SSD, xrefs: 00794C4A
Unknown, xrefs: 00794BED, 00794C83
\\.\, xrefs: 00794B3F
SAS, xrefs: 00794CC9
Fibre, xrefs: 00794CAD
MMC, xrefs: 00794CDE
Virtual, xrefs: 00794CE5
Fixed, xrefs: 00794C09
CDROM, xrefs: 00794BFB
Network, xrefs: 00794C02

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: df6dcdfe54598140826b9d83ef977da784b4d7af2fffa9b73c2b9a50f7634366
Instruction ID: 76b744ce3e481f11c768785e159aee9edd7e552a4fe3622293eb1efee69f5c9a
Opcode Fuzzy Hash: df6dcdfe54598140826b9d83ef977da784b4d7af2fffa9b73c2b9a50f7634366
Instruction Fuzzy Hash: 4061F470706149DFCF04DF25EA96D6CB7F1AB19380B248065F806AB291DB3DED42DB61

Function 007B73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 007B7421
SetTextColor.GDI32(?,?), ref: 007B7425
GetSysColorBrush.USER32(0000000F), ref: 007B743B
GetSysColor.USER32(0000000F), ref: 007B7446
CreateSolidBrush.GDI32(?), ref: 007B744B
GetSysColor.USER32(00000011), ref: 007B7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 007B7471
SelectObject.GDI32(?,00000000), ref: 007B7482
SetBkColor.GDI32(?,00000000), ref: 007B748B
SelectObject.GDI32(?,?), ref: 007B7498
InflateRect.USER32(?,000000FF,000000FF), ref: 007B74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007B74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 007B74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007B752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 007B7554
InflateRect.USER32(?,000000FD,000000FD), ref: 007B7572
DrawFocusRect.USER32(?,?), ref: 007B757D
GetSysColor.USER32(00000011), ref: 007B758E
SetTextColor.GDI32(?,00000000), ref: 007B7596
DrawTextW.USER32(?,007B70F5,000000FF,?,00000000), ref: 007B75A8
SelectObject.GDI32(?,?), ref: 007B75BF
DeleteObject.GDI32(?), ref: 007B75CA
SelectObject.GDI32(?,?), ref: 007B75D0
DeleteObject.GDI32(?), ref: 007B75D5
SetTextColor.GDI32(?,?), ref: 007B75DB
SetBkColor.GDI32(?,?), ref: 007B75E5

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 35e358f236784cf6154fa9bb64e00307aa142e9f9b3f20c0a16126a4ba92759b
Instruction ID: e84a6f5ce9bc4135c4d21a71b58498c49d3a40ea4e300591bf8e8d1f7457661a
Opcode Fuzzy Hash: 35e358f236784cf6154fa9bb64e00307aa142e9f9b3f20c0a16126a4ba92759b
Instruction Fuzzy Hash: 6C616F72904218AFDB159FA8DC49FEE7F79EF48320F108215F911BB2A1D7789940CBA0

Function 007B0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 007B1128
GetDesktopWindow.USER32 ref: 007B113D
GetWindowRect.USER32(00000000), ref: 007B1144
GetWindowLongW.USER32(?,000000F0), ref: 007B1199
DestroyWindow.USER32(?), ref: 007B11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007B11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007B120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 007B121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 007B1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 007B1245
IsWindowVisible.USER32(00000000), ref: 007B12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 007B12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 007B12D0
GetWindowRect.USER32(00000000,?), ref: 007B12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 007B130E
GetMonitorInfoW.USER32(00000000,?), ref: 007B1328
CopyRect.USER32(?,?), ref: 007B133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 007B13AA

Strings

(, xrefs: 007B131B
tooltips_class32, xrefs: 007B11E6
0, xrefs: 007B10D3

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 9c1f8ba366ac6b2cfe0192a235d3561d784ab77d496fc70330b7c4560fd1130e
Instruction ID: 4bfbe778fd1b89862685aea8cb0ab30c29ed8223fb6d34f325a778d4954dafa5
Opcode Fuzzy Hash: 9c1f8ba366ac6b2cfe0192a235d3561d784ab77d496fc70330b7c4560fd1130e
Instruction Fuzzy Hash: 77B18B71604351AFD714DF64C898FAABBE4FF88344F80891CF9999B2A1D735E844CB92

Function 00738891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00738968
GetSystemMetrics.USER32(00000007), ref: 00738970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0073899B
GetSystemMetrics.USER32(00000008), ref: 007389A3
GetSystemMetrics.USER32(00000004), ref: 007389C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 007389E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 007389F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00738A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00738A3C
GetClientRect.USER32(00000000,000000FF), ref: 00738A5A
GetStockObject.GDI32(00000011), ref: 00738A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00738A81

Part of subcall function 0073912D: GetCursorPos.USER32(?), ref: 00739141
Part of subcall function 0073912D: ScreenToClient.USER32(00000000,?), ref: 0073915E
Part of subcall function 0073912D: GetAsyncKeyState.USER32(00000001), ref: 00739183
Part of subcall function 0073912D: GetAsyncKeyState.USER32(00000002), ref: 0073919D

SetTimer.USER32(00000000,00000000,00000028,007390FC), ref: 00738AA8

Strings

AutoIt v3 GUI, xrefs: 00738A20

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 31ea6b409900bc516f1d10fff308eceacacf0f8b3e2aebe469a37b73b8126fca
Instruction ID: 7e1388a18b031cb0a653e78bf9ef5ad7ad2ef9a8cabbad51797910096f22ac8a
Opcode Fuzzy Hash: 31ea6b409900bc516f1d10fff308eceacacf0f8b3e2aebe469a37b73b8126fca
Instruction Fuzzy Hash: 4BB16C75A00209DFDF14DFA8CD49FAE3BB5FB48354F108229FA15AB294DB78A840CB55

Function 00780D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007810F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00781114
Part of subcall function 007810F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00780B9B,?,?,?), ref: 00781120
Part of subcall function 007810F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00780B9B,?,?,?), ref: 0078112F
Part of subcall function 007810F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00780B9B,?,?,?), ref: 00781136
Part of subcall function 007810F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0078114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00780DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00780E29
GetLengthSid.ADVAPI32(?), ref: 00780E40
GetAce.ADVAPI32(?,00000000,?), ref: 00780E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00780E96
GetLengthSid.ADVAPI32(?), ref: 00780EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00780EB5
HeapAlloc.KERNEL32(00000000), ref: 00780EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00780EDD
CopySid.ADVAPI32(00000000), ref: 00780EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00780F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00780F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00780F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00780F6E
HeapFree.KERNEL32(00000000), ref: 00780F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00780F7E
HeapFree.KERNEL32(00000000), ref: 00780F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00780F8E
HeapFree.KERNEL32(00000000), ref: 00780F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00780FA1
HeapFree.KERNEL32(00000000), ref: 00780FA8

Part of subcall function 00781193: GetProcessHeap.KERNEL32(00000008,00780BB1,?,00000000,?,00780BB1,?), ref: 007811A1
Part of subcall function 00781193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00780BB1,?), ref: 007811A8
Part of subcall function 00781193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00780BB1,?), ref: 007811B7

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 200c58db37e655a9d70dc05cece1813c45f181940686bc489458bf7f1d7358d0
Instruction ID: cc3886ecf07f678b3c4822f9ca829036eeac60e4bb77994ffb4c08ed0de96001
Opcode Fuzzy Hash: 200c58db37e655a9d70dc05cece1813c45f181940686bc489458bf7f1d7358d0
Instruction Fuzzy Hash: 7671507194020AEBDF61AFA5DC49FAEBBB8BF04340F04C215FA15E6151D7399A09CBA0

Function 007AC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007AC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,007BCC08,00000000,?,00000000,?,?), ref: 007AC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 007AC5A4
_wcslen.LIBCMT ref: 007AC5F4
_wcslen.LIBCMT ref: 007AC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 007AC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 007AC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 007AC84D
RegCloseKey.ADVAPI32(?), ref: 007AC881
RegCloseKey.ADVAPI32(00000000), ref: 007AC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 007AC960

Strings

REG_SZ, xrefs: 007AC644
REG_EXPAND_SZ, xrefs: 007AC5CD
REG_DWORD, xrefs: 007AC804
REG_BINARY, xrefs: 007AC913
REG_QWORD, xrefs: 007AC8C3
REG_MULTI_SZ, xrefs: 007AC6F5

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: e281de31bbff4e0ac6f30a7101b56cce9631d05acc1d5069392b2597877f1c09
Instruction ID: 4c8e2799fb696e268cb70730a2744a8ea0d5203dcffcbcde270ac71675761c61
Opcode Fuzzy Hash: e281de31bbff4e0ac6f30a7101b56cce9631d05acc1d5069392b2597877f1c09
Instruction Fuzzy Hash: CF126735604210EFD715DF14D885A2AB7E5FF89714F08899CF88A9B3A2DB39EC41CB81

Function 007B091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007B09C6
_wcslen.LIBCMT ref: 007B0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007B0A54
_wcslen.LIBCMT ref: 007B0A8A
_wcslen.LIBCMT ref: 007B0B06
_wcslen.LIBCMT ref: 007B0B81

Part of subcall function 0073F9F2: _wcslen.LIBCMT ref: 0073F9FD

Part of subcall function 00782BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00782BFA

Strings

EXPAND, xrefs: 007B0BF8
GETTEXT, xrefs: 007B0C97
GETSELECTED, xrefs: 007B0C4E
GETTOTALCOUNT, xrefs: 007B09F2, 007B0A17
CHECK, xrefs: 007B0A85, 007B0AA0
GETITEMCOUNT, xrefs: 007B0C1E
ISCHECKED, xrefs: 007B0CE1
UNCHECK, xrefs: 007B0D3E
EXISTS, xrefs: 007B0B7C, 007B0B97
SELECT, xrefs: 007B0D11
COLLAPSE, xrefs: 007B0B01, 007B0B1C

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 0e2816a18dfb672e2dd0fec391b63465cc7f377333b9d69d7c50ceca17ac0512
Instruction ID: 98fa1e4a1b39e94f753225d6c06c2e947abf1665c0f738d678868feb341672b1
Opcode Fuzzy Hash: 0e2816a18dfb672e2dd0fec391b63465cc7f377333b9d69d7c50ceca17ac0512
Instruction Fuzzy Hash: 77E19971208301CFC714DF25C454AABB7E1BF98314B14895DF896AB3A2DB38ED46CB81

Function 007AC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,007AB6AE,?,?), ref: 007AC9B5
_wcslen.LIBCMT ref: 007AC9F1
_wcslen.LIBCMT ref: 007ACA68
_wcslen.LIBCMT ref: 007ACA9E
_wcslen.LIBCMT ref: 007ACAF9
_wcslen.LIBCMT ref: 007ACB2F
_wcslen.LIBCMT ref: 007ACB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 007ACA62, 007ACA67
HKEY_CURRENT_CONFIG, xrefs: 007ACB79, 007ACB7E
HKCR, xrefs: 007ACB29, 007ACB2E
HKCU, xrefs: 007ACBCE
HKLM, xrefs: 007ACA98, 007ACA9D
HKEY_CURRENT_USER, xrefs: 007ACBBD
HKEY_CLASSES_ROOT, xrefs: 007ACAF3, 007ACAF8
HKEY_USERS, xrefs: 007ACBDF
HKU, xrefs: 007ACBF0
HKCC, xrefs: 007ACBAC

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: f9ed10dac8014516f4365e00ceded8c5dbe54345f34f570ff898185bb5648f86
Instruction ID: 52e3bce9478c956128ca105ba6406a99837d4408c6009f0de1ea3935acd2bfa9
Opcode Fuzzy Hash: f9ed10dac8014516f4365e00ceded8c5dbe54345f34f570ff898185bb5648f86
Instruction Fuzzy Hash: DC71057360016AABCB22DF7CCD416BA3391AFE6764F154324F8569B284EA3DDD45C3A0

Function 007B833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007B835A
_wcslen.LIBCMT ref: 007B836E
_wcslen.LIBCMT ref: 007B8391
_wcslen.LIBCMT ref: 007B83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 007B83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,007B361A,?), ref: 007B844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007B8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 007B84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007B8501
FreeLibrary.KERNEL32(?), ref: 007B850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 007B851D
DestroyIcon.USER32(?), ref: 007B852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 007B8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 007B8555

Strings

.dll, xrefs: 007B83AB
.exe, xrefs: 007B8388
.icl, xrefs: 007B8368

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 9b874f671d51ba92d4aa09ca0b090cb40fba3d343ddb2e117acabbcdf02147cc
Instruction ID: 9d8c03e45bd2f39646867966b3a096d1a91815b69bf2fb67ed97ac23a20b6197
Opcode Fuzzy Hash: 9b874f671d51ba92d4aa09ca0b090cb40fba3d343ddb2e117acabbcdf02147cc
Instruction Fuzzy Hash: E1619E71500215FAEB259F64DC85BFE77ACBF08711F108609F815E61D1DF78A990D7A0

Function 00727778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#pragma compile, xrefs: 007277D3
#comments-start, xrefs: 0072785F, 007278B1
#requireadmin, xrefs: 007277FF
#include, xrefs: 00727847
Bad directive syntax error, xrefs: 0076519A
#OnAutoItStartRegister, xrefs: 00727817
#notrayicon, xrefs: 007277E7
#ce, xrefs: 007278ED
#cs, xrefs: 00727873, 007278C5
', xrefs: 00765169
", xrefs: 00765153
Unterminated group of comments, xrefs: 0076528C
#include-once, xrefs: 0072782F
#comments-end, xrefs: 007278D9
Cannot parse #include, xrefs: 00765279

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 7036a69e5561f60b75cae65b64695910d2bbdd6c2939d9cff7497fffb7da62bc
Instruction ID: 0b47aba2eb98cc8f7855811a1bc92af389c7f477fa9af8e7fd118787df3e5e40
Opcode Fuzzy Hash: 7036a69e5561f60b75cae65b64695910d2bbdd6c2939d9cff7497fffb7da62bc
Instruction Fuzzy Hash: BC812AB1640229FBDB29AF60DD46FAE37A8AF15300F044024FD05AB292EB7CD951D7A1

Function 00793E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00793EF8
_wcslen.LIBCMT ref: 00793F03
_wcslen.LIBCMT ref: 00793F5A
_wcslen.LIBCMT ref: 00793F98
GetDriveTypeW.KERNEL32(?), ref: 00793FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0079401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00794059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00794087

Strings

open , xrefs: 00793FE5
close cd wait, xrefs: 00794072
wait, xrefs: 00794044
open, xrefs: 00793F54, 00793F59
type cdaudio alias cd wait, xrefs: 00794001
close, xrefs: 00793EFE, 00793F18
set cd door , xrefs: 00794028
closed, xrefs: 00793F08, 00793F2D, 00793F46, 00793F7E, 00793F97

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: db45e958b2e202acfec54d08b247bc98b200d25967f07e9d3dfd88784061e640
Instruction ID: a3d4cbfa71f06b3fcffab40586097454ef45051c22a2048987c6e33b7791be76
Opcode Fuzzy Hash: db45e958b2e202acfec54d08b247bc98b200d25967f07e9d3dfd88784061e640
Instruction Fuzzy Hash: 4071F2726042119FCB10EF24D88096AB7F5EFA8754F10492DF89597261EB38EE46CB91

Function 00785A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00785A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00785A40
SetWindowTextW.USER32(?,?), ref: 00785A57
GetDlgItem.USER32(?,000003EA), ref: 00785A6C
SetWindowTextW.USER32(00000000,?), ref: 00785A72
GetDlgItem.USER32(?,000003E9), ref: 00785A82
SetWindowTextW.USER32(00000000,?), ref: 00785A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00785AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00785AC3
GetWindowRect.USER32(?,?), ref: 00785ACC
_wcslen.LIBCMT ref: 00785B33
SetWindowTextW.USER32(?,?), ref: 00785B6F
GetDesktopWindow.USER32 ref: 00785B75
GetWindowRect.USER32(00000000), ref: 00785B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00785BD3
GetClientRect.USER32(?,?), ref: 00785BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00785C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00785C2F

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 9101f35c828813c73e202422b4149719aa96ad73445ce6a3b26555fbc7f6f2a7
Instruction ID: 19d166b642aaaeba49c86b729a109d813c974faa9738711f74913c8e2040202f
Opcode Fuzzy Hash: 9101f35c828813c73e202422b4149719aa96ad73445ce6a3b26555fbc7f6f2a7
Instruction Fuzzy Hash: 26717E71900B05AFDB21EFA8CD85F6EBBF5FF48704F108618E142A25A0D779A900CB14

Function 0079FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0079FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0079FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0079FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0079FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0079FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0079FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0079FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0079FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0079FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0079FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0079FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0079FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0079FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0079FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0079FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0079FECC
GetCursorInfo.USER32(?), ref: 0079FEDC
GetLastError.KERNEL32 ref: 0079FF1E

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 1ed2e3b49a04f234f8e17591327bd6775b2e23ebbbddb88f47e1b6c9161cad57
Instruction ID: 1b7ffc14ffc242bb513aeb5df8aee74070bb75e0d533d6aa1511dc2b64842c77
Opcode Fuzzy Hash: 1ed2e3b49a04f234f8e17591327bd6775b2e23ebbbddb88f47e1b6c9161cad57
Instruction Fuzzy Hash: C74154B0D04319AADB10DFBA9C89C5EBFE9FF04354B54852AF11DE7281DB789901CE91

Function 007830F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0078318D
_wcslen.LIBCMT ref: 007831F8

Strings

NAME, xrefs: 00783335, 00783346
CLASSNN, xrefs: 007831F3, 00783204
REGEXPCLASS, xrefs: 00783255, 00783266
CLASS, xrefs: 00783188, 007831A5
[~, xrefs: 0078339A
TEXT, xrefs: 0078347C
INSTANCE, xrefs: 00783453

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[~
API String ID: 176396367-1468205893
Opcode ID: 1fb6792ac8f3fe8505e48393dcd91d8f3b531641b3056a801bcc3d8314a4b7f1
Instruction ID: aac31d703fce7ba62c01b73a45df5658a85bc1ff8bf4fb9e88b48f3d9cd16429
Opcode Fuzzy Hash: 1fb6792ac8f3fe8505e48393dcd91d8f3b531641b3056a801bcc3d8314a4b7f1
Instruction Fuzzy Hash: 06E1B432A4051AEBCB14AF7CC455BFEBBB0BF54B10F548129E456F7240DB38AE859790

Function 007400C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 007400C6

Part of subcall function 007400ED: InitializeCriticalSectionAndSpinCount.KERNEL32(007F070C,00000FA0,6D10C793,?,?,?,?,007623B3,000000FF), ref: 0074011C
Part of subcall function 007400ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,007623B3,000000FF), ref: 00740127
Part of subcall function 007400ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,007623B3,000000FF), ref: 00740138
Part of subcall function 007400ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0074014E
Part of subcall function 007400ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0074015C
Part of subcall function 007400ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0074016A
Part of subcall function 007400ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00740195
Part of subcall function 007400ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 007401A0

___scrt_fastfail.LIBCMT ref: 007400E7

Part of subcall function 007400A3: __onexit.LIBCMT ref: 007400A9

Strings

InitializeConditionVariable, xrefs: 00740148
WakeAllConditionVariable, xrefs: 00740162
kernel32.dll, xrefs: 00740133
SleepConditionVariableCS, xrefs: 00740154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00740122

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 624d1af65b8c1955ca8845e08dde6da9a400af0ce51f11593785b8f2bcc9c931
Instruction ID: 96ba22cd96f01d6de4e853e9d8a1d4cf2a9ad0b871ecd37ba59633672a89e789
Opcode Fuzzy Hash: 624d1af65b8c1955ca8845e08dde6da9a400af0ce51f11593785b8f2bcc9c931
Instruction Fuzzy Hash: EC21C9B2A44718ABEB116B74AC49F6D7398DB45F51F048265FA01A7392DB7C98008AE4

Function 007944C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,007BCC08), ref: 00794527
_wcslen.LIBCMT ref: 0079453B
_wcslen.LIBCMT ref: 00794599
_wcslen.LIBCMT ref: 007945F4
_wcslen.LIBCMT ref: 0079463F
_wcslen.LIBCMT ref: 007946A7

Part of subcall function 0073F9F2: _wcslen.LIBCMT ref: 0073F9FD

GetDriveTypeW.KERNEL32(?,007E6BF0,00000061), ref: 00794743

Strings

removable, xrefs: 007945EA, 007945EF
all, xrefs: 00794531, 00794536
unknown, xrefs: 00794708
network, xrefs: 0079469D, 007946A2
cdrom, xrefs: 0079458F, 00794594
ramdisk, xrefs: 007946F1
fixed, xrefs: 00794635, 0079463A

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 36c5255c05ca707699705c5822563e4cb1814b2e420e9ad51b8e04529ed91dc5
Instruction ID: 17b55ecdfc1f8cb4edb86098bc765ab101b9246d0857bf5555e93e63353cf645
Opcode Fuzzy Hash: 36c5255c05ca707699705c5822563e4cb1814b2e420e9ad51b8e04529ed91dc5
Instruction Fuzzy Hash: 1FB125716083029FCB10DF28E894E6EB7E5BFA9760F50491DF496C7291D738D846CB62

Function 007A3FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,007BCC08), ref: 007A40BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 007A40CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,007BCC08), ref: 007A40F2
FreeLibrary.KERNEL32(00000000,?,007BCC08), ref: 007A413E
StringFromGUID2.OLE32(?,?,00000028,?,007BCC08), ref: 007A41A8
SysFreeString.OLEAUT32(00000009), ref: 007A4262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 007A42C8
SysFreeString.OLEAUT32(?), ref: 007A42F2

Strings

GetModuleHandleExW, xrefs: 007A40C7
kernel32.dll, xrefs: 007A40B6

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 7deeb81c3a15910fbc8071a15b1c9de89b17e452c0aff9b7fbc471afd1309c5b
Instruction ID: 19266f796c0f3551fb01676a6dc0800f4f5390546d611559cf4eb8a82fde834d
Opcode Fuzzy Hash: 7deeb81c3a15910fbc8071a15b1c9de89b17e452c0aff9b7fbc471afd1309c5b
Instruction Fuzzy Hash: 85123C75A00119EFDB14CF54C884EAEB7B5FFC9314F248198E905AB251D776ED42CBA0

Function 0072326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(007F1990), ref: 00762F8D
GetMenuItemCount.USER32(007F1990), ref: 0076303D
GetCursorPos.USER32(?), ref: 00763081
SetForegroundWindow.USER32(00000000), ref: 0076308A
TrackPopupMenuEx.USER32(007F1990,00000000,?,00000000,00000000,00000000), ref: 0076309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 007630A9

Strings

0, xrefs: 0072327D

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: e1b5c0281f0175df99292707bf80cb78c4ea33593498ff170f0ab4452cf82ba4
Instruction ID: 0b1978ca282b006a0270469675c50c408c27716fcd676af8b593413780bb5b38
Opcode Fuzzy Hash: e1b5c0281f0175df99292707bf80cb78c4ea33593498ff170f0ab4452cf82ba4
Instruction Fuzzy Hash: A0711970644615FEEB219F24DC49FEABFA9FF04324F204216F925A61E1C7BDA914CB90

Function 007B6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 007B6DEB

Part of subcall function 00726B57: _wcslen.LIBCMT ref: 00726B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 007B6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 007B6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007B6E94
DestroyWindow.USER32(?), ref: 007B6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00720000,00000000), ref: 007B6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007B6EFD
GetDesktopWindow.USER32 ref: 007B6F16
GetWindowRect.USER32(00000000), ref: 007B6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 007B6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 007B6F4D

Part of subcall function 00739944: GetWindowLongW.USER32(?,000000EB), ref: 00739952

Strings

tooltips_class32, xrefs: 007B6E58, 007B6EDD
0, xrefs: 007B6D98

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 426347dfd63f4811d89c6baa0aec2922e1b7a5ce5ee1143c477e5b9692849bb5
Instruction ID: 68dc88e13b88b40e393d37e9fe0e32d3d6f76dd3eec519ebf0ccbb7f6a242e7a
Opcode Fuzzy Hash: 426347dfd63f4811d89c6baa0aec2922e1b7a5ce5ee1143c477e5b9692849bb5
Instruction Fuzzy Hash: 32717871504284AFDB21CF28DC48FBABBE9FB89304F44855EFA8987261C778E905CB15

Function 007B911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00739BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00739BB2

DragQueryPoint.SHELL32(?,?), ref: 007B9147

Part of subcall function 007B7674: ClientToScreen.USER32(?,?), ref: 007B769A
Part of subcall function 007B7674: GetWindowRect.USER32(?,?), ref: 007B7710
Part of subcall function 007B7674: PtInRect.USER32(?,?,007B8B89), ref: 007B7720

SendMessageW.USER32(?,000000B0,?,?), ref: 007B91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007B91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007B91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 007B9225
SendMessageW.USER32(?,000000B0,?,?), ref: 007B923E
SendMessageW.USER32(?,000000B1,?,?), ref: 007B9255
SendMessageW.USER32(?,000000B1,?,?), ref: 007B9277
DragFinish.SHELL32(?), ref: 007B927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 007B9371

Strings

@GUI_DRAGFILE, xrefs: 007B9320
@GUI_DRAGID, xrefs: 007B92E9
@GUI_DROPID, xrefs: 007B929E

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 4b4c6a2c4270295b98aab1177cb1e66288a21f6a3c71741ec6011b94cc1413f8
Instruction ID: 3f7c4962b8806dd0a75ea0e9ccb273ef62ca95ca08d399195b76ce95f245d1a4
Opcode Fuzzy Hash: 4b4c6a2c4270295b98aab1177cb1e66288a21f6a3c71741ec6011b94cc1413f8
Instruction Fuzzy Hash: 3D618D71108301AFC701DF64DC89EAFBBE8EF89350F044A2DF691931A1DB789A45CB62

Function 0079C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0079C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0079C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0079C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0079C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0079C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0079C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0079C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0079C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0079C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0079C5F0
InternetCloseHandle.WININET(00000000), ref: 0079C5FB

Strings

, xrefs: 0079C575

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 45b090f6fbd4d79948dd18ef365d114959c84cfeb46194065fe375a850e03de0
Instruction ID: d13e546a70bbf6d22f633913ebcb6e383af162a42ddc0edadf3bbaccec2a0f9c
Opcode Fuzzy Hash: 45b090f6fbd4d79948dd18ef365d114959c84cfeb46194065fe375a850e03de0
Instruction Fuzzy Hash: 0C514AB1600208BFEF228F65D988FAB7BFCFF08754F108519F94696250DB38E9549B60

Function 007B856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 007B8592
GetFileSize.KERNEL32(00000000,00000000), ref: 007B85A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 007B85AD
CloseHandle.KERNEL32(00000000), ref: 007B85BA
GlobalLock.KERNEL32(00000000), ref: 007B85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 007B85D7
GlobalUnlock.KERNEL32(00000000), ref: 007B85E0
CloseHandle.KERNEL32(00000000), ref: 007B85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 007B85F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,007BFC38,?), ref: 007B8611
GlobalFree.KERNEL32(00000000), ref: 007B8621
GetObjectW.GDI32(?,00000018,000000FF), ref: 007B8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 007B8671
DeleteObject.GDI32(00000000), ref: 007B8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 007B86AF

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: b93e83c3a2ed70aa3bccf97c2747e3248b15ac69d2bc4ce760af100aebd1ec68
Instruction ID: c3ce62273fceedfe38b189c2b7e89219ca3d74aca092c3d14ef32463276ef44e
Opcode Fuzzy Hash: b93e83c3a2ed70aa3bccf97c2747e3248b15ac69d2bc4ce760af100aebd1ec68
Instruction Fuzzy Hash: 3B411975600209AFDB129FA5CC48FAA7BBCFF89B15F108159F905E7260DB389D01CB65

Function 007914BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00791502
VariantCopy.OLEAUT32(?,?), ref: 0079150B
VariantClear.OLEAUT32(?), ref: 00791517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 007915FB
VarR8FromDec.OLEAUT32(?,?), ref: 00791657
VariantInit.OLEAUT32(?), ref: 00791708
SysFreeString.OLEAUT32(?), ref: 0079178C
VariantClear.OLEAUT32(?), ref: 007917D8
VariantClear.OLEAUT32(?), ref: 007917E7
VariantInit.OLEAUT32(00000000), ref: 00791823

Strings

Default, xrefs: 007916AF
%4d%02d%02d%02d%02d%02d, xrefs: 00791625

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 190121f527ce1a003578760f173e8cdfca630f793149d668aa01d2eeb2ecbc5c
Instruction ID: 6a02f2f5e7305a7668cac71facd4f1ae07a2c4ba86bfe8ee4788dd169485f9e0
Opcode Fuzzy Hash: 190121f527ce1a003578760f173e8cdfca630f793149d668aa01d2eeb2ecbc5c
Instruction Fuzzy Hash: 11D11172A00116EBEF009F65E889B7DB7B1BF44700F968056F446AB281DB3CED61DB61

Function 007AB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00729CB3: _wcslen.LIBCMT ref: 00729CBD

Part of subcall function 007AC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007AB6AE,?,?), ref: 007AC9B5
Part of subcall function 007AC998: _wcslen.LIBCMT ref: 007AC9F1
Part of subcall function 007AC998: _wcslen.LIBCMT ref: 007ACA68
Part of subcall function 007AC998: _wcslen.LIBCMT ref: 007ACA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007AB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007AB772
RegDeleteValueW.ADVAPI32(?,?), ref: 007AB80A
RegCloseKey.ADVAPI32(?), ref: 007AB87E
RegCloseKey.ADVAPI32(?), ref: 007AB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 007AB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 007AB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 007AB922
FreeLibrary.KERNEL32(00000000), ref: 007AB983
RegCloseKey.ADVAPI32(00000000), ref: 007AB994

Strings

advapi32.dll, xrefs: 007AB8ED
RegDeleteKeyExW, xrefs: 007AB8FE

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 262a18cb1664456f7927fd5bcacf239612fbb71364775bc5eae52cbc3c0309f3
Instruction ID: 784b72c70469ae42e9145e9e0487e95f539595172501b5078277299edf48fa65
Opcode Fuzzy Hash: 262a18cb1664456f7927fd5bcacf239612fbb71364775bc5eae52cbc3c0309f3
Instruction Fuzzy Hash: 63C16B31208241EFD715DF14C498F2ABBE5BF85308F18869CF59A4B2A3CB79E845CB91

Function 007A255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 007A25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 007A25E8
CreateCompatibleDC.GDI32(?), ref: 007A25F4
SelectObject.GDI32(00000000,?), ref: 007A2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 007A266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 007A26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 007A26D0
SelectObject.GDI32(?,?), ref: 007A26D8
DeleteObject.GDI32(?), ref: 007A26E1
DeleteDC.GDI32(?), ref: 007A26E8
ReleaseDC.USER32(00000000,?), ref: 007A26F3

Strings

(, xrefs: 007A268D

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: d57f46ffde5674f9ae749db263ea32ece3e050a426b2618806baef771f1cb504
Instruction ID: bccc53d52304e004a19c2510d6a61c4c40d3d18b2e9937f99da774290556a3f0
Opcode Fuzzy Hash: d57f46ffde5674f9ae749db263ea32ece3e050a426b2618806baef771f1cb504
Instruction Fuzzy Hash: 876102B5D00219EFCF05CFA8D884EAEBBB5FF48310F208629E955A7251D774A941CF64

Function 0075DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0075DAA1

Part of subcall function 0075D63C: _free.LIBCMT ref: 0075D659
Part of subcall function 0075D63C: _free.LIBCMT ref: 0075D66B
Part of subcall function 0075D63C: _free.LIBCMT ref: 0075D67D
Part of subcall function 0075D63C: _free.LIBCMT ref: 0075D68F
Part of subcall function 0075D63C: _free.LIBCMT ref: 0075D6A1
Part of subcall function 0075D63C: _free.LIBCMT ref: 0075D6B3
Part of subcall function 0075D63C: _free.LIBCMT ref: 0075D6C5
Part of subcall function 0075D63C: _free.LIBCMT ref: 0075D6D7
Part of subcall function 0075D63C: _free.LIBCMT ref: 0075D6E9
Part of subcall function 0075D63C: _free.LIBCMT ref: 0075D6FB
Part of subcall function 0075D63C: _free.LIBCMT ref: 0075D70D
Part of subcall function 0075D63C: _free.LIBCMT ref: 0075D71F
Part of subcall function 0075D63C: _free.LIBCMT ref: 0075D731

_free.LIBCMT ref: 0075DA96

Part of subcall function 007529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0075D7D1,00000000,00000000,00000000,00000000,?,0075D7F8,00000000,00000007,00000000,?,0075DBF5,00000000), ref: 007529DE
Part of subcall function 007529C8: GetLastError.KERNEL32(00000000,?,0075D7D1,00000000,00000000,00000000,00000000,?,0075D7F8,00000000,00000007,00000000,?,0075DBF5,00000000,00000000), ref: 007529F0

_free.LIBCMT ref: 0075DAB8
_free.LIBCMT ref: 0075DACD
_free.LIBCMT ref: 0075DAD8
_free.LIBCMT ref: 0075DAFA
_free.LIBCMT ref: 0075DB0D
_free.LIBCMT ref: 0075DB1B
_free.LIBCMT ref: 0075DB26
_free.LIBCMT ref: 0075DB5E
_free.LIBCMT ref: 0075DB65
_free.LIBCMT ref: 0075DB82
_free.LIBCMT ref: 0075DB9A

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: d67d0d60ea89408022e2be68ddb14557a5d24b1b20e5dbb00568cd3fc0dd7a7e
Instruction ID: 73c1547ee706c310883f3f631d832046f4075b9546ecd42ba7ee2f79591ad5e0
Opcode Fuzzy Hash: d67d0d60ea89408022e2be68ddb14557a5d24b1b20e5dbb00568cd3fc0dd7a7e
Instruction Fuzzy Hash: 3E315D71604204DFEB31AA39D849BD677E9FF01312F114419E848E72A2DFB9BC49CB20

Function 0078365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0078369C
_wcslen.LIBCMT ref: 007836A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00783797
GetClassNameW.USER32(?,?,00000400), ref: 0078380C
GetDlgCtrlID.USER32(?), ref: 0078385D
GetWindowRect.USER32(?,?), ref: 00783882
GetParent.USER32(?), ref: 007838A0
ScreenToClient.USER32(00000000), ref: 007838A7
GetClassNameW.USER32(?,?,00000100), ref: 00783921
GetWindowTextW.USER32(?,?,00000400), ref: 0078395D

Strings

%s%u, xrefs: 00783734

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 84a7c91310d954022160e495fd3ad7673fab72799383b77ece4ae2ecfa98f367
Instruction ID: 02c3be9732b3903fa16a0e11ae651467531de7f58b68404413d136c4e32ea355
Opcode Fuzzy Hash: 84a7c91310d954022160e495fd3ad7673fab72799383b77ece4ae2ecfa98f367
Instruction Fuzzy Hash: 0E91D771244706EFD715EF28C889FAAF7A8FF44754F008619F999C2190DB38EA45CBA1

Function 00784954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00784994
GetWindowTextW.USER32(?,?,00000400), ref: 007849DA
_wcslen.LIBCMT ref: 007849EB
CharUpperBuffW.USER32(?,00000000), ref: 007849F7
_wcsstr.LIBVCRUNTIME ref: 00784A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00784A64
GetWindowTextW.USER32(?,?,00000400), ref: 00784A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00784AE6
GetClassNameW.USER32(?,?,00000400), ref: 00784B20
GetWindowRect.USER32(?,?), ref: 00784B8B

Strings

ThumbnailClass, xrefs: 00784A6F, 00784AF1

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 9aad1e5cc99a51f83b93fe988e13b8b7399b3877cf975f0eb8938756d34633ac
Instruction ID: 32aaddaa3fb3cba811fab8e3eb4214543a6a686838de53581dbfa091f9035002
Opcode Fuzzy Hash: 9aad1e5cc99a51f83b93fe988e13b8b7399b3877cf975f0eb8938756d34633ac
Instruction Fuzzy Hash: 1D91E271044206DFDB05EF14C989FAA7BE8FF44314F04846AFD859A096DBB8ED45CBA1

Function 0078BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(007F1990,000000FF,00000000,00000030), ref: 0078BFAC
SetMenuItemInfoW.USER32(007F1990,00000004,00000000,00000030), ref: 0078BFE1
Sleep.KERNEL32(000001F4), ref: 0078BFF3
GetMenuItemCount.USER32(?), ref: 0078C039
GetMenuItemID.USER32(?,00000000), ref: 0078C056
GetMenuItemID.USER32(?,-00000001), ref: 0078C082
GetMenuItemID.USER32(?,?), ref: 0078C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0078C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0078C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0078C145

Strings

0, xrefs: 0078BF3D

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: a014f749362ef963eb9588473a6ab1ede3d64a1d4cf8d45db137be15047008ca
Instruction ID: 14fa6cccb5cbc720e2a82b87e7e4bb8ce44640ea2e381b2d008313dea5c58181
Opcode Fuzzy Hash: a014f749362ef963eb9588473a6ab1ede3d64a1d4cf8d45db137be15047008ca
Instruction Fuzzy Hash: DA6181B094024AEFDF12EF68DC88EAE7BB8EF05344F104155E951A3291D739AD15CB70

Function 007ACC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 007ACC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 007ACC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 007ACD48

Part of subcall function 007ACC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 007ACCAA
Part of subcall function 007ACC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 007ACCBD
Part of subcall function 007ACC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 007ACCCF
Part of subcall function 007ACC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 007ACD05
Part of subcall function 007ACC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 007ACD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 007ACCF3

Strings

advapi32.dll, xrefs: 007ACCB8
RegDeleteKeyExW, xrefs: 007ACCC9

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: fa38340de883a4dbd4891d3239ea7b635051fa736f753bd6187a866d8f343519
Instruction ID: 29b07094388228592ef23cca2253cd7e1fe88c9dbdfb2cdb11ebf4b5b7737539
Opcode Fuzzy Hash: fa38340de883a4dbd4891d3239ea7b635051fa736f753bd6187a866d8f343519
Instruction Fuzzy Hash: D931A1B1A0112CBBD7229B55DC88EFFBB7CEF46750F008265F905E2200DB788A45DAB4

Function 00793D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00793D40
_wcslen.LIBCMT ref: 00793D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00793D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00793DBE
RemoveDirectoryW.KERNEL32(?), ref: 00793DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00793E55
CloseHandle.KERNEL32(00000000), ref: 00793E60
CloseHandle.KERNEL32(00000000), ref: 00793E6B

Strings

:, xrefs: 00793D82
\??\%s, xrefs: 00793D5B
\, xrefs: 00793D77

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 4a38d4a85e353fe953346540f954ee46bea81f6a5a57ca48dc4e76af1ec15c9f
Instruction ID: 274c1cb042a4bfefe7df22d65eb9f8ea5f86a8963f9f7a7f62b035fa47d998db
Opcode Fuzzy Hash: 4a38d4a85e353fe953346540f954ee46bea81f6a5a57ca48dc4e76af1ec15c9f
Instruction Fuzzy Hash: E231A1B5A04209ABDB219FA0DC49FEB37BCEF88700F5081B5F519D6160EB7897448B24

Function 0078E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0078E6B4

Part of subcall function 0073E551: timeGetTime.WINMM(?,?,0078E6D4), ref: 0073E555

Sleep.KERNEL32(0000000A), ref: 0078E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0078E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0078E727
SetActiveWindow.USER32 ref: 0078E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0078E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0078E773
Sleep.KERNEL32(000000FA), ref: 0078E77E
IsWindow.USER32 ref: 0078E78A
EndDialog.USER32(00000000), ref: 0078E79B

Strings

BUTTON, xrefs: 0078E719

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: db2c0ec71005de3fd06be516f3fc8d4592ab7069736579116962f54a6f4f6ff4
Instruction ID: 75ec5a467338ba0f48a0502832a2b73fca094506c7b5334e95f7d4e55d91579a
Opcode Fuzzy Hash: db2c0ec71005de3fd06be516f3fc8d4592ab7069736579116962f54a6f4f6ff4
Instruction Fuzzy Hash: 0F215EB0340204AFEB116F25EC89F363B69AB54B58F10C525F501C15A2DB7DAC11DB28

Function 0078E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00729CB3: _wcslen.LIBCMT ref: 00729CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0078EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0078EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0078EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0078EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0078EAA7

Strings

open , xrefs: 0078EA0C
alias PlayMe, xrefs: 0078EA36
play PlayMe wait, xrefs: 0078EA91
close PlayMe, xrefs: 0078EA6E, 0078EA9B
play PlayMe, xrefs: 0078EAA2
status PlayMe mode, xrefs: 0078EA58

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 63acf51b6848b41c7c1aaba72e2e0782c8cb7c3ae357232a10b1c2272e699a2c
Instruction ID: 00e07ecf6be67790347b81034879415c2c924de0a5e8463be9c4a2923b6ab739
Opcode Fuzzy Hash: 63acf51b6848b41c7c1aaba72e2e0782c8cb7c3ae357232a10b1c2272e699a2c
Instruction Fuzzy Hash: 9D11A771691269B9D724F762DC4ADFF6A7CEBE5F40F004429B401A20D1DF781944C6B1

Function 00789F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0078A012
SetKeyboardState.USER32(?), ref: 0078A07D
GetAsyncKeyState.USER32(000000A0), ref: 0078A09D
GetKeyState.USER32(000000A0), ref: 0078A0B4
GetAsyncKeyState.USER32(000000A1), ref: 0078A0E3
GetKeyState.USER32(000000A1), ref: 0078A0F4
GetAsyncKeyState.USER32(00000011), ref: 0078A120
GetKeyState.USER32(00000011), ref: 0078A12E
GetAsyncKeyState.USER32(00000012), ref: 0078A157
GetKeyState.USER32(00000012), ref: 0078A165
GetAsyncKeyState.USER32(0000005B), ref: 0078A18E
GetKeyState.USER32(0000005B), ref: 0078A19C

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 491c86833b4680b6328f6f0bdf9a19978f402a7d50136030f082e73a2b2598a3
Instruction ID: d193a9be3efcb58186edbeeffacd5fca9feeb02f6788a7459117695b49d3d88c
Opcode Fuzzy Hash: 491c86833b4680b6328f6f0bdf9a19978f402a7d50136030f082e73a2b2598a3
Instruction Fuzzy Hash: 6A51AC2098478879FB35FB704819BEABFB55F11340F0C859AD6C2571C2EA5C9E4CC762

Function 00785CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00785CE2
GetWindowRect.USER32(00000000,?), ref: 00785CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00785D59
GetDlgItem.USER32(?,00000002), ref: 00785D69
GetWindowRect.USER32(00000000,?), ref: 00785D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00785DCF
GetDlgItem.USER32(?,000003E9), ref: 00785DDD
GetWindowRect.USER32(00000000,?), ref: 00785DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00785E31
GetDlgItem.USER32(?,000003EA), ref: 00785E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00785E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00785E67

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 052a7faccbeae75bc6d06364fe9c4b32caec0cb2aaf41c5952c4aa4533a55e16
Instruction ID: 112325be65d54980d4909239fedef50b1c31ee3c14fe97ffb0db566097676a5a
Opcode Fuzzy Hash: 052a7faccbeae75bc6d06364fe9c4b32caec0cb2aaf41c5952c4aa4533a55e16
Instruction Fuzzy Hash: 2C510D71B40609AFDF19DF68DD89EAEBBB5FB48300F148229F915E6290D7749E04CB60

Function 00738BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00738F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00738BE8,?,00000000,?,?,?,?,00738BBA,00000000,?), ref: 00738FC5

DestroyWindow.USER32(?), ref: 00738C81
KillTimer.USER32(00000000,?,?,?,?,00738BBA,00000000,?), ref: 00738D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00776973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00738BBA,00000000,?), ref: 007769A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00738BBA,00000000,?), ref: 007769B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00738BBA,00000000), ref: 007769D4
DeleteObject.GDI32(00000000), ref: 007769E6

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 1e92bc228a375edb3e720a0fa9dab184b464823c59287db3593ce23ee8d9f9e6
Instruction ID: 4d7955839fc807bd068384877ec3dab5cf593645f7d54ae81a59b6498daf630e
Opcode Fuzzy Hash: 1e92bc228a375edb3e720a0fa9dab184b464823c59287db3593ce23ee8d9f9e6
Instruction Fuzzy Hash: F7618830102B00DFEB669F24CA48B35B7B1FB40362F55D658E0469A565CB7DB980CFAA

Function 00739838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00739944: GetWindowLongW.USER32(?,000000EB), ref: 00739952

GetSysColor.USER32(0000000F), ref: 00739862

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 1beff462834abe51a474b6446de02671321d4870e64d3afcf997738a10bc25b5
Instruction ID: b19f15f895fa34892c60256672892b05e70fb92dffcf42cb7abf4dad6b2785c5
Opcode Fuzzy Hash: 1beff462834abe51a474b6446de02671321d4870e64d3afcf997738a10bc25b5
Instruction Fuzzy Hash: 8041C331104644AFEF215F3C9C88BFA3B65AB86370F148605FAE29B1E2D7B99C41DB10

Function 00758D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.t, xrefs: 0075903A, 00758FD0, 00758FF2

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID: .t
API String ID: 0-4274973675
Opcode ID: 6e36193523b843eea32abb5b42bd7d505b029ea4a4678f3ff928d6fdb7f11937
Instruction ID: 70c0fccb7ef3b6b3453d4934ebf2b2f1881200f4a543be01cc104e760a4567bf
Opcode Fuzzy Hash: 6e36193523b843eea32abb5b42bd7d505b029ea4a4678f3ff928d6fdb7f11937
Instruction Fuzzy Hash: C6C1E27490424AEFCF51DFA8C845BEDBBB0BF09311F044159E919A73D2CBB89945CB62

Function 007896E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0076F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00789717
LoadStringW.USER32(00000000,?,0076F7F8,00000001), ref: 00789720

Part of subcall function 00729CB3: _wcslen.LIBCMT ref: 00729CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0076F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00789742
LoadStringW.USER32(00000000,?,0076F7F8,00000001), ref: 00789745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00789866

Strings

Line %d:, xrefs: 007897A0
%s (%d) : ==> %s: %s %s, xrefs: 0078984A
Error: , xrefs: 0078981D
^ ERROR, xrefs: 007897FB
Line %d (File "%s"):, xrefs: 0078978F

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: f7cf91151f87266488170c50f973c6d9c940a2dc7517990c7b40e9e6285800ad
Instruction ID: 3723a85f63e78985a7183217e2991c7ce5769a6318017e6a2ba728f6119db9c3
Opcode Fuzzy Hash: f7cf91151f87266488170c50f973c6d9c940a2dc7517990c7b40e9e6285800ad
Instruction Fuzzy Hash: 6B412DB2800219EADB05FBE0ED5AEEEB778AF55340F544425F60572092EA3D6F48CB61

Function 007806DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00726B57: _wcslen.LIBCMT ref: 00726B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007807A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 007807BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 007807DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00780804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0078082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00780837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0078083C

Strings

\IPC$, xrefs: 00780784
\CLSID, xrefs: 00780724
SOFTWARE\Classes\, xrefs: 0078070E

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 2f7a2decd1d216c356ab2b92781a5142bfe57166b90687d808dc84b9cdf1706e
Instruction ID: e9d359adcfef0a4db706c1ea288262af288ff4a20b40dd7d02e638baf87ead7f
Opcode Fuzzy Hash: 2f7a2decd1d216c356ab2b92781a5142bfe57166b90687d808dc84b9cdf1706e
Instruction Fuzzy Hash: 96410972C10229EBDF15EBA4DC99DEDB778BF04750F144129E905A7161EB386E48CBA0

Function 007B3F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 007B403B
CreateCompatibleDC.GDI32(00000000), ref: 007B4042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 007B4055
SelectObject.GDI32(00000000,00000000), ref: 007B405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 007B4068
DeleteDC.GDI32(00000000), ref: 007B4072
GetWindowLongW.USER32(?,000000EC), ref: 007B407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 007B4092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 007B409E

Strings

static, xrefs: 007B3FD3

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: c57ca568fec418424323fe486776ddd00c03ffa1d59ca407c9234a64d13744f0
Instruction ID: 4b4f47dba845a6a97a4d6da27015711340610cd17a0d871bda9d45b87400efc8
Opcode Fuzzy Hash: c57ca568fec418424323fe486776ddd00c03ffa1d59ca407c9234a64d13744f0
Instruction Fuzzy Hash: F1316072501219AFDF229F68DC09FDA3B68EF0D324F118311FA54E61A1D779D850DB64

Function 007A3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007A3C5C
CoInitialize.OLE32(00000000), ref: 007A3C8A
CoUninitialize.OLE32 ref: 007A3C94
_wcslen.LIBCMT ref: 007A3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 007A3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 007A3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 007A3F0E
CoGetObject.OLE32(?,00000000,007BFB98,?), ref: 007A3F2D
SetErrorMode.KERNEL32(00000000), ref: 007A3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 007A3FC4
VariantClear.OLEAUT32(?), ref: 007A3FD8

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: a798627a1f2e6c995aa9f52edd17e798bde08cca736b0b4cf4b2bcc89e71a660
Instruction ID: 8f6dfff10fb2a789ae9f03df38a2034ec148876a65ffef2419e800d39c08e065
Opcode Fuzzy Hash: a798627a1f2e6c995aa9f52edd17e798bde08cca736b0b4cf4b2bcc89e71a660
Instruction Fuzzy Hash: 9FC11371608205DFD700DF68C88492BBBE9FF8A744F144A1DF98A9B250D739EE45CB52

Function 00797A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00797AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00797B8F
SHGetDesktopFolder.SHELL32(?), ref: 00797BA3
CoCreateInstance.OLE32(007BFD08,00000000,00000001,007E6E6C,?), ref: 00797BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00797C74
CoTaskMemFree.OLE32(?,?), ref: 00797CCC
SHBrowseForFolderW.SHELL32(?), ref: 00797D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00797D7A
CoTaskMemFree.OLE32(00000000), ref: 00797D81
CoTaskMemFree.OLE32(00000000), ref: 00797DD6
CoUninitialize.OLE32 ref: 00797DDC

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 06cccdea86cb28a44ea51285362d3f9b2ed8871f53e40841ef55997410ba42a6
Instruction ID: 59faa344f0fc74c5cd6bd5e980aa199cdcec74fe3f4840ac437ec7113d11cd9e
Opcode Fuzzy Hash: 06cccdea86cb28a44ea51285362d3f9b2ed8871f53e40841ef55997410ba42a6
Instruction Fuzzy Hash: 47C13975A04119EFCB14DFA4D888DAEBBF9FF48304B148599F81A9B261D734EE41CB90

Function 007B541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 007B5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007B5515
CharNextW.USER32(00000158), ref: 007B5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 007B5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 007B559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007B55AC

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 34207b23b0ee59a1a3d255c3defa1e115c01d0e463ee5cf8ff5025dd59b1c3ef
Instruction ID: 2510ed6cde5d861081bedeb4550a4188dc45ddf87378884f88fc5d4e1cf42035
Opcode Fuzzy Hash: 34207b23b0ee59a1a3d255c3defa1e115c01d0e463ee5cf8ff5025dd59b1c3ef
Instruction Fuzzy Hash: 02616C70904608EFDF219F54CC85FFE7BB9EF09725F108145F925AA290D7789A81DB60

Function 0077FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0077FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0077FB08
VariantInit.OLEAUT32(?), ref: 0077FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0077FB3A
VariantCopy.OLEAUT32(?,?), ref: 0077FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0077FBA1
VariantClear.OLEAUT32(?), ref: 0077FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0077FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0077FBCC
VariantClear.OLEAUT32(?), ref: 0077FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0077FBE9

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 585386fe174bd59f027eacef5b9704f98426aba4eb8738a52cb832375dbbb0a1
Instruction ID: 65cd6d9b01c6cfae8bd7817a447f467e8c369c661365505ece5cf0841ec63416
Opcode Fuzzy Hash: 585386fe174bd59f027eacef5b9704f98426aba4eb8738a52cb832375dbbb0a1
Instruction Fuzzy Hash: 45415275A00219DFCF01DF64D958EAEBBB9EF48354F00C065E959A7261CB38AA45CFA0

Function 00789C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00789CA1
GetAsyncKeyState.USER32(000000A0), ref: 00789D22
GetKeyState.USER32(000000A0), ref: 00789D3D
GetAsyncKeyState.USER32(000000A1), ref: 00789D57
GetKeyState.USER32(000000A1), ref: 00789D6C
GetAsyncKeyState.USER32(00000011), ref: 00789D84
GetKeyState.USER32(00000011), ref: 00789D96
GetAsyncKeyState.USER32(00000012), ref: 00789DAE
GetKeyState.USER32(00000012), ref: 00789DC0
GetAsyncKeyState.USER32(0000005B), ref: 00789DD8
GetKeyState.USER32(0000005B), ref: 00789DEA

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 7e5dd046407c1e991014fb6dc90fd71ee3114be5fbb3751f85d6243ed147cb9c
Instruction ID: fe6937e03e8bc1e3fcd96deb4c8b7d7351a74dbd94ca6030b12659601f11594d
Opcode Fuzzy Hash: 7e5dd046407c1e991014fb6dc90fd71ee3114be5fbb3751f85d6243ed147cb9c
Instruction Fuzzy Hash: E541B5346847C96DFF71A670C8047B5BEA06F11344F0C805ADBC6566C2EBAD99C8C7B6

Function 007A055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 007A05BC
inet_addr.WSOCK32(?), ref: 007A061C
gethostbyname.WSOCK32(?), ref: 007A0628
IcmpCreateFile.IPHLPAPI ref: 007A0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007A06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 007A06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 007A07B9
WSACleanup.WSOCK32 ref: 007A07BF

Strings

Ping, xrefs: 007A0676

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 76c10dfcc2d5eeffb355c5b4d17f29866ac58f9ff098486a0a56c2e44907fa0d
Instruction ID: 6976dd7e33b5170a5552e33b47088d5edcf843206d38f39bf310ad5a0881d9ae
Opcode Fuzzy Hash: 76c10dfcc2d5eeffb355c5b4d17f29866ac58f9ff098486a0a56c2e44907fa0d
Instruction Fuzzy Hash: 42918E75604201DFD720CF19D489F1ABBE0AF89318F148AA9F4699B6A2C738ED45CFD1

Function 007A8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 007A8CF3

Part of subcall function 00788E54: _wcslen.LIBCMT ref: 00788E77

_wcslen.LIBCMT ref: 007A8D4E
_wcslen.LIBCMT ref: 007A8D9C
_wcslen.LIBCMT ref: 007A8DDC
_wcslen.LIBCMT ref: 007A8E6E

Strings

cdecl, xrefs: 007A8D48, 007A8D4D
stdcall, xrefs: 007A8DD6, 007A8DDB
winapi, xrefs: 007A8D96, 007A8D9B
none, xrefs: 007A8E65, 007A8E6A

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: dcb601c86f0e342a2216e7f522e585ea4549ec7158f9a59e20c6461a2b5e3546
Instruction ID: d3345507d4924033d871f410b7ddc94e3e4dcd4b7313450028352f3c7f8ba137
Opcode Fuzzy Hash: dcb601c86f0e342a2216e7f522e585ea4549ec7158f9a59e20c6461a2b5e3546
Instruction Fuzzy Hash: 2E51B231A05116DBCF54DF68C9409BEB7A5BFAA724B244329E426E72C4EF38DD40C791

Function 007A372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 007A3774
CoUninitialize.OLE32 ref: 007A377F
CoCreateInstance.OLE32(?,00000000,00000017,007BFB78,?), ref: 007A37D9
IIDFromString.OLE32(?,?), ref: 007A384C
VariantInit.OLEAUT32(?), ref: 007A38E4
VariantClear.OLEAUT32(?), ref: 007A3936

Strings

NULL Pointer assignment, xrefs: 007A381E
Invalid parameter, xrefs: 007A3865
Failed to create object, xrefs: 007A37E4, 007A389A

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 51f834cd3045b21bca2ea7d646f13ba999db82dbd41edd837546e9e5dcd789fe
Instruction ID: 59c30cc3493b1271e4169c30cc54dbc5f75e2a4c3e7be5aa9dec70dec46502dc
Opcode Fuzzy Hash: 51f834cd3045b21bca2ea7d646f13ba999db82dbd41edd837546e9e5dcd789fe
Instruction Fuzzy Hash: 4861B1B0608311EFD311DF54D889F5AB7E8EF8A714F104A09F5859B291C778EE48CBA2

Function 00793388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 007933CF

Part of subcall function 00729CB3: _wcslen.LIBCMT ref: 00729CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 007933F0

Strings

Incorrect parameters to object property !, xrefs: 007934AB
Error: , xrefs: 007934D1
"%s" (%d) : ==> %s:%s%s, xrefs: 00793504
^ ERROR , xrefs: 0079349E
"%s" (%d) : ==> %s:, xrefs: 00793522
Line %d (File "%s"):, xrefs: 00793443, 0079345C

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 17e9cfefd4c7fcfb4a7598e7ff43190ea2211e7eb3a5daa2f35eff7cbba88997
Instruction ID: 04bc9fc99f7d13148acb943aecf5031aee85a8a60a72dba73220f24d07e8f497
Opcode Fuzzy Hash: 17e9cfefd4c7fcfb4a7598e7ff43190ea2211e7eb3a5daa2f35eff7cbba88997
Instruction Fuzzy Hash: 875170B1900259EADF15EBA0ED4AEFEB778AF18340F244165F50572052EB3D6F58CB60

Function 0078B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0078B5FC
_wcslen.LIBCMT ref: 0078B608
_wcslen.LIBCMT ref: 0078B64D
_wcslen.LIBCMT ref: 0078B68C
_wcslen.LIBCMT ref: 0078B6C7

Strings

APPEND, xrefs: 0078B6C1, 0078B6C6
KEYS, xrefs: 0078B647, 0078B64C
EXISTS, xrefs: 0078B686, 0078B68B
REMOVE, xrefs: 0078B602, 0078B607

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: d168e12d11bd18e2847d4f329de552d183a07907866750ab984f1ae2e212c33b
Instruction ID: 8e010c785d2efe8db13127b8301b4cfe1bcad8d5b34425cceeb4e11a84404901
Opcode Fuzzy Hash: d168e12d11bd18e2847d4f329de552d183a07907866750ab984f1ae2e212c33b
Instruction Fuzzy Hash: 5141D632B41127DBCB207F7D88905BE77A5BFA4794B24412AE421D7284F739DD81C790

Function 00795393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007953A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00795416
GetLastError.KERNEL32 ref: 00795420
SetErrorMode.KERNEL32(00000000,READY), ref: 007954A7

Strings

INVALID, xrefs: 00795459
NOTREADY, xrefs: 0079544B
READONLY, xrefs: 00795452
READY, xrefs: 00795460, 00795468
UNKNOWN, xrefs: 00795444

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 829116e7a7f11f942af50603dcd6c82f30ba0b89fc0669a3b8ac110173da561a
Instruction ID: 29c6c3bf00ff4a817d361455dae01da196f98ed18520e2ebd1ca0f2ae1f9204a
Opcode Fuzzy Hash: 829116e7a7f11f942af50603dcd6c82f30ba0b89fc0669a3b8ac110173da561a
Instruction Fuzzy Hash: D431D375A00558DFCB52DF68E888FA9BBB4FF44305F188169E501DB2A2D738DD82CB90

Function 007B3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 007B3C79
SetMenu.USER32(?,00000000), ref: 007B3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007B3D10
IsMenu.USER32(?), ref: 007B3D24
CreatePopupMenu.USER32 ref: 007B3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007B3D5B
DrawMenuBar.USER32 ref: 007B3D63

Strings

F, xrefs: 007B3D4E
0, xrefs: 007B3C54

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 43f6ae1367fa81cb98d76e6f33958778218aabea7f57576b475f560fe1582553
Instruction ID: 2a2b538d99f8cbc4c103582629e288f53119d69b0d9c62fe5a8d67a25cf9b2e5
Opcode Fuzzy Hash: 43f6ae1367fa81cb98d76e6f33958778218aabea7f57576b475f560fe1582553
Instruction Fuzzy Hash: 5A416A75A01209EFDB24CF64D844FEA7BB5FF49350F148129F946A7360D778AA10CBA4

Function 00781EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00729CB3: _wcslen.LIBCMT ref: 00729CBD

Part of subcall function 00783CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00783CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00781F64
GetDlgCtrlID.USER32 ref: 00781F6F
GetParent.USER32 ref: 00781F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00781F8E
GetDlgCtrlID.USER32(?), ref: 00781F97
GetParent.USER32(?), ref: 00781FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00781FAE

Strings

ListBox, xrefs: 00781F21
ComboBox, xrefs: 00781EEC

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 803e703e8f449c3db9851f643a7584a3e80470227e9c624e0a50ff59c2b8b5de
Instruction ID: 51fd53e34d9d230efa793e7dc0bcc54147bacec62e9f66c5d471f6bd15fced5c
Opcode Fuzzy Hash: 803e703e8f449c3db9851f643a7584a3e80470227e9c624e0a50ff59c2b8b5de
Instruction Fuzzy Hash: 5321B374940118FBCF05AFA0DC49EEEBBB8AF09314F044155BA61672D1DB7C5905DB64

Function 00781FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00729CB3: _wcslen.LIBCMT ref: 00729CBD

Part of subcall function 00783CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00783CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00782043
GetDlgCtrlID.USER32 ref: 0078204E
GetParent.USER32 ref: 0078206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0078206D
GetDlgCtrlID.USER32(?), ref: 00782076
GetParent.USER32(?), ref: 0078208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0078208D

Strings

ListBox, xrefs: 00782002
ComboBox, xrefs: 00781FCD

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 8bd19c7573ebd6e5481ca98ec1c96d5cc50b17e02d2f3d0df0aeeef1a1bad6a9
Instruction ID: ff28828d6e32e2132c1c69e7f91e6ecef57f19df637ad352f03f86147cb343cc
Opcode Fuzzy Hash: 8bd19c7573ebd6e5481ca98ec1c96d5cc50b17e02d2f3d0df0aeeef1a1bad6a9
Instruction Fuzzy Hash: 782101B1D40218FBCF01BFA0DC89EEEBBB8EF08304F108056B951A31A2CA7D4905CB60

Function 007B3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 007B3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 007B3AA0
GetWindowLongW.USER32(?,000000F0), ref: 007B3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 007B3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 007B3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 007B3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 007B3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 007B3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 007B3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 007B3C13

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: c83e8f80e4d17892f3e604dc0f853260c54be5060168f47986c6f74956bac550
Instruction ID: 6a2e575dfcc5b177739557acef278f0f974829695d8de2aa08136a1c80e04996
Opcode Fuzzy Hash: c83e8f80e4d17892f3e604dc0f853260c54be5060168f47986c6f74956bac550
Instruction Fuzzy Hash: 83617A75900248EFDB10DFA8CC85FEE77B8EB09714F104199FA15A72A1C778AE85DB60

Function 0078B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0078B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0078A1E1,?,00000001), ref: 0078B165
GetWindowThreadProcessId.USER32(00000000), ref: 0078B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0078A1E1,?,00000001), ref: 0078B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0078B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0078A1E1,?,00000001), ref: 0078B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0078A1E1,?,00000001), ref: 0078B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0078A1E1,?,00000001), ref: 0078B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0078A1E1,?,00000001), ref: 0078B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0078A1E1,?,00000001), ref: 0078B21D

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 1727c230e202a32b53f0527d427fc6a56c4a036354d431cee084db40deb2fd20
Instruction ID: 76dc437e5c294199c0ebfbe3b3e937edff098675fca1c0393fd6b68ece378176
Opcode Fuzzy Hash: 1727c230e202a32b53f0527d427fc6a56c4a036354d431cee084db40deb2fd20
Instruction Fuzzy Hash: 0B3171B5980208BFDB11AF64DC49F7D7BAABB51315F10C116FA05DA190DBBCAA40CF68

Function 00752C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00752C94

Part of subcall function 007529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0075D7D1,00000000,00000000,00000000,00000000,?,0075D7F8,00000000,00000007,00000000,?,0075DBF5,00000000), ref: 007529DE
Part of subcall function 007529C8: GetLastError.KERNEL32(00000000,?,0075D7D1,00000000,00000000,00000000,00000000,?,0075D7F8,00000000,00000007,00000000,?,0075DBF5,00000000,00000000), ref: 007529F0

_free.LIBCMT ref: 00752CA0
_free.LIBCMT ref: 00752CAB
_free.LIBCMT ref: 00752CB6
_free.LIBCMT ref: 00752CC1
_free.LIBCMT ref: 00752CCC
_free.LIBCMT ref: 00752CD7
_free.LIBCMT ref: 00752CE2
_free.LIBCMT ref: 00752CED
_free.LIBCMT ref: 00752CFB

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a1b3dfc703f5f652365997941f5cce8c536b321c477286a7d9d93dfcf21475a2
Instruction ID: e5aee6e9c921b72c07c088c810b14150c61c11a65832d5168619c94e51f320d4
Opcode Fuzzy Hash: a1b3dfc703f5f652365997941f5cce8c536b321c477286a7d9d93dfcf21475a2
Instruction Fuzzy Hash: 9E11AF76100108EFCB02EF54D886CDD3BA5BF06351F9144A4FA48AB232DB75EA559B90

Function 00797DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00797FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00797FC1
GetFileAttributesW.KERNEL32(?), ref: 00797FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00798005
SetCurrentDirectoryW.KERNEL32(?), ref: 00798017
SetCurrentDirectoryW.KERNEL32(?), ref: 00798060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 007980B0

Strings

*.*, xrefs: 00798066

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 2a9749bafaa3d4943602a2b98adf224319229eb4f77ef4c93e72c6ccf5365ab7
Instruction ID: 1c3d0ae2e3abe1a288a9a5aaa658e3a623b439193199f95fdf8c1fc1f760c722
Opcode Fuzzy Hash: 2a9749bafaa3d4943602a2b98adf224319229eb4f77ef4c93e72c6ccf5365ab7
Instruction Fuzzy Hash: 4E819172518245DBCF28EF14D845AAEB3E8BF89310F58485EF885D7250EB38DD45CB92

Function 00725BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00725C7A

Part of subcall function 00725D0A: GetClientRect.USER32(?,?), ref: 00725D30
Part of subcall function 00725D0A: GetWindowRect.USER32(?,?), ref: 00725D71
Part of subcall function 00725D0A: ScreenToClient.USER32(?,?), ref: 00725D99

GetDC.USER32 ref: 007646F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00764708
SelectObject.GDI32(00000000,00000000), ref: 00764716
SelectObject.GDI32(00000000,00000000), ref: 0076472B
ReleaseDC.USER32(?,00000000), ref: 00764733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 007647C4

Strings

U, xrefs: 00764693

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 17c09dc52d8434eb14964c770349f639bbe596f71f7e0508885e47472c35b0f2
Instruction ID: 1f7dad4f0522ba4aec1e692f8977925250383fdd23d812f0e79e9e7027e680cd
Opcode Fuzzy Hash: 17c09dc52d8434eb14964c770349f639bbe596f71f7e0508885e47472c35b0f2
Instruction Fuzzy Hash: 5271E131400205DFCF21CF64C984AFA3BB6FF4A364F148269ED565A1A6D7399C81DF60

Function 0079359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007935E4

Part of subcall function 00729CB3: _wcslen.LIBCMT ref: 00729CBD

LoadStringW.USER32(007F2390,?,00000FFF,?), ref: 0079360A

Strings

Error: , xrefs: 007936EF
"%s" (%d) : ==> %s:%s%s, xrefs: 00793724
"%s" (%d) : ==> %s:, xrefs: 00793742
^ ERROR, xrefs: 007936C9
Line %d (File "%s"):, xrefs: 0079366B

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 212888266b241c6a96cbf2dae4ef8e782650cf402470d098b78f5ec7f1fb5257
Instruction ID: bd718e7f3b9bfc2c99c02765a21798afefe6bcc624c7712cd9b224ac55298390
Opcode Fuzzy Hash: 212888266b241c6a96cbf2dae4ef8e782650cf402470d098b78f5ec7f1fb5257
Instruction Fuzzy Hash: 08516EB1800259FADF15EBE0EC8AEEDBB74AF14340F184125F205720A2DB391B98DF61

Function 0079C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0079C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0079C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0079C2CA
GetLastError.KERNEL32 ref: 0079C322
SetEvent.KERNEL32(?), ref: 0079C336
InternetCloseHandle.WININET(00000000), ref: 0079C341

Strings

, xrefs: 0079C2BB

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 11ac72216aa7046e48b7dff52ee4e9c8b8e75b385c7f5924b125207748e2e17a
Instruction ID: 7ca3da7115d943ef4476bcbbb471c416cc6d829be2b24a85d047ebc5ed288e0d
Opcode Fuzzy Hash: 11ac72216aa7046e48b7dff52ee4e9c8b8e75b385c7f5924b125207748e2e17a
Instruction Fuzzy Hash: A4317CB1600208AFDF229F64AC88EAB7BFCEB49744F14851EF446D2200DB38DD049B66

Function 0078989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00763AAF,?,?,Bad directive syntax error,007BCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 007898BC
LoadStringW.USER32(00000000,?,00763AAF,?), ref: 007898C3

Part of subcall function 00729CB3: _wcslen.LIBCMT ref: 00729CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00789987

Strings

., xrefs: 0078996D
Line %d:, xrefs: 00789912
%s (%d) : ==> %s.: %s %s, xrefs: 007898F1
Error: , xrefs: 00789955
Line %d (File "%s"):, xrefs: 0078992D

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 8cc938f0b73ebc5277de5f596283e0aeb8b0e2d033394567dc3f2237739d9fcb
Instruction ID: 4244b63c9be1f225169f5a6c721048a0cea4fa5c47db67df716482dd29e63aa3
Opcode Fuzzy Hash: 8cc938f0b73ebc5277de5f596283e0aeb8b0e2d033394567dc3f2237739d9fcb
Instruction Fuzzy Hash: 4C218271C4025DEBDF12EF90DC0AEED7735BF18340F084425F615610A2DB79A618DB20

Function 0078209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 007820AB
GetClassNameW.USER32(00000000,?,00000100), ref: 007820C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0078214D

Strings

list, xrefs: 0078212F
largeicons, xrefs: 007820E1
details, xrefs: 007820FB
SHELLDLL_DefView, xrefs: 007820CC
smallicons, xrefs: 00782115

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 77df9ef017bc63558bdddb24340e6549ae2c4da542b5ce3639f0e1997a314e7f
Instruction ID: 1710872383be3d1b12360def64a39db7e4afbb3c39cebb74267148f7aade0297
Opcode Fuzzy Hash: 77df9ef017bc63558bdddb24340e6549ae2c4da542b5ce3639f0e1997a314e7f
Instruction Fuzzy Hash: 5F11A7B6AC470AFAF60176259C0EEA6379CDB09729B304116F704A51D2FAAD58425714

Function 0075CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0075CEB7
_free.LIBCMT ref: 0075CF22
_free.LIBCMT ref: 0075CF48
_free.LIBCMT ref: 0075CF71
_free.LIBCMT ref: 0075CFA9
_free.LIBCMT ref: 0075CFDA
_free.LIBCMT ref: 0075D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0075D09C
_free.LIBCMT ref: 0075D0B5

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 3e79dee993b28fb51388479743162ebdafe8355bfbc1ed580950f026cf8aa971
Instruction ID: aaa5c89a0f6c42d31aa2669ba978f0fb33a760c492dc4703498e9db3599f3665
Opcode Fuzzy Hash: 3e79dee993b28fb51388479743162ebdafe8355bfbc1ed580950f026cf8aa971
Instruction Fuzzy Hash: AE61F772A04304AFDB32AFB49845BED7BA5AF05312F04416DED44A72C2D7BD9D09C790

Function 007B50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 007B5186
ShowWindow.USER32(?,00000000), ref: 007B51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 007B51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 007B51D1

Part of subcall function 007B6FBA: DeleteObject.GDI32(00000000), ref: 007B6FE6

GetWindowLongW.USER32(?,000000F0), ref: 007B520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007B521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 007B524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 007B5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 007B5296

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 8916785aae84100497b0b013da880c32a467e6992bf3773c2902cc0aa33d79bd
Instruction ID: 1738c9c485b7607fe10417ce0df08eb5afcf96ef043af6f7dba92df4a8fa5f39
Opcode Fuzzy Hash: 8916785aae84100497b0b013da880c32a467e6992bf3773c2902cc0aa33d79bd
Instruction Fuzzy Hash: B5519B70A42A0CFFEF259F28DC4AFD83B65BB05321F148112F625962E1C7BDA980DB41

Function 00738B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00776890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 007768A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 007768B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 007768D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 007768F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00738874,00000000,00000000,00000000,000000FF,00000000), ref: 00776901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0077691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00738874,00000000,00000000,00000000,000000FF,00000000), ref: 0077692D

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 3a75bf5c8a36453edae5c80440bc1c5e31184c89cea737aef958f679b19dd2e2
Instruction ID: bcc7254d6a7e5c6eedefbd87d19c2c9c27660bedacf6441076ef161b1659cfbf
Opcode Fuzzy Hash: 3a75bf5c8a36453edae5c80440bc1c5e31184c89cea737aef958f679b19dd2e2
Instruction Fuzzy Hash: 4E516BB060070AEFEB20CF24CC55FAA7BB5EF48760F148518FA56972A0DB78E950DB50

Function 0079C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0079C182
GetLastError.KERNEL32 ref: 0079C195
SetEvent.KERNEL32(?), ref: 0079C1A9

Part of subcall function 0079C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0079C272
Part of subcall function 0079C253: GetLastError.KERNEL32 ref: 0079C322
Part of subcall function 0079C253: SetEvent.KERNEL32(?), ref: 0079C336
Part of subcall function 0079C253: InternetCloseHandle.WININET(00000000), ref: 0079C341

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 58c8c2fefe0d19242dfffb97260cf709defa9cd32081e14bd7ea5231fbb54849
Instruction ID: f59ebac94774305581382e10b08f5d0a85001172e356f89b44c67f5e50e602d4
Opcode Fuzzy Hash: 58c8c2fefe0d19242dfffb97260cf709defa9cd32081e14bd7ea5231fbb54849
Instruction Fuzzy Hash: DC318B71200705EFDF229FA5EC48AA6BBF9FF58300B14852DF95687610DB38E814DBA0

Function 007825A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00783A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00783A57
Part of subcall function 00783A3D: GetCurrentThreadId.KERNEL32 ref: 00783A5E
Part of subcall function 00783A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007825B3), ref: 00783A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 007825BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007825DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 007825DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 007825E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00782601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00782605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0078260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00782623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00782627

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: afb610a5c9adc95a2926714fa319c3552b4c7f197da74ad18783097966c5b322
Instruction ID: 1b2d567fd798b078e3c6fbe67abbc196d2c2efe3c43b054ebe4188e68808bf08
Opcode Fuzzy Hash: afb610a5c9adc95a2926714fa319c3552b4c7f197da74ad18783097966c5b322
Instruction Fuzzy Hash: 6901D4703D0218BBFB1077689C8EF593F59DB4EB12F108142F358AE0D1C9FA28458A6E

Function 00781803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00781449,?,?,00000000), ref: 0078180C
HeapAlloc.KERNEL32(00000000,?,00781449,?,?,00000000), ref: 00781813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00781449,?,?,00000000), ref: 00781828
GetCurrentProcess.KERNEL32(?,00000000,?,00781449,?,?,00000000), ref: 00781830
DuplicateHandle.KERNEL32(00000000,?,00781449,?,?,00000000), ref: 00781833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00781449,?,?,00000000), ref: 00781843
GetCurrentProcess.KERNEL32(00781449,00000000,?,00781449,?,?,00000000), ref: 0078184B
DuplicateHandle.KERNEL32(00000000,?,00781449,?,?,00000000), ref: 0078184E
CreateThread.KERNEL32(00000000,00000000,00781874,00000000,00000000,00000000), ref: 00781868

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: f25cf4c25217fb2455fab9c5d59c4a66e7a1f0da94ef715cbca7cd2dd5b76d42
Instruction ID: 444db369636bcb4f440d7d91ca61c97e792ff0c30c4d8f3dcd8c0af17166bc9b
Opcode Fuzzy Hash: f25cf4c25217fb2455fab9c5d59c4a66e7a1f0da94ef715cbca7cd2dd5b76d42
Instruction Fuzzy Hash: 2C01ACB524030CBFE611AFA5DC4AF573BACEB89B11F41C511FA05EB191C67498008B24

Function 00753E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00753F0B
__alldvrm.LIBCMT ref: 0075410C
__alldvrm.LIBCMT ref: 0075412E

Strings

}}t, xrefs: 00753E96, 00753EF1, 00753F0A, 00754090
}}t, xrefs: 007540CD
}}t, xrefs: 00753E8A

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}t$}}t$}}t
API String ID: 1036877536-86296138
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 0b20ee78428c7639822370cb9d455256695bedee26db96aaf42c1bcaec9b85ab
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 35A16B72E007869FE711CF18C8817EEBBE4EF61395F2841ADED459B281C2BC8989C750

Function 007AA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0078D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0078D501
Part of subcall function 0078D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0078D50F
Part of subcall function 0078D4DC: CloseHandle.KERNELBASE(00000000), ref: 0078D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 007AA16D
GetLastError.KERNEL32 ref: 007AA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 007AA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 007AA268
GetLastError.KERNEL32(00000000), ref: 007AA273
CloseHandle.KERNEL32(00000000), ref: 007AA2C4

Strings

SeDebugPrivilege, xrefs: 007AA18F

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 553690606925c80c46513ded22e9bb286eb6fe9490c048e8febefe076ea047c6
Instruction ID: 7f2d997d5d91a41dd767a9f00150da22114cd2b4c2e6b3a7deba528c5f292968
Opcode Fuzzy Hash: 553690606925c80c46513ded22e9bb286eb6fe9490c048e8febefe076ea047c6
Instruction Fuzzy Hash: 9361AF71204242AFD721DF18C498F1ABBE1AF95318F18C59CE4568B7A3C77AEC45CB92

Function 007B3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 007B3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 007B393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 007B3954
_wcslen.LIBCMT ref: 007B3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 007B39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 007B39F4

Strings

SysListView32, xrefs: 007B38F7

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 180acf57b25f244aa8f518c05cc6ac325330fc64409ddfea726983310df98324
Instruction ID: 4c46dec969999a4a7cd2478faa1671457bf2afecf9d97b73718d60da9a6dd654
Opcode Fuzzy Hash: 180acf57b25f244aa8f518c05cc6ac325330fc64409ddfea726983310df98324
Instruction Fuzzy Hash: 5141B771A00319EBEF219F64CC49FEA77A9EF08354F104566F958E7281D7B9AD80CB90

Function 0078BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0078BCFD
IsMenu.USER32(00000000), ref: 0078BD1D
CreatePopupMenu.USER32 ref: 0078BD53
GetMenuItemCount.USER32(015057E0), ref: 0078BDA4
InsertMenuItemW.USER32(015057E0,?,00000001,00000030), ref: 0078BDCC

Strings

0, xrefs: 0078BCA8
2, xrefs: 0078BD37

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 9f5ba5ecf993527b6aa3029c94c9e9c343235e8184627a6527471ac18822bc7c
Instruction ID: 77f4bd88fee6a8185eaa8cf90c9a02b7172198138dcbc2564b091dd3a633f487
Opcode Fuzzy Hash: 9f5ba5ecf993527b6aa3029c94c9e9c343235e8184627a6527471ac18822bc7c
Instruction Fuzzy Hash: 3A51D070B40205EBDF21EFA8D888BAEBBF4BF45324F248219E411D7291D778A945CB71

Function 00742D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00742D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00742D53
_ValidateLocalCookies.LIBCMT ref: 00742DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00742E0C
_ValidateLocalCookies.LIBCMT ref: 00742E61

Strings

&Ht, xrefs: 00742DFE, 00742E07, 00742E18
csm, xrefs: 00742DF6

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &Ht$csm
API String ID: 1170836740-1510349557
Opcode ID: b435ad77a395d11f0b4a149c7be0c280beaccd5c27294a9bbfffa0e7b581ec6c
Instruction ID: 8520967a8038174d6dfc3cd88d2f9c731ab929c932172edf729b90b5e652c50c
Opcode Fuzzy Hash: b435ad77a395d11f0b4a149c7be0c280beaccd5c27294a9bbfffa0e7b581ec6c
Instruction Fuzzy Hash: 67418334E00219EBCF14DF68C849A9EBBA5BF44324F548155F815AB253D7399A26CFD0

Function 0078C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0078C913

Strings

warning, xrefs: 0078C8FC
stop, xrefs: 0078C8E4
question, xrefs: 0078C8CC
blank, xrefs: 0078C895
info, xrefs: 0078C8B4

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: f1bce1b8ff60579d04f34bb9574d4f944de50256a007a7f85c3e024f05918a1b
Instruction ID: 275f59c14402f75787acc01a841c9de431d7ac4b45b9fbdee57815b336b50a50
Opcode Fuzzy Hash: f1bce1b8ff60579d04f34bb9574d4f944de50256a007a7f85c3e024f05918a1b
Instruction Fuzzy Hash: CE110D317C9746BEE7027B559C83DAA679CDF25364B20406BF500B6282E77C6E405379

Function 0078DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0078DE42
gethostname.WSOCK32(?,00000100), ref: 0078DE5C
gethostbyname.WSOCK32(?), ref: 0078DE69
inet_ntoa.WSOCK32(?), ref: 0078DEAB
_strcat.LIBCMT ref: 0078DEB9
WSACleanup.WSOCK32 ref: 0078DEDE

Strings

0.0.0.0, xrefs: 0078DE87

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 382e402ec9ebed0a00446f9a6e81e01e9ec14caaa816b16eec0bd814ba8baac4
Instruction ID: c61f43a55b8eea64ca71020d246f5ffba9f85f3219a12365f25dee700164f1e3
Opcode Fuzzy Hash: 382e402ec9ebed0a00446f9a6e81e01e9ec14caaa816b16eec0bd814ba8baac4
Instruction Fuzzy Hash: 2211E1B1944114ABDB31BB249C4EEEE77ACDB14710F0042A9F545AA091EF7C9E819B60

Function 007B9F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00739BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00739BB2

GetSystemMetrics.USER32(0000000F), ref: 007B9FC7
GetSystemMetrics.USER32(0000000F), ref: 007B9FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 007BA224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 007BA242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 007BA263
ShowWindow.USER32(00000003,00000000), ref: 007BA282
InvalidateRect.USER32(?,00000000,00000001), ref: 007BA2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 007BA2CA

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: ef83dad963a27d7819882bf6fa26a0e99f18f18e173cc2af3abe2b15a0c23b7f
Instruction ID: 37c2d730e4a44ae3c9883fff7f652b4f8be9c63a29d8d2c3fe4a219825a6a210
Opcode Fuzzy Hash: ef83dad963a27d7819882bf6fa26a0e99f18f18e173cc2af3abe2b15a0c23b7f
Instruction Fuzzy Hash: A8B1A931600219EFDF14DF68C989BEA3BB2BF88701F08C069ED459B295D739A940CB51

Function 0078ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0078ED2A
_wcslen.LIBCMT ref: 0078ED3B
_wcslen.LIBCMT ref: 0078ED79
_wcslen.LIBCMT ref: 0078EDAF
_wcslen.LIBCMT ref: 0078EDDF
_wcslen.LIBCMT ref: 0078EDEF
_wcslen.LIBCMT ref: 0078EE2B
_wcslen.LIBCMT ref: 0078EE5A

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 018785979d2dc84fde5ab56a04416fe4740a6c1ebd78a56df7f71e0a8463548a
Instruction ID: 571b2e75465c340810d79e8351570e15e728104464bfdd2c85634f543bbf47a1
Opcode Fuzzy Hash: 018785979d2dc84fde5ab56a04416fe4740a6c1ebd78a56df7f71e0a8463548a
Instruction Fuzzy Hash: 95419366C10218B5DB11FBF4888EACFB7A8AF45710F508562E514F3122FB38E655C3A6

Function 0073F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0077682C,00000004,00000000,00000000), ref: 0073F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0077682C,00000004,00000000,00000000), ref: 0077F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0077682C,00000004,00000000,00000000), ref: 0077F454

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 787731a7b0421b7a5ebdf590620dc5ce21a747edea14f759350c20f9ed6d9e3d
Instruction ID: 7e5c37f3bb2d3b3808e4c69d1477b63010db65524b133f3d221a44e14146b1b1
Opcode Fuzzy Hash: 787731a7b0421b7a5ebdf590620dc5ce21a747edea14f759350c20f9ed6d9e3d
Instruction Fuzzy Hash: 9141EB31904680FFEB359B298988B7A7B91AF563A4F14C53CE04BD6662C67DB880C711

Function 007B2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 007B2D1B
GetDC.USER32(00000000), ref: 007B2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007B2D2E
ReleaseDC.USER32(00000000,00000000), ref: 007B2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 007B2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 007B2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,007B5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 007B2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 007B2DE1

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 9fd22ca21511447f562bd1c05631854b15189a70388a5a46d48bb4d890d630ea
Instruction ID: 63ff16b98a27a6efd8284a251588f4b744320b0dc790b6a1e40ff34477ebd2ae
Opcode Fuzzy Hash: 9fd22ca21511447f562bd1c05631854b15189a70388a5a46d48bb4d890d630ea
Instruction Fuzzy Hash: 7A317C72201214BFEB158F54CC8AFEB3BADEF49715F048155FE089A291C6799C51CBB4

Function 00785622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00785637
_memcmp.LIBVCRUNTIME ref: 00785659
_memcmp.LIBVCRUNTIME ref: 00785671
_memcmp.LIBVCRUNTIME ref: 00785684
_memcmp.LIBVCRUNTIME ref: 0078569E
_memcmp.LIBVCRUNTIME ref: 007856B1
_memcmp.LIBVCRUNTIME ref: 007856C9
_memcmp.LIBVCRUNTIME ref: 007856E4

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: f13ac2a0b8fad4d0e4763e16a8f00779fd2859e5bd3dddfc881a08a602fcc419
Instruction ID: 59420ea1c0f3ea72afa94706da5c2025f2c87428eac55b5af9e54eb295dd8be9
Opcode Fuzzy Hash: f13ac2a0b8fad4d0e4763e16a8f00779fd2859e5bd3dddfc881a08a602fcc419
Instruction Fuzzy Hash: 3521C6B17D0A09BBD6147A208E86FFB335CAF21B94F844020FD049A681F72DED5183B9

Function 007A4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 007A5007
NULL Pointer assignment, xrefs: 007A502E, 007A5383

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 8dca6ef9b4c99b4f627f89f88c706d8e21aa2df6293b06f54280c1a1519a6aea
Instruction ID: 4ed23c5628f3587228b315e64c7416f7008e24e8c4114f3114c545e0bb5ae0a3
Opcode Fuzzy Hash: 8dca6ef9b4c99b4f627f89f88c706d8e21aa2df6293b06f54280c1a1519a6aea
Instruction Fuzzy Hash: 5ED1D571A0060A9FDF10CFA8C885FAEB7B5FF89344F148269E915AB281E774DD45CB90

Function 00761522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 007615CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00761651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 007616E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 007616FB

Part of subcall function 00753820: RtlAllocateHeap.NTDLL(00000000,?,007F1444,?,0073FDF5,?,?,0072A976,00000010,007F1440,007213FC,?,007213C6,?,00721129), ref: 00753852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00761777
__freea.LIBCMT ref: 007617A2
__freea.LIBCMT ref: 007617AE

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 2b4cc3fdd5dbd0286b0e41d1923f8d258b17bb688b2cebfa4848967705dd78ec
Instruction ID: 81f6125f09f286949c74203ab88e68fb6067ac912db1a60338c995ae543d079f
Opcode Fuzzy Hash: 2b4cc3fdd5dbd0286b0e41d1923f8d258b17bb688b2cebfa4848967705dd78ec
Instruction Fuzzy Hash: DB91A271E0021A9ADB218E74CC99AEEBBB5AF49310F9C4659EC03E7151DB3DDD44CBA0

Function 007A4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007A4648
VariantInit.OLEAUT32(?), ref: 007A4749
VariantClear.OLEAUT32(?), ref: 007A4753
VariantClear.OLEAUT32(?), ref: 007A47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 007A472C
Null Object assignment in FOR..IN loop, xrefs: 007A45D8, 007A4706, 007A47BE

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 1af7cba3807ce7fe30e422b2f9d83f98a991803aa0634a1dc550cd85c08e8868
Instruction ID: e58512cd4526bf6a018c6c117d8c4f55c443b3cf1b1a067a982e2f056e20b4d3
Opcode Fuzzy Hash: 1af7cba3807ce7fe30e422b2f9d83f98a991803aa0634a1dc550cd85c08e8868
Instruction Fuzzy Hash: 3291B371A00215EBDF24CFA5CC48FAE7BB8EFC6710F108259F505AB281D7B99941CBA0

Function 00791187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0079125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00791284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 007912A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007912D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0079135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007913C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00791430

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: f5fa7e7b777c37b7cc49730bc3e2ce8d70b3d279224257824126a5acce246865
Instruction ID: 48c32d7a6b02094bde78717c9d23b941c28cfe1b09463a6d5743364e6985da64
Opcode Fuzzy Hash: f5fa7e7b777c37b7cc49730bc3e2ce8d70b3d279224257824126a5acce246865
Instruction Fuzzy Hash: 5A91C175A0021AAFDF01DF94E889BBE77B5FF45325F508029E900EB291D77CA951CB90

Function 0073948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 6b4d6fa4ce1ded5a2d2bcdd09feaf323784cc2152745e226a33726d83a867006
Instruction ID: cda3f06f8a79ba974b10cdae8f16f46841bc2ccdf9f30e3a0ee981f282effe2f
Opcode Fuzzy Hash: 6b4d6fa4ce1ded5a2d2bcdd09feaf323784cc2152745e226a33726d83a867006
Instruction Fuzzy Hash: 93914971D00219EFDB15CFA9CC88AEEBBB8FF48320F148155E515B7292D378A991CB60

Function 007A3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007A396B
CharUpperBuffW.USER32(?,?), ref: 007A3A7A
_wcslen.LIBCMT ref: 007A3A8A
VariantClear.OLEAUT32(?), ref: 007A3C1F

Part of subcall function 00790CDF: VariantInit.OLEAUT32(00000000), ref: 00790D1F
Part of subcall function 00790CDF: VariantCopy.OLEAUT32(?,?), ref: 00790D28
Part of subcall function 00790CDF: VariantClear.OLEAUT32(?), ref: 00790D34

Strings

AUTOIT.ERROR, xrefs: 007A3A80, 007A3A85
Incorrect Parameter format, xrefs: 007A39A6, 007A3BA1

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 9d2fcee85345da94d3e8502b6a142fa017c36a5f12951e780ec91dca5ea2e72f
Instruction ID: c96623a931e033c13835b18f27b7a5466119019b5e09280d084aadf4b1a5cb17
Opcode Fuzzy Hash: 9d2fcee85345da94d3e8502b6a142fa017c36a5f12951e780ec91dca5ea2e72f
Instruction Fuzzy Hash: AC915574A08345DFC704EF24C48496AB7E5BF89314F148A2DF88A9B351DB38EE05CB92

Function 007A4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0078000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0077FF41,80070057,?,?,?,0078035E), ref: 0078002B
Part of subcall function 0078000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0077FF41,80070057,?,?), ref: 00780046
Part of subcall function 0078000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0077FF41,80070057,?,?), ref: 00780054
Part of subcall function 0078000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0077FF41,80070057,?), ref: 00780064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 007A4C51
_wcslen.LIBCMT ref: 007A4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 007A4DCF
CoTaskMemFree.OLE32(?), ref: 007A4DDA

Strings

NULL Pointer assignment, xrefs: 007A4E23, 007A4E52

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: a5588060f6081f1993898fc73178940c5f32158e12ed8d93f7daae4ebd54665d
Instruction ID: 59537cfa370cd70910058b4b26ae49ec779ab7c7af7dfbc49cfa931d901f1d0d
Opcode Fuzzy Hash: a5588060f6081f1993898fc73178940c5f32158e12ed8d93f7daae4ebd54665d
Instruction Fuzzy Hash: 67913971D0022DEFDF14DFA4D884AEEB7B8BF49310F108269E915A7241DB795A44CFA0

Function 007B20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 007B2183
GetMenuItemCount.USER32(00000000), ref: 007B21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 007B21DD
_wcslen.LIBCMT ref: 007B2213
GetMenuItemID.USER32(?,?), ref: 007B224D
GetSubMenu.USER32(?,?), ref: 007B225B

Part of subcall function 00783A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00783A57
Part of subcall function 00783A3D: GetCurrentThreadId.KERNEL32 ref: 00783A5E
Part of subcall function 00783A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007825B3), ref: 00783A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007B22E3

Part of subcall function 0078E97B: Sleep.KERNEL32 ref: 0078E9F3

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: b0069b98a74c206d931a8fa755548a686345a2db4d181aba767dcb5ab2934307
Instruction ID: 2aafed275a45d65c6b27eb73b98222cb64bf5ca7adc66224aed34974c08c399e
Opcode Fuzzy Hash: b0069b98a74c206d931a8fa755548a686345a2db4d181aba767dcb5ab2934307
Instruction Fuzzy Hash: AB714C75A00219EFCB15EF68C845BEEB7F5BF48310F158459E816EB352DB38AD428B90

Function 007B7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01505880), ref: 007B7F37
IsWindowEnabled.USER32(01505880), ref: 007B7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 007B801E
SendMessageW.USER32(01505880,000000B0,?,?), ref: 007B8051
IsDlgButtonChecked.USER32(?,?), ref: 007B8089
GetWindowLongW.USER32(01505880,000000EC), ref: 007B80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 007B80C3

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: c08524028c94720b20de3ab823e48027e389d8f14d4f3d2c65c12dc7fb1ca0fa
Instruction ID: 8defdec4fcd6360440e0220c67cb78085a344b3d00c2c5b11a21f293161136a8
Opcode Fuzzy Hash: c08524028c94720b20de3ab823e48027e389d8f14d4f3d2c65c12dc7fb1ca0fa
Instruction Fuzzy Hash: 7E71B034609204EFEB29DF54CC94FFABBB9EF49340F144499F945972A1CB39A846CB14

Function 0078AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0078AEF9
GetKeyboardState.USER32(?), ref: 0078AF0E
SetKeyboardState.USER32(?), ref: 0078AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0078AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0078AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0078AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0078B020

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: e9b133c763a1a9d0613380ca62e75a777083e42f56f60d811e6742e0420b6d63
Instruction ID: 6c38018d61786a148ecff2977c8ef4a87ce658d81615273a840021583bdb9a8c
Opcode Fuzzy Hash: e9b133c763a1a9d0613380ca62e75a777083e42f56f60d811e6742e0420b6d63
Instruction Fuzzy Hash: 6151F4A06847D53DFB3762348C49BBABEE95B06304F08858AE2D9954C2D3DCECD4D751

Function 0078ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0078AD19
GetKeyboardState.USER32(?), ref: 0078AD2E
SetKeyboardState.USER32(?), ref: 0078AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0078ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0078ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0078AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0078AE38

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 9098567c04c3bf6a27a18e879dd233bceabe55c92f2e3e6b8ffb590939ed35c8
Instruction ID: 81d1e9c31193449cc3bad31743ea78325b013885ae3a934f910ecc42d792ee2f
Opcode Fuzzy Hash: 9098567c04c3bf6a27a18e879dd233bceabe55c92f2e3e6b8ffb590939ed35c8
Instruction Fuzzy Hash: 5751F9A16847D53DFB37A3348C56B7ABE986B45301F08898AE1D5868C3D39CEC84D762

Function 0075542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00763CD6,?,?,?,?,?,?,?,?,00755BA3,?,?,00763CD6,?,?), ref: 00755470
__fassign.LIBCMT ref: 007554EB
__fassign.LIBCMT ref: 00755506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00763CD6,00000005,00000000,00000000), ref: 0075552C
WriteFile.KERNEL32(?,00763CD6,00000000,00755BA3,00000000,?,?,?,?,?,?,?,?,?,00755BA3,?), ref: 0075554B
WriteFile.KERNEL32(?,?,00000001,00755BA3,00000000,?,?,?,?,?,?,?,?,?,00755BA3,?), ref: 00755584

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 9c600777bf0be978f425cef61f8ee0ac3afeaca624b1d442ea5a9bcf592e3c01
Instruction ID: 5928705cd9eda42ea91fe13c173679e5d9e46dae4ee6ab206ee41f8a217e0748
Opcode Fuzzy Hash: 9c600777bf0be978f425cef61f8ee0ac3afeaca624b1d442ea5a9bcf592e3c01
Instruction Fuzzy Hash: F05117B09006489FCB10CFA8D855AEEBBF6EF08301F14411AF945E3291E7749A55CB60

Function 007A10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007A304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 007A307A
Part of subcall function 007A304E: _wcslen.LIBCMT ref: 007A309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 007A1112
WSAGetLastError.WSOCK32 ref: 007A1121
WSAGetLastError.WSOCK32 ref: 007A11C9
closesocket.WSOCK32(00000000), ref: 007A11F9

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 5b8a6673c6a66f588a3968d7de3c453e2ff47facd7c8e8d3b5b2424373af58e4
Instruction ID: fe31dd9cf1fd5373e017f0a13c10afd7367773765b8707dc5d4d0c060a07b797
Opcode Fuzzy Hash: 5b8a6673c6a66f588a3968d7de3c453e2ff47facd7c8e8d3b5b2424373af58e4
Instruction Fuzzy Hash: CE412531200218AFEB119F14C888BAAB7E9EF86324F14C259FD059B291D778ED41CBE1

Function 0078CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0078DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0078CF22,?), ref: 0078DDFD

Part of subcall function 0078DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0078CF22,?), ref: 0078DE16

lstrcmpiW.KERNEL32(?,?), ref: 0078CF45
MoveFileW.KERNEL32(?,?), ref: 0078CF7F
_wcslen.LIBCMT ref: 0078D005
_wcslen.LIBCMT ref: 0078D01B
SHFileOperationW.SHELL32(?), ref: 0078D061

Strings

\*.*, xrefs: 0078CFF3

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 79549c03d92698338081e1a72f394aa4375c7adba3bb0381937c1d43f92136ab
Instruction ID: 099215e34638f7141786c5868e12c02cabc87e7eea6892bc13cf71609aa75838
Opcode Fuzzy Hash: 79549c03d92698338081e1a72f394aa4375c7adba3bb0381937c1d43f92136ab
Instruction Fuzzy Hash: 1F4137729452189FDF13FBA4D985EDEB7B9AF08340F1440E6E605EB141EB38AA44CF60

Function 007B2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 007B2E1C
GetWindowLongW.USER32(?,000000F0), ref: 007B2E4F
GetWindowLongW.USER32(?,000000F0), ref: 007B2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 007B2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 007B2EE0
GetWindowLongW.USER32(?,000000F0), ref: 007B2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007B2F0B

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: fd4891c85bd576f11b651be26609e207249e66fc1ecb0f8d0609ff8f7923a696
Instruction ID: cf8fe9bb766b8d622de2d97ff344467a4366ae5d97d09813d9a79dea9a1922c2
Opcode Fuzzy Hash: fd4891c85bd576f11b651be26609e207249e66fc1ecb0f8d0609ff8f7923a696
Instruction Fuzzy Hash: 5F31F430606190EFDB22CF59DC88FA537E5EB5A710F1581A4F900CB2B2CBB9E841DB55

Function 00787726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00787769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0078778F
SysAllocString.OLEAUT32(00000000), ref: 00787792
SysAllocString.OLEAUT32(?), ref: 007877B0
SysFreeString.OLEAUT32(?), ref: 007877B9
StringFromGUID2.OLE32(?,?,00000028), ref: 007877DE
SysAllocString.OLEAUT32(?), ref: 007877EC

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 3247bd53da60ec2e19d59dd41cabfed9c6c25b8bb670fe7a3e770a8f7aa7b240
Instruction ID: 73947a9645392c096769afb95705e67de38fdfbb161256064a47e535fb3d885c
Opcode Fuzzy Hash: 3247bd53da60ec2e19d59dd41cabfed9c6c25b8bb670fe7a3e770a8f7aa7b240
Instruction Fuzzy Hash: AD210376608209AFDF00EFA8CC88DBB77ACEB08364B10C125FA06DB250D678DD41C764

Function 007877FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00787842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00787868
SysAllocString.OLEAUT32(00000000), ref: 0078786B
SysAllocString.OLEAUT32 ref: 0078788C
SysFreeString.OLEAUT32 ref: 00787895
StringFromGUID2.OLE32(?,?,00000028), ref: 007878AF
SysAllocString.OLEAUT32(?), ref: 007878BD

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 1ff4dc50e90a24756f50773f3fae69ea0475657a63fb89e183d9830a766b8b51
Instruction ID: 0907d0e63c5118ba457fbee59bec894a83069a572c60b5dc7210c47b20bf48af
Opcode Fuzzy Hash: 1ff4dc50e90a24756f50773f3fae69ea0475657a63fb89e183d9830a766b8b51
Instruction Fuzzy Hash: 51217471648204AFDB14AFA8DC8CDAA77ECEB09760720C125F915CB2A1DA78DD41CB74

Function 007904D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 007904F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0079052E

Strings

nul, xrefs: 00790567

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: e9c81b1d10bbd9b5f11fa8a414b654f0abda017f2c18073d46cfcb480557a732
Instruction ID: 15bababe178df5ab0c7813babfb41d344cc8e46e18db72475c1ad4c4b0140776
Opcode Fuzzy Hash: e9c81b1d10bbd9b5f11fa8a414b654f0abda017f2c18073d46cfcb480557a732
Instruction Fuzzy Hash: F8218071510305AFDF209F29EC08E9A77B8BF44724F618A29F8A1D72E0D7749960CFA0

Function 007905A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 007905C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00790601

Strings

nul, xrefs: 00790639

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 2af71c4cfb5090fdf6bb524e756541f145176be8d031dffbeaba912f2857be0a
Instruction ID: 44129fb7c13cdbcf9ad0d7eff8d66ccb623264f3c3c4bb1ad14fa8f83c19a34e
Opcode Fuzzy Hash: 2af71c4cfb5090fdf6bb524e756541f145176be8d031dffbeaba912f2857be0a
Instruction Fuzzy Hash: C92181755103059FDF209F69AC08E9A77E8BF95720F204B19F8A1E72E0D7749960CBA4

Function 007B40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0072600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0072604C
Part of subcall function 0072600E: GetStockObject.GDI32(00000011), ref: 00726060
Part of subcall function 0072600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0072606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 007B4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 007B411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 007B412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 007B4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 007B4145

Strings

Msctls_Progress32, xrefs: 007B40E3

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 2362430c1cca439768a530c5a4284f2fbff27d597b6dd47f20408378d1c52be9
Instruction ID: 24f8b63a49e8956172b17104e294e16487086cf33fbb55289ce78666a1596151
Opcode Fuzzy Hash: 2362430c1cca439768a530c5a4284f2fbff27d597b6dd47f20408378d1c52be9
Instruction Fuzzy Hash: 1611B2B215021DBEEF119F68CC85EE77F9DEF08798F008111BA18A2050C6769C21DBA4

Function 0075D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0075D7A3: _free.LIBCMT ref: 0075D7CC

_free.LIBCMT ref: 0075D82D

Part of subcall function 007529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0075D7D1,00000000,00000000,00000000,00000000,?,0075D7F8,00000000,00000007,00000000,?,0075DBF5,00000000), ref: 007529DE
Part of subcall function 007529C8: GetLastError.KERNEL32(00000000,?,0075D7D1,00000000,00000000,00000000,00000000,?,0075D7F8,00000000,00000007,00000000,?,0075DBF5,00000000,00000000), ref: 007529F0

_free.LIBCMT ref: 0075D838
_free.LIBCMT ref: 0075D843
_free.LIBCMT ref: 0075D897
_free.LIBCMT ref: 0075D8A2
_free.LIBCMT ref: 0075D8AD
_free.LIBCMT ref: 0075D8B8

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 183e0d6d6c11e5c6a56bb4a11d40991b08678e97d8e7e3f172385b9369051ac2
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: C011E271541704EAD531BFB0CC4BFCB7BDCAF05702F404C15BA99B65A3DBA9B9094A50

Function 0078DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0078DA74
LoadStringW.USER32(00000000), ref: 0078DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0078DA91
LoadStringW.USER32(00000000), ref: 0078DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0078DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0078DAB9

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 7e8dd8be26bd5a33c1ba5fbc7e12da3646047985156042900f7abf9034a56dd0
Instruction ID: 888be6492a21c1eb0219b74eb910c487caeb95389d0f039eabdf39f3550f0d30
Opcode Fuzzy Hash: 7e8dd8be26bd5a33c1ba5fbc7e12da3646047985156042900f7abf9034a56dd0
Instruction Fuzzy Hash: 5E0162F29402087FE712ABA49D89FE7376CE708705F408591B706E2081EA789E844F79

Function 0079096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(014FE210,014FE210), ref: 0079097B
EnterCriticalSection.KERNEL32(014FE1F0,00000000), ref: 0079098D
TerminateThread.KERNEL32(?,000001F6), ref: 0079099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 007909A9
CloseHandle.KERNEL32(?), ref: 007909B8
InterlockedExchange.KERNEL32(014FE210,000001F6), ref: 007909C8
LeaveCriticalSection.KERNEL32(014FE1F0), ref: 007909CF

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 9df1c3246016dc72cee38fdc1ba1632a6121d34a6f47223a7008b68f55bad408
Instruction ID: d4896579bb45cce2ff879ff5df65bd01129de3b9557b4674531d960e443b818a
Opcode Fuzzy Hash: 9df1c3246016dc72cee38fdc1ba1632a6121d34a6f47223a7008b68f55bad408
Instruction Fuzzy Hash: A9F03131442512BFDB465F94EE8DFD67B35FF01712F409126F101908A0C778A865CF94

Function 00725D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00725D30
GetWindowRect.USER32(?,?), ref: 00725D71
ScreenToClient.USER32(?,?), ref: 00725D99
GetClientRect.USER32(?,?), ref: 00725ED7
GetWindowRect.USER32(?,?), ref: 00725EF8

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 91031e587ec9514480d3ffd52336ecebb4adc12bf8b95496b44d81b53e850617
Instruction ID: fe0414c999cdfb3a7a5f899c6ab5c5b55b97dd8960509526ba6fccb8309edff9
Opcode Fuzzy Hash: 91031e587ec9514480d3ffd52336ecebb4adc12bf8b95496b44d81b53e850617
Instruction Fuzzy Hash: F1B16834A00B5ADBDB14CFA9C4807EEB7F1FF58310F14851AE8AAD7250DB38AA51DB54

Function 007501B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 007500BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007500D6
__allrem.LIBCMT ref: 007500ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0075010B
__allrem.LIBCMT ref: 00750122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00750140

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: a4b87c9d8fcd12ef7a3177351bda77a7b6836b3de99fdc443e1446303e4d0861
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 86810872A00B06DBE7209F28CC45BAF73E8AF45325F24453AF911D66C1E7F8D9088B91

Function 007A1D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007A3149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,007A101C,00000000,?,?,00000000), ref: 007A3195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 007A1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 007A1DE1
WSAGetLastError.WSOCK32 ref: 007A1DF2
inet_ntoa.WSOCK32(?), ref: 007A1E8C
htons.WSOCK32(?,?,?,?,?), ref: 007A1EDB
_strlen.LIBCMT ref: 007A1F35

Part of subcall function 007839E8: _strlen.LIBCMT ref: 007839F2

Part of subcall function 00726D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,0073CF58,?,?,?), ref: 00726DBA
Part of subcall function 00726D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,0073CF58,?,?,?), ref: 00726DED

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: e57991fc7cbe14ec42c95d31208726ffc8872fd3ccd794452659f5d92f9e01f1
Instruction ID: 8e0167df5d07882bccde716239b5e7afd2d6ca76f376a3230e2bef234762cd5e
Opcode Fuzzy Hash: e57991fc7cbe14ec42c95d31208726ffc8872fd3ccd794452659f5d92f9e01f1
Instruction Fuzzy Hash: BEA1C031604350AFE314DF24C899F2A77E5AFC5318F948A4CF4565B2A2CB39ED46CB91

Function 007561FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,007482D9,007482D9,?,?,?,0075644F,00000001,00000001,8BE85006), ref: 00756258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0075644F,00000001,00000001,8BE85006,?,?,?), ref: 007562DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 007563D8
__freea.LIBCMT ref: 007563E5

Part of subcall function 00753820: RtlAllocateHeap.NTDLL(00000000,?,007F1444,?,0073FDF5,?,?,0072A976,00000010,007F1440,007213FC,?,007213C6,?,00721129), ref: 00753852

__freea.LIBCMT ref: 007563EE
__freea.LIBCMT ref: 00756413

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 9568bd59f708cc5476cc93b9c5b19a5d27763eed3ac33116d5f12e814746283e
Instruction ID: 9b090226b57922ecab1b486c67c8d7311d2dc51461755347aaa2e97588dd95bb
Opcode Fuzzy Hash: 9568bd59f708cc5476cc93b9c5b19a5d27763eed3ac33116d5f12e814746283e
Instruction Fuzzy Hash: 3451E072A00216ABEB258F64CC85EFF77AAEB44752F544629FC05D7150EBBCDC48C6A0

Function 007ABBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00729CB3: _wcslen.LIBCMT ref: 00729CBD

Part of subcall function 007AC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007AB6AE,?,?), ref: 007AC9B5
Part of subcall function 007AC998: _wcslen.LIBCMT ref: 007AC9F1
Part of subcall function 007AC998: _wcslen.LIBCMT ref: 007ACA68
Part of subcall function 007AC998: _wcslen.LIBCMT ref: 007ACA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007ABCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007ABD25
RegCloseKey.ADVAPI32(00000000), ref: 007ABD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 007ABD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 007ABDF3
RegCloseKey.ADVAPI32(?), ref: 007ABDFF

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: b8286b8894672287c0411b146ff957cd2f8eb6b59083f717c9177c861bfcc685
Instruction ID: 2a3a003dbe0f27376ef71a25d76f79e87e57a442315d39358fbf65ea6ca278b6
Opcode Fuzzy Hash: b8286b8894672287c0411b146ff957cd2f8eb6b59083f717c9177c861bfcc685
Instruction Fuzzy Hash: 4F81B230208241EFD714DF24C895E2ABBE5FF85308F148A5CF5994B2A2DB39ED45CB92

Function 0077F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0077F7B9
SysAllocString.OLEAUT32(00000001), ref: 0077F860
VariantCopy.OLEAUT32(0077FA64,00000000), ref: 0077F889
VariantClear.OLEAUT32(0077FA64), ref: 0077F8AD
VariantCopy.OLEAUT32(0077FA64,00000000), ref: 0077F8B1
VariantClear.OLEAUT32(?), ref: 0077F8BB

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: e09dc7f8b8bf374a3add506ce9fcc0080b3c9f94724c181dd2e3516f38888b14
Instruction ID: 2881f656ba3099c8aa461d24695683d14b38252184f599485173581e13f9ce11
Opcode Fuzzy Hash: e09dc7f8b8bf374a3add506ce9fcc0080b3c9f94724c181dd2e3516f38888b14
Instruction Fuzzy Hash: F7511931600310FACF10AB65D999B69B3A4EF45350F24C467F909EF292DB7C9C40CB66

Function 0079910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00727620: _wcslen.LIBCMT ref: 00727625

Part of subcall function 00726B57: _wcslen.LIBCMT ref: 00726B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 007994E5
_wcslen.LIBCMT ref: 00799506
_wcslen.LIBCMT ref: 0079952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00799585

Strings

X, xrefs: 00799412

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: fb00e2dd7d55c3548befd628ebb4df65459dca8a58752229e3e20a85de0da260
Instruction ID: 2aaea082ca2d582e15f161dc5bf554b611279ab41bfff83bc39d78ed044f313d
Opcode Fuzzy Hash: fb00e2dd7d55c3548befd628ebb4df65459dca8a58752229e3e20a85de0da260
Instruction Fuzzy Hash: 00E1C331508350DFDB24DF29D885B6AB7E4BF84310F04896DF9899B2A2DB39DD05CB92

Function 0073920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00739BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00739BB2

BeginPaint.USER32(?,?,?), ref: 00739241
GetWindowRect.USER32(?,?), ref: 007392A5
ScreenToClient.USER32(?,?), ref: 007392C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 007392D3
EndPaint.USER32(?,?,?,?,?), ref: 00739321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 007771EA

Part of subcall function 00739339: BeginPath.GDI32(00000000), ref: 00739357

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 44da590761ac95d03450f9d1397f93f6e3b763ca72dd77be30fe65f3ce253a01
Instruction ID: c6943f57b7d1019aa3466acea7e850fcba41cc7e85c5895fd1f62aaee689b715
Opcode Fuzzy Hash: 44da590761ac95d03450f9d1397f93f6e3b763ca72dd77be30fe65f3ce253a01
Instruction Fuzzy Hash: 9B41B070104300EFE711DF24CC84FBA7BA8EB85364F148269FA95972A2C7B9A845DB61

Function 007907EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0079080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00790847
EnterCriticalSection.KERNEL32(?), ref: 00790863
LeaveCriticalSection.KERNEL32(?), ref: 007908DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 007908F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00790921

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: c2c62d791ef7049759bd1c61ca38441e2dd881dfe8597a5a4b5e7f4357de8e4e
Instruction ID: a4ca0d265851bb6deea0882997f7c560a857ce80d70e86546f180d20f2c1ba2b
Opcode Fuzzy Hash: c2c62d791ef7049759bd1c61ca38441e2dd881dfe8597a5a4b5e7f4357de8e4e
Instruction Fuzzy Hash: 88415C71A00205EFEF15AF54DC85AAA7778FF04310F1480A9ED04AE297D738EE65DBA4

Function 007B81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0077F3AB,00000000,?,?,00000000,?,0077682C,00000004,00000000,00000000), ref: 007B824C
EnableWindow.USER32(?,00000000), ref: 007B8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 007B82D1
ShowWindow.USER32(?,00000004), ref: 007B82E5
EnableWindow.USER32(?,00000001), ref: 007B830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 007B832F

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 007784d0136285919b846fcd0429ef58505a15ea33c151fb54c4bc9aff0fc0a9
Instruction ID: 7ac4e797b56725ef87ddd96524989e5f0aabec1fcc351346e24c26e331f5431f
Opcode Fuzzy Hash: 007784d0136285919b846fcd0429ef58505a15ea33c151fb54c4bc9aff0fc0a9
Instruction Fuzzy Hash: EA41B834601644EFDB52CF15C899FE87BE4FB0A714F1882A9E5088F272CB79AC41CB55

Function 00784C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00784C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00784CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00784CEA
_wcslen.LIBCMT ref: 00784D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00784D10
_wcsstr.LIBVCRUNTIME ref: 00784D1A

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 9a3b89220309d246287d03f3ab629999588090b3f209177d0c900f6317375ed3
Instruction ID: 20fd3fe6d3550596751da48c1c0eb75016f0c89ecca7ab2925c19e0e697a09e2
Opcode Fuzzy Hash: 9a3b89220309d246287d03f3ab629999588090b3f209177d0c900f6317375ed3
Instruction Fuzzy Hash: A2212932644201BBEB166B39DC09E7B7B9CDF45754F108069F905CA192EAA9DC0193B0

Function 0079581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00723AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00723A97,?,?,00722E7F,?,?,?,00000000), ref: 00723AC2

_wcslen.LIBCMT ref: 0079587B
CoInitialize.OLE32(00000000), ref: 00795995
CoCreateInstance.OLE32(007BFCF8,00000000,00000001,007BFB68,?), ref: 007959AE
CoUninitialize.OLE32 ref: 007959CC

Strings

.lnk, xrefs: 00795876, 007958C1, 00795985

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 15171f2d431b727ed5bdc791022d9799b45508269fffa32fd2d201f01991d4ac
Instruction ID: 81471ffa5075d6d874251366716aab0e5b6a12cf3833c9078c79c72db2a67f0e
Opcode Fuzzy Hash: 15171f2d431b727ed5bdc791022d9799b45508269fffa32fd2d201f01991d4ac
Instruction Fuzzy Hash: DDD173B1604620DFCB15DF25D484A2ABBE1FF89720F14885DF8899B361DB39EC45CB92

Function 0078175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00780FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00780FCA
Part of subcall function 00780FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00780FD6
Part of subcall function 00780FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00780FE5
Part of subcall function 00780FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00780FEC
Part of subcall function 00780FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00781002

GetLengthSid.ADVAPI32(?,00000000,00781335), ref: 007817AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 007817BA
HeapAlloc.KERNEL32(00000000), ref: 007817C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 007817DA
GetProcessHeap.KERNEL32(00000000,00000000,00781335), ref: 007817EE
HeapFree.KERNEL32(00000000), ref: 007817F5

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 9196e360a7695af65339a792e66b6d39b4852b437eb7160c4e821aa24e1c2c72
Instruction ID: 1a5be5933ff4b3c0742fe2ab2815bf70e47e6bdeca9dca196322bba651177801
Opcode Fuzzy Hash: 9196e360a7695af65339a792e66b6d39b4852b437eb7160c4e821aa24e1c2c72
Instruction Fuzzy Hash: 1711A9B2640209EFDB11AFA8DC49FAE7BADEB41355F50C11DF481A7210D73AA945CB60

Function 007814CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 007814FF
OpenProcessToken.ADVAPI32(00000000), ref: 00781506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00781515
CloseHandle.KERNEL32(00000004), ref: 00781520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0078154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00781563

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: e55d5282b5c09af1aa007a5f52305276489d5b1c99a5f9ebd50976dbde54b37b
Instruction ID: f4cd126bd816a4907c9defea32d11b7f694c44f8bfa53dce9a908ff25e678575
Opcode Fuzzy Hash: e55d5282b5c09af1aa007a5f52305276489d5b1c99a5f9ebd50976dbde54b37b
Instruction Fuzzy Hash: D5115672504249ABDF129FA8ED49FDE7BADEF48704F048124FA05A2060C3798E61DB60

Function 00743382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00743379,00742FE5), ref: 00743390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0074339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007433B7
SetLastError.KERNEL32(00000000,?,00743379,00742FE5), ref: 00743409

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: d16a2bd43bbd73c41b6954daca9e304e53777d87f48360d1bf6e001852aeac3e
Instruction ID: d81751c2584d564d701fba8f48fefcb59910d1fbd79ea62212922639a49a7961
Opcode Fuzzy Hash: d16a2bd43bbd73c41b6954daca9e304e53777d87f48360d1bf6e001852aeac3e
Instruction Fuzzy Hash: 2C01FC33609312FFA61A2B747CC9A772A94EB097797208329F428891F1EF1D4E025548

Function 00752D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00755686,00763CD6,?,00000000,?,00755B6A,?,?,?,?,?,0074E6D1,?,007E8A48), ref: 00752D78
_free.LIBCMT ref: 00752DAB
_free.LIBCMT ref: 00752DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0074E6D1,?,007E8A48,00000010,00724F4A,?,?,00000000,00763CD6), ref: 00752DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0074E6D1,?,007E8A48,00000010,00724F4A,?,?,00000000,00763CD6), ref: 00752DEC
_abort.LIBCMT ref: 00752DF2

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: ea7236557e8775262b25e6f629dfd078299e7be50d189b6c8efa3f8b9213008e
Instruction ID: 5ef367ab7b7532920c7a8582a4dc0ba4a81523e97574272f44f1c46cc51710a8
Opcode Fuzzy Hash: ea7236557e8775262b25e6f629dfd078299e7be50d189b6c8efa3f8b9213008e
Instruction Fuzzy Hash: 69F0A936605B00B7C25327346C0EEDA26656BC37A3F24851DFC24A72A3EFEC980F4161

Function 007B8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00739639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00739693
Part of subcall function 00739639: SelectObject.GDI32(?,00000000), ref: 007396A2
Part of subcall function 00739639: BeginPath.GDI32(?), ref: 007396B9
Part of subcall function 00739639: SelectObject.GDI32(?,00000000), ref: 007396E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 007B8A4E
LineTo.GDI32(?,00000003,00000000), ref: 007B8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 007B8A70
LineTo.GDI32(?,00000000,00000003), ref: 007B8A80
EndPath.GDI32(?), ref: 007B8A90
StrokePath.GDI32(?), ref: 007B8AA0

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 5568e602bc7fa9c1b12aae38d3e34f2029636b97aa321552339b30b9593ed261
Instruction ID: 209225c18783b75852587a51690f04bae72d54e6c35a90a5bc1a66a5dcbf3e24
Opcode Fuzzy Hash: 5568e602bc7fa9c1b12aae38d3e34f2029636b97aa321552339b30b9593ed261
Instruction Fuzzy Hash: 6811F37640014DFFEB129F94DC88FAA7F6CEB08350F00C122FA199A1A1C776AD55DBA4

Function 007851FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00785218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00785229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00785230
ReleaseDC.USER32(00000000,00000000), ref: 00785238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0078524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00785261

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 202bc9d54030c9c658359f10a268b2dc3570f2608e10a20d37d84b781c615e9f
Instruction ID: 9e842426126638b8b425a961582dd0ae88a8e4dd229c24e6d4c3bef1d67effff
Opcode Fuzzy Hash: 202bc9d54030c9c658359f10a268b2dc3570f2608e10a20d37d84b781c615e9f
Instruction Fuzzy Hash: BA0184B5E40708BBEB116BA99C49F4EBFB8FB44351F048165FA04A7280DA749800CB64

Function 00721BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00721BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00721BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00721C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00721C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00721C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00721C22

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: c036453b504d3d7accffbfa8535c03efda531f506c854cecf3e6d91d679031da
Instruction ID: ac511b47bb4cf4415f651f7ed637b65bac3b9a0595adc988a823d483d82ca389
Opcode Fuzzy Hash: c036453b504d3d7accffbfa8535c03efda531f506c854cecf3e6d91d679031da
Instruction Fuzzy Hash: F80167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00415BA15C4BA42C7F5A864CBE5

Function 0078EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0078EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0078EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0078EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0078EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0078EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0078EB75

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: c74ee00f1e58482bcc20129ce25c6d74009131c727ddd7dee129c34dc703ed68
Instruction ID: 0fe5b4c6b82d570f322f16ce9a719a7594519f4a03cc103d32dcd48c18bbc457
Opcode Fuzzy Hash: c74ee00f1e58482bcc20129ce25c6d74009131c727ddd7dee129c34dc703ed68
Instruction Fuzzy Hash: 79F01272140158BBD62257569C0DFEB3A7CEBCAB15F008259F501E1091A7A45A0186B9

Function 00777439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00777452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00777469
GetWindowDC.USER32(?), ref: 00777475
GetPixel.GDI32(00000000,?,?), ref: 00777484
ReleaseDC.USER32(?,00000000), ref: 00777496
GetSysColor.USER32(00000005), ref: 007774B0

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 733c58fd871cedc7a941eb32d9fb5342ade40b354e590434f993b8b0c776f119
Instruction ID: 94bfb534175642a172356b3fba62e305fc85685a87870762dea1bd953628b960
Opcode Fuzzy Hash: 733c58fd871cedc7a941eb32d9fb5342ade40b354e590434f993b8b0c776f119
Instruction Fuzzy Hash: E1014B31400215EFEB525FA4DC08FEA7BB5FF04351F61C264F919A61A1CB391E51EB54

Function 00781874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0078187F
UnloadUserProfile.USERENV(?,?), ref: 0078188B
CloseHandle.KERNEL32(?), ref: 00781894
CloseHandle.KERNEL32(?), ref: 0078189C
GetProcessHeap.KERNEL32(00000000,?), ref: 007818A5
HeapFree.KERNEL32(00000000), ref: 007818AC

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 3efc394a6337e466c2e43327af04d316e1a10c10094824b25e092df6c8e099e5
Instruction ID: ff1b32a93369d2d5a7effba65bbc861e4568cdbcfcf8d2da68b2226337cf0a01
Opcode Fuzzy Hash: 3efc394a6337e466c2e43327af04d316e1a10c10094824b25e092df6c8e099e5
Instruction Fuzzy Hash: F6E0C2B6004109BBDA025FA5ED0CE0ABB69FB49B22B50C321F225D1070CB369820DB68

Function 007A7B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00740242: EnterCriticalSection.KERNEL32(007F070C,007F1884,?,?,0073198B,007F2518,?,?,?,007212F9,00000000), ref: 0074024D
Part of subcall function 00740242: LeaveCriticalSection.KERNEL32(007F070C,?,0073198B,007F2518,?,?,?,007212F9,00000000), ref: 0074028A

Part of subcall function 00729CB3: _wcslen.LIBCMT ref: 00729CBD

Part of subcall function 007400A3: __onexit.LIBCMT ref: 007400A9

__Init_thread_footer.LIBCMT ref: 007A7BFB

Part of subcall function 007401F8: EnterCriticalSection.KERNEL32(007F070C,?,?,00738747,007F2514), ref: 00740202
Part of subcall function 007401F8: LeaveCriticalSection.KERNEL32(007F070C,?,00738747,007F2514), ref: 00740235

Strings

+Tw, xrefs: 007A7E2E
Variable must be of type 'Object'., xrefs: 007A7C3A
5, xrefs: 007A7C78
G, xrefs: 007A7C7F

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +Tw$5$G$Variable must be of type 'Object'.
API String ID: 535116098-2516738615
Opcode ID: 0fcdeb298bac78a905b956ebea51d951db8823868a28f1b688ac80fe08469e24
Instruction ID: 885df511b3719666fd8ca1bfba977ca229c09eba259296382d395133e82e6a65
Opcode Fuzzy Hash: 0fcdeb298bac78a905b956ebea51d951db8823868a28f1b688ac80fe08469e24
Instruction Fuzzy Hash: EA91BF71A04209EFCB08EF54D895DBDB7B5FF8A300F148159F8069B292DB79AE41CB61

Function 0078C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00727620: _wcslen.LIBCMT ref: 00727625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0078C6EE
_wcslen.LIBCMT ref: 0078C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0078C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0078C7CA

Strings

0, xrefs: 0078C6AF

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 1e214dfec5059738f8d69e74e4f8bf3f300dc038e3c68cc828219b84d2ced019
Instruction ID: e6ed3808087997d3f3096fbd36bdd03d3512f9afefdb02783d8fe01be2eeef2f
Opcode Fuzzy Hash: 1e214dfec5059738f8d69e74e4f8bf3f300dc038e3c68cc828219b84d2ced019
Instruction Fuzzy Hash: 9C51CF716943019BD716EF28C889B6B77E8AF49310F040A39FA95D32A1DB7CD904CB66

Function 007AAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 007AAEA3

Part of subcall function 00727620: _wcslen.LIBCMT ref: 00727625

GetProcessId.KERNEL32(00000000), ref: 007AAF38
CloseHandle.KERNEL32(00000000), ref: 007AAF67

Strings

@, xrefs: 007AAE72
<, xrefs: 007AAE6B

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 048a7bf7bdc98f760e5edb147c523f5e0f78c38fd3bf55fb45bb38d721585a02
Instruction ID: 797af0b9fab433c31fca15e93bcf66f3ad02570c87a6eb159303e2c6285d7288
Opcode Fuzzy Hash: 048a7bf7bdc98f760e5edb147c523f5e0f78c38fd3bf55fb45bb38d721585a02
Instruction Fuzzy Hash: A071AD71A00629EFCB18DF54D489A9EBBF0FF49310F048599E856AB352C778ED41CB91

Function 0078719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00787206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0078723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0078724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 007872CF

Strings

DllGetClassObject, xrefs: 00787242

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 55b0f3153644ac5bb04eca8b4408e733bc71917cc80ea320bdcf2e32a5eac4c7
Instruction ID: b46efc129e0bbe8a2131000ac7f174617ebb63b26a7691f636622514d32a88ee
Opcode Fuzzy Hash: 55b0f3153644ac5bb04eca8b4408e733bc71917cc80ea320bdcf2e32a5eac4c7
Instruction Fuzzy Hash: 224153B1644204DFDB19DF54C884B9A7BB9FF48310F2480A9FD0A9F21AD7B9D944DBA0

Function 007B3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007B3E35
IsMenu.USER32(?), ref: 007B3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007B3E92
DrawMenuBar.USER32 ref: 007B3EA5

Strings

0, xrefs: 007B3D89

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 78e1dc78d69d643a7d2c84e874c42b73690d80bde33d111e79f497664d16a986
Instruction ID: 9c8572bc47cfed2b178f39d660b0aa00e954deb736a510533a69963a893955c6
Opcode Fuzzy Hash: 78e1dc78d69d643a7d2c84e874c42b73690d80bde33d111e79f497664d16a986
Instruction Fuzzy Hash: 52413875A00209EFDB10DF50D884EEABBB5FF48350F04812AF915AB250D738EE94CBA0

Function 00781DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00729CB3: _wcslen.LIBCMT ref: 00729CBD

Part of subcall function 00783CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00783CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00781E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00781E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00781EA9

Part of subcall function 00726B57: _wcslen.LIBCMT ref: 00726B6A

Strings

ListBox, xrefs: 00781E25
ComboBox, xrefs: 00781DF0

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: ed6c9eab48f684c1c25253a019b0cb0fa46c996274b6a0d28f5b5b4866124429
Instruction ID: 653601d0e57bbc39563da61dbeac42278d455d8d55b00811b860eb3da92b20d9
Opcode Fuzzy Hash: ed6c9eab48f684c1c25253a019b0cb0fa46c996274b6a0d28f5b5b4866124429
Instruction Fuzzy Hash: 4521F3B1A40108EADB14AB65EC49CFFB7BCEF45364F588129F825A71E1DB7C490A8720

Function 007AC9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007AC9F1
_wcslen.LIBCMT ref: 007ACA68
_wcslen.LIBCMT ref: 007ACA9E
_wcslen.LIBCMT ref: 007ACAF9
_wcslen.LIBCMT ref: 007ACB2F
_wcslen.LIBCMT ref: 007ACB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 007ACA62, 007ACA67
HKLM, xrefs: 007ACA98, 007ACA9D

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 942aa0132bbfeb827533d1a5dff6a6d94f71886c3b2786707184bb59e2ffbef7
Instruction ID: a97ab412709cabf2c8c959e6f7997113d8c88a1348dc71883d3a88d0e95f75ff
Opcode Fuzzy Hash: 942aa0132bbfeb827533d1a5dff6a6d94f71886c3b2786707184bb59e2ffbef7
Instruction Fuzzy Hash: 47312873A0056DABCB22DF6D98401BE33915BE3754F05C229E845AB344EA7CCD40D3A0

Function 007B2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 007B2F8D
LoadLibraryW.KERNEL32(?), ref: 007B2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 007B2FA9
DestroyWindow.USER32(?), ref: 007B2FB1

Strings

SysAnimate32, xrefs: 007B2F68

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 08b38e1e0af812c43a676439048323d2e9d54dcdb43a94763ee95871d9c9105b
Instruction ID: b1f781c3db6c9e6d95c4981ed1c740a86c17045f45033f9e185d9e221d9be7c8
Opcode Fuzzy Hash: 08b38e1e0af812c43a676439048323d2e9d54dcdb43a94763ee95871d9c9105b
Instruction Fuzzy Hash: D321DC71201205AFEF118F64DC84FFB37B9EB58368F108618FA10D20A1C779DC429760

Function 00744D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00744D1E,007528E9,?,00744CBE,007528E9,007E88B8,0000000C,00744E15,007528E9,00000002), ref: 00744D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00744DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00744D1E,007528E9,?,00744CBE,007528E9,007E88B8,0000000C,00744E15,007528E9,00000002,00000000), ref: 00744DC3

Strings

mscoree.dll, xrefs: 00744D86
CorExitProcess, xrefs: 00744D98

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 5701a7d95c4e4dd2075b832fc7519b56d14210939dfc57767a32926c9e5e53e4
Instruction ID: 031827f62289b3a56910950fdd0cd8bfe786010b45b5554a58ca8755447254a0
Opcode Fuzzy Hash: 5701a7d95c4e4dd2075b832fc7519b56d14210939dfc57767a32926c9e5e53e4
Instruction Fuzzy Hash: DFF0AF34A0020CFBDB129F94DC49FADBBB9EF04711F0081A8F909A2260CB789940DED4

Function 0077D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0077D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0077D3BF
FreeLibrary.KERNEL32(00000000), ref: 0077D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0077D3B9
X64, xrefs: 0077D2A8

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: b517334126dd9c6242f3a7ec46b108469715e00797ff8e7a27d8f803ac69b590
Instruction ID: 8c95c33b7cd66a500bd43bfa4e722298c021493f86943aab534d529c0072ac79
Opcode Fuzzy Hash: b517334126dd9c6242f3a7ec46b108469715e00797ff8e7a27d8f803ac69b590
Instruction Fuzzy Hash: ADF055B0802628CBEF3223148C48E7D7234BF10B81FA5C268F80EF2042EB6CCD418693

Function 00724E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00724EDD,?,007F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00724E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00724EAE
FreeLibrary.KERNEL32(00000000,?,?,00724EDD,?,007F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00724EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00724EA8
kernel32.dll, xrefs: 00724E94

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: be0de4a8cd8200089072660da218173315f7eeb7530205a834972ace23ffee48
Instruction ID: b5b960e0f60750f2f47836ddec805665a6a4702ecb100ea3214bf232018e0367
Opcode Fuzzy Hash: be0de4a8cd8200089072660da218173315f7eeb7530205a834972ace23ffee48
Instruction Fuzzy Hash: B2E0CDB5E026365BE2331729BC1CF5F6558AF81F627068255FC00F3200DBACCD0240B4

Function 00724E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00763CDE,?,007F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00724E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00724E74
FreeLibrary.KERNEL32(00000000,?,?,00763CDE,?,007F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00724E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00724E6E
kernel32.dll, xrefs: 00724E5B

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: de8c265dd4a047a7844ea3d4975d5935163e0e4d61bfba6284365fb08ca9a1fb
Instruction ID: 429081468398f225ce5247db8aaf82186386ceb398bebef78ad6331c6b8a0a0a
Opcode Fuzzy Hash: de8c265dd4a047a7844ea3d4975d5935163e0e4d61bfba6284365fb08ca9a1fb
Instruction Fuzzy Hash: D8D0C271902676576A231B297C0CF8F2A18AF85B11306C650F800B2120CF6CCD0281E4

Function 00792947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00792C05
DeleteFileW.KERNEL32(?), ref: 00792C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00792C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00792CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00792CC0

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 9c3e111814de5b879a7ae63338887d8befaf58d7388afcf23e3ac217e1da5724
Instruction ID: 9bc39b1b9592b27e2df98c11fbb260f3bf17e9bc51247bd8b631f9fcd71edbcd
Opcode Fuzzy Hash: 9c3e111814de5b879a7ae63338887d8befaf58d7388afcf23e3ac217e1da5724
Instruction Fuzzy Hash: 7FB15F71D00119EBDF21EBA4DC89EDEB7BDEF09350F1040A6F509E6152EB389E458B61

Function 007AA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 007AA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 007AA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 007AA468
CloseHandle.KERNEL32(?), ref: 007AA63D

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 2190516ab0da1ecfaba49020886ebe5e5e50fd4287f4311796d2150f119d4fed
Instruction ID: ef56ee554b0e0fba8ec85dc5591e6135c1fe4852adc4a0f02acee5427ac4d945
Opcode Fuzzy Hash: 2190516ab0da1ecfaba49020886ebe5e5e50fd4287f4311796d2150f119d4fed
Instruction Fuzzy Hash: BDA1B171604300AFE720DF24D886F2AB7E5AF88714F14891DF55A9B2D2D7B8EC41CB92

Function 0078E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0078DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0078CF22,?), ref: 0078DDFD

Part of subcall function 0078DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0078CF22,?), ref: 0078DE16

Part of subcall function 0078E199: GetFileAttributesW.KERNEL32(?,0078CF95), ref: 0078E19A

lstrcmpiW.KERNEL32(?,?), ref: 0078E473
MoveFileW.KERNEL32(?,?), ref: 0078E4AC
_wcslen.LIBCMT ref: 0078E5EB
_wcslen.LIBCMT ref: 0078E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0078E650

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: a2a95a336fb2412cf1c97b166a7355aa6619e4bcc70365841f489a017150000f
Instruction ID: 90870cc5a121b7a377f3cd3183f94a16dda1eb7a0b816d76c730288d6df16933
Opcode Fuzzy Hash: a2a95a336fb2412cf1c97b166a7355aa6619e4bcc70365841f489a017150000f
Instruction Fuzzy Hash: 0A5155B25483859BC734EBA0DC959DFB3DCAF84340F04492EF689D3151EF78A6888766

Function 007AB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00729CB3: _wcslen.LIBCMT ref: 00729CBD

Part of subcall function 007AC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007AB6AE,?,?), ref: 007AC9B5
Part of subcall function 007AC998: _wcslen.LIBCMT ref: 007AC9F1
Part of subcall function 007AC998: _wcslen.LIBCMT ref: 007ACA68
Part of subcall function 007AC998: _wcslen.LIBCMT ref: 007ACA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007ABAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007ABB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 007ABB63
RegCloseKey.ADVAPI32(?,?), ref: 007ABBA6
RegCloseKey.ADVAPI32(00000000), ref: 007ABBB3

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: f0aa048fa2b29a23cf75884ee59887143b921a952a080bbdd978c3ae03ac50b1
Instruction ID: 3bc9f7a291219497d1d99f78f23f11a6b7de8625c68461eff2c186468ca763f5
Opcode Fuzzy Hash: f0aa048fa2b29a23cf75884ee59887143b921a952a080bbdd978c3ae03ac50b1
Instruction Fuzzy Hash: 1B619171208241EFD314DF64C894E2ABBE5FF85308F54865CF4994B2A2DB39ED45CBA2

Function 00788BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00788BCD
VariantClear.OLEAUT32 ref: 00788C3E
VariantClear.OLEAUT32 ref: 00788C9D
VariantClear.OLEAUT32(?), ref: 00788D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00788D3B

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: a0810203a0209a67dec63c14a53c84df2ec22bbbeb07277c238cdc27862ccbb5
Instruction ID: c52f08977227172f06e19f373d7e5547c878188552fa5827db47889cd34411e6
Opcode Fuzzy Hash: a0810203a0209a67dec63c14a53c84df2ec22bbbeb07277c238cdc27862ccbb5
Instruction Fuzzy Hash: CA5169B5A00219EFCB10DF68C894AAABBF8FF8D310B158559E915DB354E734E911CBA0

Function 00798AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00798BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00798BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00798C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00798C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00798C5F

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 3a1057a3161cb7b975ed828e3756dd75f8f2dd6733333574c759c7ee9c6df1f8
Instruction ID: b0ae21c332abf4485d91572ae6c08e388a8c0174af9bd144525513d4e94ff636
Opcode Fuzzy Hash: 3a1057a3161cb7b975ed828e3756dd75f8f2dd6733333574c759c7ee9c6df1f8
Instruction Fuzzy Hash: 8A514835A00215DFCB05DF65D885EA9BBF5FF49314F088098E849AB362CB39ED51CBA1

Function 007A8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 007A8F40
GetProcAddress.KERNEL32(00000000,?), ref: 007A8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 007A8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 007A9032
FreeLibrary.KERNEL32(00000000), ref: 007A9052

Part of subcall function 0073F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00791043,?,753CE610), ref: 0073F6E6
Part of subcall function 0073F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0077FA64,00000000,00000000,?,?,00791043,?,753CE610,?,0077FA64), ref: 0073F70D

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: a56ac84f880e0997dd49050f93fa04abb1cd2e6ee42bc415771a7f0bead98ea1
Instruction ID: d5111dd762f46972b1fdd73bc5b650eb5e8dc0d1eb0c7fb88cb2e2248bb3c911
Opcode Fuzzy Hash: a56ac84f880e0997dd49050f93fa04abb1cd2e6ee42bc415771a7f0bead98ea1
Instruction Fuzzy Hash: 65512935600216DFC715DF58C4848ADBBB1FF8A314F0881A9E906AB362DB39ED85CB91

Function 007B6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 007B6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 007B6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 007B6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0079AB79,00000000,00000000), ref: 007B6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 007B6CC7

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 1cdc1ea2ab8dfac5c3649f3cca93b4c425dbc5ac6aa9265e81d15ad1ff556a86
Instruction ID: 9afc4c55a34692bb891f178e77d61d6bd670ba1d5753f42be34968cd663ed353
Opcode Fuzzy Hash: 1cdc1ea2ab8dfac5c3649f3cca93b4c425dbc5ac6aa9265e81d15ad1ff556a86
Instruction Fuzzy Hash: 4A41A175604104AFD725DF28CC58FEA7FA5EB09350F154268FA95A72A0C37DFD41CAA0

Function 00752051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007520C3
_free.LIBCMT ref: 007520E3

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f19496d70bf9421c794406415dcc8802661431dc558e8d49edac373e0127d245
Instruction ID: 50429f23c3c09b3f07c5a99ec7357538106af295c2b6fcf58125cabdda5960c8
Opcode Fuzzy Hash: f19496d70bf9421c794406415dcc8802661431dc558e8d49edac373e0127d245
Instruction Fuzzy Hash: 8941E732E00604DFDB20DF78C884A9EB3A5EF8A310F154568E915EB392D775AD06CB80

Function 0073912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00739141
ScreenToClient.USER32(00000000,?), ref: 0073915E
GetAsyncKeyState.USER32(00000001), ref: 00739183
GetAsyncKeyState.USER32(00000002), ref: 0073919D

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 64b076af6ad029d22899d2699da1cf7d02415b82dba00dbd0432b54ef698c70a
Instruction ID: cffef765d72a10866f7a2ef4f2a1c17373aee9f3bc59249a496000f5b1e2ad62
Opcode Fuzzy Hash: 64b076af6ad029d22899d2699da1cf7d02415b82dba00dbd0432b54ef698c70a
Instruction Fuzzy Hash: 4D417031A0850AFBDF199F64C848BEEB774FF45360F208215E529A3291D7785D50CFA1

Function 00793874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 007938CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00793922
TranslateMessage.USER32(?), ref: 0079394B
DispatchMessageW.USER32(?), ref: 00793955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00793966

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 0b6e6e3918f5c072504b3a50e4875ff01af4499974d6e195f2a3660a3765d471
Instruction ID: d0f28cad6a2ed45b39c04083c1944e1dd4c5038f03de4caab33a353e635b8751
Opcode Fuzzy Hash: 0b6e6e3918f5c072504b3a50e4875ff01af4499974d6e195f2a3660a3765d471
Instruction Fuzzy Hash: CB31D370904341DEEF35CB34A848FB637E8AB15328F54856DE466C61A0E7FCBA85CB25

Function 0079CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0079C21E,00000000), ref: 0079CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0079CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0079C21E,00000000), ref: 0079CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0079C21E,00000000), ref: 0079CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0079C21E,00000000), ref: 0079CFF2

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 1b2dd289a3082a6ab5adbda0146bd451e396d0bd35b3ad8b2a7a58563189bb2d
Instruction ID: 7a0f57ba10aa781232d290cf3493358287948895d909c79cfefc281f310821b9
Opcode Fuzzy Hash: 1b2dd289a3082a6ab5adbda0146bd451e396d0bd35b3ad8b2a7a58563189bb2d
Instruction Fuzzy Hash: F2315272500605EFDF21DFA5D888EABBBFAEB14350B10842EF506D2141DB38AE41DB60

Function 00781901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00781915
PostMessageW.USER32(00000001,00000201,00000001), ref: 007819C1
Sleep.KERNEL32(00000000,?,?,?), ref: 007819C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 007819DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 007819E2

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 778750a0b28f438cb3deea7ff0d50102e45ccaedc31b4883c7f0670183ee6f8b
Instruction ID: 9c733c10f6a04c1e18200353bfa3039af6ca0dea9a80162bb050ff006a4307e0
Opcode Fuzzy Hash: 778750a0b28f438cb3deea7ff0d50102e45ccaedc31b4883c7f0670183ee6f8b
Instruction Fuzzy Hash: 9231AF71900259EFCB00DFA8C999FEE3BB9EB04315F108265F961A72D1C774A945CB90

Function 007B5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 007B5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 007B579D
_wcslen.LIBCMT ref: 007B57AF
_wcslen.LIBCMT ref: 007B57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 007B5816

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: f872720a58d7e2fe1f27497fa7be34e33b30cc17c4804e0db6040c6b0a1ca4b4
Instruction ID: bebd7708ea7ef648e7e409f75d49848502ec40beb1ed3413ae19222a0630dd91
Opcode Fuzzy Hash: f872720a58d7e2fe1f27497fa7be34e33b30cc17c4804e0db6040c6b0a1ca4b4
Instruction Fuzzy Hash: 72217171904618EADB209FA0CC85FEE77B8FF04724F108256E929EB180D7789985CF50

Function 007A0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 007A0951
GetForegroundWindow.USER32 ref: 007A0968
GetDC.USER32(00000000), ref: 007A09A4
GetPixel.GDI32(00000000,?,00000003), ref: 007A09B0
ReleaseDC.USER32(00000000,00000003), ref: 007A09E8

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 4ee21d99db91e0adc0782435ab4d9b506744863c0d0d58810ab5b11b39148100
Instruction ID: e267dcb19fe6f1802830d442b00411d86023c2a66fbb6d9bcc68435a4ff560e0
Opcode Fuzzy Hash: 4ee21d99db91e0adc0782435ab4d9b506744863c0d0d58810ab5b11b39148100
Instruction Fuzzy Hash: 33215035600214AFD704EF69D849E5EB7E5EF49700F04C568E84697752DB38AC04CB90

Function 0075CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0075CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0075CDE9

Part of subcall function 00753820: RtlAllocateHeap.NTDLL(00000000,?,007F1444,?,0073FDF5,?,?,0072A976,00000010,007F1440,007213FC,?,007213C6,?,00721129), ref: 00753852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0075CE0F
_free.LIBCMT ref: 0075CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0075CE31

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 7046873e4ed4c6b04393a22e6fbde66e150d05c3a6c1ed6dad60c9b1424a9287
Instruction ID: 1bac424b209bd1bb2857e2af7e0765165afdf9344067c19d7be2c939c0d066c5
Opcode Fuzzy Hash: 7046873e4ed4c6b04393a22e6fbde66e150d05c3a6c1ed6dad60c9b1424a9287
Instruction Fuzzy Hash: F501D8726013157F2323167A6C4EEBB696DDEC6BA2315422DFD05D7201DAA98D0581F4

Function 00739639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00739693
SelectObject.GDI32(?,00000000), ref: 007396A2
BeginPath.GDI32(?), ref: 007396B9
SelectObject.GDI32(?,00000000), ref: 007396E2

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 8c9ab1c3ea3fb35337b0fb9b9274ca7986687dc6eb38bd72aa7a1d4d4428a3b1
Instruction ID: 4b8c061836a6d7f397d51b95b9293608b87ff1e5231cecd9e7e80dff5a2e17cd
Opcode Fuzzy Hash: 8c9ab1c3ea3fb35337b0fb9b9274ca7986687dc6eb38bd72aa7a1d4d4428a3b1
Instruction Fuzzy Hash: EA217F70812349EBEB11DF29DC19BB93BA8BB10355F50C216F510A61A1D3FDA891CFD8

Function 00785711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00785726
_memcmp.LIBVCRUNTIME ref: 00785744
_memcmp.LIBVCRUNTIME ref: 00785757
_memcmp.LIBVCRUNTIME ref: 0078576F
_memcmp.LIBVCRUNTIME ref: 00785787

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: eeab76b49a454d986e66c545d25b536c13031d50805624880bdf397992c594cb
Instruction ID: 0d03a29348e136600162944b7bcfb63e78b9a296ed619dee8e973d97198efb47
Opcode Fuzzy Hash: eeab76b49a454d986e66c545d25b536c13031d50805624880bdf397992c594cb
Instruction Fuzzy Hash: FD01B5A5681A09FBE2087520DD82FFB735D9B21794F808030FD049A241F76CED5083B4

Function 00752DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0074F2DE,00753863,007F1444,?,0073FDF5,?,?,0072A976,00000010,007F1440,007213FC,?,007213C6), ref: 00752DFD
_free.LIBCMT ref: 00752E32
_free.LIBCMT ref: 00752E59
SetLastError.KERNEL32(00000000,00721129), ref: 00752E66
SetLastError.KERNEL32(00000000,00721129), ref: 00752E6F

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2f7ed96dda1f34a1493e33403ac6f941240fe5cd062e0b1d52ac7af488cb5f3f
Instruction ID: ac3a3e29572318b8a1947201ed4458e58d50231b596723f5169d2e30e778012b
Opcode Fuzzy Hash: 2f7ed96dda1f34a1493e33403ac6f941240fe5cd062e0b1d52ac7af488cb5f3f
Instruction Fuzzy Hash: C8014E71205540A7C61323742C4FDEB1659ABD33A7B248118FC21A3293EFFC9C0F0064

Function 0078000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0077FF41,80070057,?,?,?,0078035E), ref: 0078002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0077FF41,80070057,?,?), ref: 00780046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0077FF41,80070057,?,?), ref: 00780054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0077FF41,80070057,?), ref: 00780064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0077FF41,80070057,?,?), ref: 00780070

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 79d98ab33adffdb3d0987e1d818ebc433b04995c148b338e6f71876145d82386
Instruction ID: f598adfdb1dc87b93d065fa2ace0545e758a3fb57eb6f8e3e0fd9dd02fd39f3b
Opcode Fuzzy Hash: 79d98ab33adffdb3d0987e1d818ebc433b04995c148b338e6f71876145d82386
Instruction Fuzzy Hash: 9401AD76640204BFDB526F68DC08FAA7AEDEF447A2F148224F905D6210E779DD44ABA0

Function 0078E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0078E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0078E9A5
Sleep.KERNEL32(00000000), ref: 0078E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0078E9B7
Sleep.KERNEL32 ref: 0078E9F3

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: dc681bec15db1c71f620f226cff581ada5678b6ff43b9f5cf2453b8127de77cf
Instruction ID: dce7435ffc16c791129e1211ac86fb7d7d24f1faebec45abce25430d3892a83b
Opcode Fuzzy Hash: dc681bec15db1c71f620f226cff581ada5678b6ff43b9f5cf2453b8127de77cf
Instruction Fuzzy Hash: B2018C71C4162DDBCF00AFE9DC49AEDBB78FF08301F008646E942B2241DB78A550CBA6

Function 007810F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00781114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00780B9B,?,?,?), ref: 00781120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00780B9B,?,?,?), ref: 0078112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00780B9B,?,?,?), ref: 00781136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0078114D

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: d6083e36e7d803d1af07ab6ebaa7fa4ed8c045cb926c1ce8289377550139841c
Instruction ID: eb1d99279d5ad8b21f2e2907185f83f3d74b9f33c1142855b3155b13e8e5b49c
Opcode Fuzzy Hash: d6083e36e7d803d1af07ab6ebaa7fa4ed8c045cb926c1ce8289377550139841c
Instruction Fuzzy Hash: 720181B5500209BFDB125F68DC5DEAA3F6EEF85360B508415FA41D3350DB35DC008B60

Function 00780FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00780FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00780FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00780FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00780FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00781002

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 26ba83a6bde2a143b3473f99b4f411bae63e2ee00c05f3863dadcc5e983941f3
Instruction ID: d09b77d96878492983c82642a3a1cbab3fb79b25404a195776e676b63674eee5
Opcode Fuzzy Hash: 26ba83a6bde2a143b3473f99b4f411bae63e2ee00c05f3863dadcc5e983941f3
Instruction Fuzzy Hash: 37F0CD75240305EBDB222FA8DC4EF563BADEF89762F508425FA05D7250CA38DC408B60

Function 00781014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0078102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00781036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00781045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0078104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00781062

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 2ca08fdfb0a959d6be35738519d15547dfbf8f21e44be99b8cf8993b293a579b
Instruction ID: 7c66f5d7b5b03702b8929683c9805caf2af82c40779845653cb16edb86c167ea
Opcode Fuzzy Hash: 2ca08fdfb0a959d6be35738519d15547dfbf8f21e44be99b8cf8993b293a579b
Instruction Fuzzy Hash: F9F0CD75240305EBDB222FA8EC49F573BADEF89761F508425FA05D7250CA38DC408B60

Function 0079030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0079017D,?,007932FC,?,00000001,00762592,?), ref: 00790324
CloseHandle.KERNEL32(?,?,?,?,0079017D,?,007932FC,?,00000001,00762592,?), ref: 00790331
CloseHandle.KERNEL32(?,?,?,?,0079017D,?,007932FC,?,00000001,00762592,?), ref: 0079033E
CloseHandle.KERNEL32(?,?,?,?,0079017D,?,007932FC,?,00000001,00762592,?), ref: 0079034B
CloseHandle.KERNEL32(?,?,?,?,0079017D,?,007932FC,?,00000001,00762592,?), ref: 00790358
CloseHandle.KERNEL32(?,?,?,?,0079017D,?,007932FC,?,00000001,00762592,?), ref: 00790365

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: bcb0998b2e88feb9d077635b63748a2d72bf47fa7a12773e6cff99e416e8f149
Instruction ID: c287ba9b296ff9df263adf976c8d7f779b7cdf612228e983ea43010f63b6eb35
Opcode Fuzzy Hash: bcb0998b2e88feb9d077635b63748a2d72bf47fa7a12773e6cff99e416e8f149
Instruction Fuzzy Hash: B701AE72810B159FCB30AF66E880812FBF9BF603153158A3FD19652931C3B5A958DF80

Function 0075D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0075D752

Part of subcall function 007529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0075D7D1,00000000,00000000,00000000,00000000,?,0075D7F8,00000000,00000007,00000000,?,0075DBF5,00000000), ref: 007529DE
Part of subcall function 007529C8: GetLastError.KERNEL32(00000000,?,0075D7D1,00000000,00000000,00000000,00000000,?,0075D7F8,00000000,00000007,00000000,?,0075DBF5,00000000,00000000), ref: 007529F0

_free.LIBCMT ref: 0075D764
_free.LIBCMT ref: 0075D776
_free.LIBCMT ref: 0075D788
_free.LIBCMT ref: 0075D79A

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 22c48e723459bf40ebf952e5fa7ec50046c0349a99d6378c2a2343eced8f928e
Instruction ID: 15de1e76c1e408ee1adf3d0377898d6f27dd5d0575b500f5e0fc947ef5bdb233
Opcode Fuzzy Hash: 22c48e723459bf40ebf952e5fa7ec50046c0349a99d6378c2a2343eced8f928e
Instruction Fuzzy Hash: 07F04F32501248AB8636EB64F9C5CD67BDDBB0D3127A54C05F848FB612CBACFC858A64

Function 00785C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00785C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00785C6F
MessageBeep.USER32(00000000), ref: 00785C87
KillTimer.USER32(?,0000040A), ref: 00785CA3
EndDialog.USER32(?,00000001), ref: 00785CBD

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: b9db91b1a468ec9d66b1cdb90fcd1ea54b57f23a09ee486e72d0b407f4481514
Instruction ID: 1af06f1740ce138ac49f6eb6b0d9feeb73aed48c2803056396eddec84d817a6b
Opcode Fuzzy Hash: b9db91b1a468ec9d66b1cdb90fcd1ea54b57f23a09ee486e72d0b407f4481514
Instruction Fuzzy Hash: 7101A970540B05ABEB326B10DD4EFA677B8BF00B05F005659B583A14E1DBF8AD84CFA4

Function 007522A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 007522BE

Part of subcall function 007529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0075D7D1,00000000,00000000,00000000,00000000,?,0075D7F8,00000000,00000007,00000000,?,0075DBF5,00000000), ref: 007529DE
Part of subcall function 007529C8: GetLastError.KERNEL32(00000000,?,0075D7D1,00000000,00000000,00000000,00000000,?,0075D7F8,00000000,00000007,00000000,?,0075DBF5,00000000,00000000), ref: 007529F0

_free.LIBCMT ref: 007522D0
_free.LIBCMT ref: 007522E3
_free.LIBCMT ref: 007522F4
_free.LIBCMT ref: 00752305

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 33e969a4c00ba35876b01ccf1c5b6a54972ed10d8329ee3d10b722b90ce9a5eb
Instruction ID: c9c0f5d13590514f276258a82de53e46846b1a294670ac00dc7a83e85498672e
Opcode Fuzzy Hash: 33e969a4c00ba35876b01ccf1c5b6a54972ed10d8329ee3d10b722b90ce9a5eb
Instruction Fuzzy Hash: CCF03078501110DB8613AF94BC458E83BA4B719752B418506F820F6373C77D1417DFED

Function 007395C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 007395D4
StrokeAndFillPath.GDI32(?,?,007771F7,00000000,?,?,?), ref: 007395F0
SelectObject.GDI32(?,00000000), ref: 00739603
DeleteObject.GDI32 ref: 00739616
StrokePath.GDI32(?), ref: 00739631

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: d946ce43b5ebc77e33619c27ba8880d5268121d6d909dee357cd1b7b12fac38f
Instruction ID: 311ad0614b5f9b0dee9fd264a9b48468d3ad431513a50e63c0d51fdd83ef34f6
Opcode Fuzzy Hash: d946ce43b5ebc77e33619c27ba8880d5268121d6d909dee357cd1b7b12fac38f
Instruction Fuzzy Hash: 21F03C30006248EBEB12AF69ED1CBB93B65AB10322F44C314F565550F1D7BC99A1DFA8

Function 00750F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 007510F9
__freea.LIBCMT ref: 00751117

Part of subcall function 00751537: _free.LIBCMT ref: 0075154F

Strings

a/p, xrefs: 007511DE
am/pm, xrefs: 0075117A

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: a79772a35bf5fc50644e8b24c218d6378b8b3d64deae9b5fc29133748f8b6b2e
Instruction ID: b84e304e25fb932b186e69065875ca311cee8813cb64a0216421c6ccbe3a2c19
Opcode Fuzzy Hash: a79772a35bf5fc50644e8b24c218d6378b8b3d64deae9b5fc29133748f8b6b2e
Instruction Fuzzy Hash: AED1F431A00205DADB249F68C8A5BFAB7B1FF06703FA44159ED059B690D3FD9D88CB91

Function 00755AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOr, xrefs: 00755BA8, 00755C6C

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID: JOr
API String ID: 0-1269207774
Opcode ID: 00adb33148c61a3a6e0246936c20daf1128fb8e9700a20de53db96de589f33ab
Instruction ID: 756c582cc12c92b87c3dbda2d79df1213260dc63627d7814b3c678c3db1f8073
Opcode Fuzzy Hash: 00adb33148c61a3a6e0246936c20daf1128fb8e9700a20de53db96de589f33ab
Instruction Fuzzy Hash: 6A51A1B1D0060ADFDB119FA8C859FEE7BB4AF05312F14015AFC05AB291D7BD9A09CB61

Function 00758A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00758B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00758B7A
__dosmaperr.LIBCMT ref: 00758B81

Strings

.t, xrefs: 00758A63

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .t
API String ID: 2434981716-4274973675
Opcode ID: 5ed62ff79a197f54f913e68f6035b269d79900e3e4631d1e252ef86289471f9f
Instruction ID: e1ba877f1fd24ad6cf51e13bd03fbef856a3f85919c8a9d56c10487120b2dd3d
Opcode Fuzzy Hash: 5ed62ff79a197f54f913e68f6035b269d79900e3e4631d1e252ef86289471f9f
Instruction Fuzzy Hash: E841AEF0604045AFDB659F24C880AFD3FE9EB45301F28C199FC55AB252DEB98C068796

Function 00782716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0078B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007821D0,?,?,00000034,00000800,?,00000034), ref: 0078B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00782760

Part of subcall function 0078B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007821FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0078B3F8

Part of subcall function 0078B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0078B355
Part of subcall function 0078B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00782194,00000034,?,?,00001004,00000000,00000000), ref: 0078B365
Part of subcall function 0078B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00782194,00000034,?,?,00001004,00000000,00000000), ref: 0078B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007827CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0078281A

Strings

@, xrefs: 00782832

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: d7e91c8785e5ff4b474decf0771db3342c1716bc38ec6d1e095ff7991e9639c8
Instruction ID: bafad3fbc6653a5c68954aed5f457d149513720d66a30d7dbe604412b08e71c1
Opcode Fuzzy Hash: d7e91c8785e5ff4b474decf0771db3342c1716bc38ec6d1e095ff7991e9639c8
Instruction Fuzzy Hash: 14411B72940218BFDB11EBA4CD46EEEBBB8EF09700F108095FA55B7181DB746E45CBA1

Function 0075172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00751769
_free.LIBCMT ref: 00751834
_free.LIBCMT ref: 0075183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00751760, 00751767, 00751796, 007517CE

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: 8d0925e993c6ac76dd70f8e29482be2adc1dfdff558ff076f91a33c1bb7c1a9d
Instruction ID: 4300b0a0c23fc570bcdf80ff50d572f9e5356d3f89800e91a56a7162d581042c
Opcode Fuzzy Hash: 8d0925e993c6ac76dd70f8e29482be2adc1dfdff558ff076f91a33c1bb7c1a9d
Instruction Fuzzy Hash: 5E319175A00218EFDB21DB999C85EEEBBFCEB89312F904166F81497211D7F85E44CB90

Function 0078C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0078C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0078C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,007F1990,015057E0), ref: 0078C395

Strings

0, xrefs: 0078C2DF

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: ff33ec16602b79ac98a0630f84090c415185e601ee0790e5c03efab2387dd957
Instruction ID: 91d2a0e2f8cead7ac7e8409fd5828144c0b82a0ea811e0cc31d1f800e5153353
Opcode Fuzzy Hash: ff33ec16602b79ac98a0630f84090c415185e601ee0790e5c03efab2387dd957
Instruction Fuzzy Hash: CF418D31244301DFD722EF25D885B5ABBE8EF85320F148A2DF9A5972D1D738A905CB62

Function 007B4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,007BCC08,00000000,?,?,?,?), ref: 007B44AA
GetWindowLongW.USER32 ref: 007B44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007B44D7

Strings

SysTreeView32, xrefs: 007B447C

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 2bd6f53a887443ac6ab5f932afa4588f2229ad924355a91be73b449175e580a0
Instruction ID: 0e46389410d32e01587f13cccd5b6dd7f34f8f5e23978a184be3c1c1179f4a23
Opcode Fuzzy Hash: 2bd6f53a887443ac6ab5f932afa4588f2229ad924355a91be73b449175e580a0
Instruction Fuzzy Hash: 14319C72210645AFDB218E38DC45FEA7BA9EF08334F208715F975921D1D778EC609760

Function 00786E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00786EED
VariantCopyInd.OLEAUT32(?,?), ref: 00786F08
VariantClear.OLEAUT32(?), ref: 00786F12

Strings

*jx, xrefs: 00786E8B, 00786E90, 00786EF8

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jx
API String ID: 2173805711-190275591
Opcode ID: bf4a379d50d68a6727a1dd3e4a864f055556b053cfa0ffd12045a6b5a0377b11
Instruction ID: 92301d31ae2265664dc1574d9f837515c37342cb323d7aa6a2dbc6fbe7cb4d87
Opcode Fuzzy Hash: bf4a379d50d68a6727a1dd3e4a864f055556b053cfa0ffd12045a6b5a0377b11
Instruction Fuzzy Hash: 50319172604255EFCB05BFA4E8559BE7776FF89700B1044A8FA025B2A1C73CD911DB94

Function 007A304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007A335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,007A3077,?,?), ref: 007A3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 007A307A
_wcslen.LIBCMT ref: 007A309B
htons.WSOCK32(00000000,?,?,00000000), ref: 007A3106

Strings

255.255.255.255, xrefs: 007A3095, 007A309A

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: a18b8806118a572fdecfa29f4a067e793ac77717e8d71e4be517b6144beae180
Instruction ID: ab47bc4a0683e20a10601a94b405a52faabba2d938a29f92365ce836bed00e6c
Opcode Fuzzy Hash: a18b8806118a572fdecfa29f4a067e793ac77717e8d71e4be517b6144beae180
Instruction Fuzzy Hash: 6131D339204205DFCB10CF68C486EAA77E1EF96318F24C259F9158B392DB3AEE41C760

Function 007B3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 007B3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 007B3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 007B3F78

Strings

SysMonthCal32, xrefs: 007B3F0B

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: fac10c0529f09e9ff2d82c0d4df0dec1223890b0d3529d3fd043708b8cb30ae2
Instruction ID: 075e511c4561503cdae8c4d9edcd2d281422ef4d4ff8ea51c2802013c50652ce
Opcode Fuzzy Hash: fac10c0529f09e9ff2d82c0d4df0dec1223890b0d3529d3fd043708b8cb30ae2
Instruction Fuzzy Hash: 9221BC32600219BFDF229F94CC46FEA3B79EB48724F114215FA156B1D0D6B9A990CBA0

Function 007B4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 007B4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 007B4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 007B471A

Strings

msctls_updown32, xrefs: 007B4684

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: acfc8b8dd1ddd0316edc303d4c64f63996971de8ca371b92a24bac3771a0d1da
Instruction ID: 620a86cdd3d0ad0e1e1755230590eff1a9eca9f3f95c00cefd710512481ae71f
Opcode Fuzzy Hash: acfc8b8dd1ddd0316edc303d4c64f63996971de8ca371b92a24bac3771a0d1da
Instruction Fuzzy Hash: BA2160B5600248AFDB11DF64DCC5EB737BDEB5A3A8B044059FA009B252CB79EC11CA60

Function 007895AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0078961D

Strings

#requireadmin, xrefs: 007895D9
#OnAutoItStartRegister, xrefs: 007895F3
#notrayicon, xrefs: 007895B7

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 0827cb80a4563b3cad28132ac7ab1c6794e45b946d5aaa4c65819f6b880580cc
Instruction ID: 5c19055e23542b067b24c7fe9129151da999639f222bc659046e8c4fc9e910b0
Opcode Fuzzy Hash: 0827cb80a4563b3cad28132ac7ab1c6794e45b946d5aaa4c65819f6b880580cc
Instruction Fuzzy Hash: D9213572284620E6D331BA249C0AFBB73989F91710F184026FA59D7181FB6DAD51C3A5

Function 007B37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 007B3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 007B3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 007B3876

Strings

Listbox, xrefs: 007B380F

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 3b7704d0ecbc8d8a76ee1f5c42dd005456b5ca44230f3ec819db748f07737a5a
Instruction ID: aedd6953d6663e9d5241cf31fa9f77cf3730c60cb673fdad2091c66f7d289b24
Opcode Fuzzy Hash: 3b7704d0ecbc8d8a76ee1f5c42dd005456b5ca44230f3ec819db748f07737a5a
Instruction Fuzzy Hash: 6621BE72610218BBEB218F54DC85FFB376EEF89760F108124F9049B190CA79DC9287A0

Function 007949F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00794A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00794A5C
SetErrorMode.KERNEL32(00000000,?,?,007BCC08), ref: 00794AD0

Strings

%lu, xrefs: 00794A6F

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: a24eb642be6bff4a704b82201b32fbe943b2fc6a43b378478a58ee5ae83298f4
Instruction ID: b87b411c81d5b3212401b1948ae76effddb158888324bb82dc030dcb50240fa1
Opcode Fuzzy Hash: a24eb642be6bff4a704b82201b32fbe943b2fc6a43b378478a58ee5ae83298f4
Instruction Fuzzy Hash: F6315271A00108EFDB10DF64D885EAA77F8EF04304F148099F505DB252D779ED45CB61

Function 007B41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 007B424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 007B4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 007B4271

Strings

msctls_trackbar32, xrefs: 007B4226

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: ccc0eb4254e1c8365547209f38290c758a0254099cd26e5ea1b32ee779bebbe5
Instruction ID: 64420513b07e352d64067b8686df7eed3ccf02ef9548fdbb72cf65573203758a
Opcode Fuzzy Hash: ccc0eb4254e1c8365547209f38290c758a0254099cd26e5ea1b32ee779bebbe5
Instruction Fuzzy Hash: 8811E371240248BEEF209E29CC06FEB3BACEF95B64F014114FA55E2091D275DC11DB50

Function 00782F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00726B57: _wcslen.LIBCMT ref: 00726B6A

Part of subcall function 00782DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00782DC5
Part of subcall function 00782DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00782DD6
Part of subcall function 00782DA7: GetCurrentThreadId.KERNEL32 ref: 00782DDD
Part of subcall function 00782DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00782DE4

GetFocus.USER32 ref: 00782F78

Part of subcall function 00782DEE: GetParent.USER32(00000000), ref: 00782DF9

GetClassNameW.USER32(?,?,00000100), ref: 00782FC3
EnumChildWindows.USER32(?,0078303B), ref: 00782FEB

Strings

%s%d, xrefs: 00782FFF

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 65f8a4938ca0eeac5c23516c7f44bf41eb24805a7eeb791f3c8855bd37e4b613
Instruction ID: 77d2f1eb9f03c23071a2d2b082e1945336fc3ff4b1913b27b62ef107ce71d015
Opcode Fuzzy Hash: 65f8a4938ca0eeac5c23516c7f44bf41eb24805a7eeb791f3c8855bd37e4b613
Instruction Fuzzy Hash: 3811E4B1700205ABCF557F749C89FED376AAF84304F048076F9099B252DE3899068B70

Function 007B5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007B58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007B58EE
DrawMenuBar.USER32(?), ref: 007B58FD

Strings

0, xrefs: 007B588F

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: f6aeaa9c8ae48b98b56364202a183f570d668569cf0fa77154b89292e27113db
Instruction ID: 3f3c02f8a5e6d3e326392647fd13d3a27a0cb48b37af3ac341bd1d5fd56a2b05
Opcode Fuzzy Hash: f6aeaa9c8ae48b98b56364202a183f570d668569cf0fa77154b89292e27113db
Instruction Fuzzy Hash: 2C011B31500218EEDB219F11DC48FEEBBB4FF45361F14C0AAE849D6151DB389A94DF21

Function 0078007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7229d9bb49d975b8044a7205e94e1acd5902bd50d89692805df608e686c37868
Instruction ID: beb5c999b15340eb66565049f4104d4823313905532ab39e39f5f0e445e32de4
Opcode Fuzzy Hash: 7229d9bb49d975b8044a7205e94e1acd5902bd50d89692805df608e686c37868
Instruction Fuzzy Hash: FDC17A75A0020AEFDB54DFA8C888EAEB7B5FF48314F208598E405EB251D774EE45DB90

Function 007A342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 007A3459
CoUninitialize.OLE32 ref: 007A3463
VariantInit.OLEAUT32(?), ref: 007A346E
VariantClear.OLEAUT32(?), ref: 007A371B

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: e8969c6c5458568d3a2edce163c74e59332a31620c22c69d967eeae93917e457
Instruction ID: f623266eebdf462cbd0b529958e12822c187bae7847e0ff6fba8f80464d020ee
Opcode Fuzzy Hash: e8969c6c5458568d3a2edce163c74e59332a31620c22c69d967eeae93917e457
Instruction Fuzzy Hash: 8DA14B75604310DFC704DF29C589A2AB7E5FF89714F048959F98A9B362DB38EE01CB91

Function 00780436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,007BFC08,?), ref: 007805F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,007BFC08,?), ref: 00780608
CLSIDFromProgID.OLE32(?,?,00000000,007BCC40,000000FF,?,00000000,00000800,00000000,?,007BFC08,?), ref: 0078062D
_memcmp.LIBVCRUNTIME ref: 0078064E

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 72c388ec5e4eb6141d4d926b97dc8f737ba19ce2185524f38239986395cbef3f
Instruction ID: 9512a3450d646296760a982eed8076d5cb3263b5e906222142e74f4992c5e534
Opcode Fuzzy Hash: 72c388ec5e4eb6141d4d926b97dc8f737ba19ce2185524f38239986395cbef3f
Instruction Fuzzy Hash: C3811E71A00109EFCB44DF94C984EEEB7B9FF89315F144558F506AB250DB75AE0ACBA0

Function 007AA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 007AA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 007AA6BA

Part of subcall function 00729CB3: _wcslen.LIBCMT ref: 00729CBD

Process32NextW.KERNEL32(00000000,?), ref: 007AA79C
CloseHandle.KERNEL32(00000000), ref: 007AA7AB

Part of subcall function 0073CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00763303,?), ref: 0073CE8A

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 31849a4f6fa83141e5498818b906d940f2ed6c76a652c2c4917f9a0ea47f7d4c
Instruction ID: 9678dfd305ece0c81be0e0baccc2d1e197e49cedc36992415d92b166dddedf96
Opcode Fuzzy Hash: 31849a4f6fa83141e5498818b906d940f2ed6c76a652c2c4917f9a0ea47f7d4c
Instruction Fuzzy Hash: 84512A71508350EFD710EF24D88AA6BBBE8FF89754F04892DF58597252EB38D904CB92

Function 00761391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007614C0

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 7bba1f49bc5fee3ced2c5de7b978bcda941197425a3b69ed4308fb7efb591f2b
Instruction ID: 6739694941d0a3961cdfc15a57b241c6ac8feaa4f2d21008d1935b52e1ad0504
Opcode Fuzzy Hash: 7bba1f49bc5fee3ced2c5de7b978bcda941197425a3b69ed4308fb7efb591f2b
Instruction Fuzzy Hash: F8410A31900150EBDB21ABB98C4EAEE3EA4EF41370F5C4225FC1BD7292EB7C8C455661

Function 007B6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 007B62E2
ScreenToClient.USER32(?,?), ref: 007B6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 007B6382

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 5048564e02823b29da9f3da317de4ddd09ec810b36a569024d0c6c05d6c38e21
Instruction ID: d6d6e9f7a03788afd8f2c38de2a9f86d9ff363aa38065f5a75de8cf0c261372c
Opcode Fuzzy Hash: 5048564e02823b29da9f3da317de4ddd09ec810b36a569024d0c6c05d6c38e21
Instruction Fuzzy Hash: 3D512975A00249EFDF10DF58D884AEE7BB5FB55360F108269FA1597290D738AD41CB90

Function 007A1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 007A1AFD
WSAGetLastError.WSOCK32 ref: 007A1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 007A1B8A
WSAGetLastError.WSOCK32 ref: 007A1B94

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 7a346e272ef8ddd36f6f7a729ee117333f0b6ac9d00f1f4b56ec64a8283a074f
Instruction ID: 239d05657207aefb71424f822b33d6c0ec5db70007da3ecae57e3770b2ee2bea
Opcode Fuzzy Hash: 7a346e272ef8ddd36f6f7a729ee117333f0b6ac9d00f1f4b56ec64a8283a074f
Instruction Fuzzy Hash: A041D074600210AFE720AF20D88AF2977E5AB89718F54C548F91A9F7D3D77ADD41CB90

Function 0075B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2baab0df64a12aff78bf10559e7009687292d649066a7a6d75706ad40749df49
Instruction ID: d965b91143fe29a9e8beb6996d9b3f5e86bd18d3cd57efbc07e681049b0fc9aa
Opcode Fuzzy Hash: 2baab0df64a12aff78bf10559e7009687292d649066a7a6d75706ad40749df49
Instruction Fuzzy Hash: CE410A72A00354FFD7249F38CC45BBA7BA9EB88711F10452EF951DB682D7B9A9058780

Function 007956D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00795783
GetLastError.KERNEL32(?,00000000), ref: 007957A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 007957CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 007957FA

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: a715b505fc00ed2fb884f1bcc6b7509c8b8284920c2124999bddef6ce041242f
Instruction ID: b5ed94fc9e3696c42ed684681634d1d600ca7dc0594febc4d0ef77155e6fc297
Opcode Fuzzy Hash: a715b505fc00ed2fb884f1bcc6b7509c8b8284920c2124999bddef6ce041242f
Instruction Fuzzy Hash: 02411E35600620DFCB15EF55D548A5EBBF2EF89320B19C488E84A6B362CB38FD40CB91

Function 0075D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00746D71,00000000,00000000,007482D9,?,007482D9,?,00000001,00746D71,?,00000001,007482D9,007482D9), ref: 0075D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0075D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0075D9AB
__freea.LIBCMT ref: 0075D9B4

Part of subcall function 00753820: RtlAllocateHeap.NTDLL(00000000,?,007F1444,?,0073FDF5,?,?,0072A976,00000010,007F1440,007213FC,?,007213C6,?,00721129), ref: 00753852

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 5736278f94538e1ea60fbe2997ffca0493be35a9c8b40ba6ab99ba92b75e54ed
Instruction ID: 5bdf96d7c003cb2630716edce391471ce8788b1938cd883311bff4dd54aa4213
Opcode Fuzzy Hash: 5736278f94538e1ea60fbe2997ffca0493be35a9c8b40ba6ab99ba92b75e54ed
Instruction Fuzzy Hash: 5831D072A0020AABDF35DF64DC45EEE7BA5EB41311B054268FC04E7151EB79ED58CBA0

Function 007B52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 007B5352
GetWindowLongW.USER32(?,000000F0), ref: 007B5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007B5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007B53A8

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: e9a07a5e068beff87f24d7fdc2b7f55e7ea57e204befc1345e9737972ca70295
Instruction ID: ebc9f6b9fbdc799d460b1c7cc0a3a9108322b3431349c98687aeefee402f6974
Opcode Fuzzy Hash: e9a07a5e068beff87f24d7fdc2b7f55e7ea57e204befc1345e9737972ca70295
Instruction Fuzzy Hash: 1331C234A55A08EFEB309E14CC59FE877E5AB04398F588102FA11973E1C7BDA980DB41

Function 0078AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0078ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0078AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0078AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0078ACC6

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 540670645f68193e7f0772893d4f3cfdc271fce73083d521a0c7e37200a812ee
Instruction ID: 80121e8bd82f29ad926f4620428e598d7aef460a170390323d6b536e479ab5de
Opcode Fuzzy Hash: 540670645f68193e7f0772893d4f3cfdc271fce73083d521a0c7e37200a812ee
Instruction Fuzzy Hash: 62310970A80718BFFF35EB658C08BFA7BA5AB49310F08831BE585521D1D37D89858772

Function 007B7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 007B769A
GetWindowRect.USER32(?,?), ref: 007B7710
PtInRect.USER32(?,?,007B8B89), ref: 007B7720
MessageBeep.USER32(00000000), ref: 007B778C

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 2521de080df93f1277eb67ea10d5ff486fe8f83104f845da42c2e6d5029a5c5d
Instruction ID: 6b0bfea419620c27f265380b84ec77ef6ed7deeb2103d5ef5332ca96c57490cc
Opcode Fuzzy Hash: 2521de080df93f1277eb67ea10d5ff486fe8f83104f845da42c2e6d5029a5c5d
Instruction Fuzzy Hash: A7419A34A09254DFCB19CF58C898FE9B7F4FF88314F5981A8E8159B261CB78E941CB90

Function 007B16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 007B16EB

Part of subcall function 00783A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00783A57
Part of subcall function 00783A3D: GetCurrentThreadId.KERNEL32 ref: 00783A5E
Part of subcall function 00783A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007825B3), ref: 00783A65

GetCaretPos.USER32(?), ref: 007B16FF
ClientToScreen.USER32(00000000,?), ref: 007B174C
GetForegroundWindow.USER32 ref: 007B1752

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 46801c79989b75fda6bb4e5bd4a88097eb635a7baa742fa2fa9d4c31a7264359
Instruction ID: ccb5e6daf79c39eb91e75e179e7a48981add1a5e38fa9a1995c0c8eda4400a1c
Opcode Fuzzy Hash: 46801c79989b75fda6bb4e5bd4a88097eb635a7baa742fa2fa9d4c31a7264359
Instruction Fuzzy Hash: D3318F71D00148EFCB04EFA9D885DEEBBF9EF48304B5480AAE415E7211DB389E45CBA0

Function 0078DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00727620: _wcslen.LIBCMT ref: 00727625

_wcslen.LIBCMT ref: 0078DFCB
_wcslen.LIBCMT ref: 0078DFE2
_wcslen.LIBCMT ref: 0078E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0078E018

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 899987b64ce8e4a6935cdbe7cc144711e86ee51123a5e4e50fd18a5b94de6558
Instruction ID: a95618c95a5e69a818029822797783e85cb36f94b58e6f311a7c3b7501e8f4a9
Opcode Fuzzy Hash: 899987b64ce8e4a6935cdbe7cc144711e86ee51123a5e4e50fd18a5b94de6558
Instruction Fuzzy Hash: CC21D371940214EFCB20AFA8D985BAEB7F8EF45750F104064E904BB285D7789E41CBA1

Function 007B8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00739BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00739BB2

GetCursorPos.USER32(?), ref: 007B9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00777711,?,?,?,?,?), ref: 007B9016
GetCursorPos.USER32(?), ref: 007B905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00777711,?,?,?), ref: 007B9094

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 2280be6ce295730424608a077dbb00e95dcbc7c0eea3b58582e105f244ba384c
Instruction ID: 6a09516849854c49cfd470b1d7fead2c31df6e78ed1971f7e12fb451c844e7ea
Opcode Fuzzy Hash: 2280be6ce295730424608a077dbb00e95dcbc7c0eea3b58582e105f244ba384c
Instruction Fuzzy Hash: 6321BF31600018EFDB26DF94C898FFA7BB9EF8A360F108165FB1547261C379A950DB60

Function 0078D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,007BCB68), ref: 0078D2FB
GetLastError.KERNEL32 ref: 0078D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0078D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,007BCB68), ref: 0078D376

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: c97db43c610ac57886f807fbc0b7d17fe9d736708ca10d25714b1eecb1c790ff
Instruction ID: fae74dde8452c25d0df3ed90d7e1c12657d12e9fad77aba1baa14eae2b1810d1
Opcode Fuzzy Hash: c97db43c610ac57886f807fbc0b7d17fe9d736708ca10d25714b1eecb1c790ff
Instruction Fuzzy Hash: EC218D70548201DF8720EF28D8859AEB7E4BE5A324F148A1DF499C72E1E7389D45CB93

Function 00781571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00781014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0078102A
Part of subcall function 00781014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00781036
Part of subcall function 00781014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00781045
Part of subcall function 00781014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0078104C
Part of subcall function 00781014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00781062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007815BE
_memcmp.LIBVCRUNTIME ref: 007815E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00781617
HeapFree.KERNEL32(00000000), ref: 0078161E

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: a53d4f7af5bad62f3c8a386a2adfe0c6e4fd33cc6b14df297fb13f5538b04f01
Instruction ID: 5f244c7a0dbd0743eca8a61793298a7d0eefa072aa2153d3a11165bd0402facf
Opcode Fuzzy Hash: a53d4f7af5bad62f3c8a386a2adfe0c6e4fd33cc6b14df297fb13f5538b04f01
Instruction Fuzzy Hash: 80218E71E40108EFDF00EFA4C949BEEB7B8FF44344F498459E441AB241EB38AA06CB60

Function 007B2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 007B280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 007B2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 007B2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 007B2840

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 489cdd5b63d9d1683826df7923625516100f8dcef6d59c5fea1b889ff41a2ec8
Instruction ID: 2110a0366a82bf026af0a19d57cdfc5fa0e949a76919cedcc2bd5df9990ea11c
Opcode Fuzzy Hash: 489cdd5b63d9d1683826df7923625516100f8dcef6d59c5fea1b889ff41a2ec8
Instruction Fuzzy Hash: E721B331206511AFD7159B24C845FEA7B99AF49324F248258F4268B6E3CB79FC42C7D4

Function 007878F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00788D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0078790A,?,000000FF,?,00788754,00000000,?,0000001C,?,?), ref: 00788D8C
Part of subcall function 00788D7D: lstrcpyW.KERNEL32(00000000,?,?,0078790A,?,000000FF,?,00788754,00000000,?,0000001C,?,?,00000000), ref: 00788DB2
Part of subcall function 00788D7D: lstrcmpiW.KERNEL32(00000000,?,0078790A,?,000000FF,?,00788754,00000000,?,0000001C,?,?), ref: 00788DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00788754,00000000,?,0000001C,?,?,00000000), ref: 00787923
lstrcpyW.KERNEL32(00000000,?,?,00788754,00000000,?,0000001C,?,?,00000000), ref: 00787949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00788754,00000000,?,0000001C,?,?,00000000), ref: 00787984

Strings

cdecl, xrefs: 0078797B

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: b2e93ce979376e7750ce76dd95aff2f6a1a58389f3f1632d79cc58be79c24624
Instruction ID: 3502346f67719e85c0619be2d8b0c61841b8ebd3490d5234e0f660097800c348
Opcode Fuzzy Hash: b2e93ce979376e7750ce76dd95aff2f6a1a58389f3f1632d79cc58be79c24624
Instruction Fuzzy Hash: 1A11293A240306ABDB15AF39C844E7A77A9FF49390B50802AF842CB265EF39D801C761

Function 007B7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 007B7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 007B7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 007B7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0079B7AD,00000000), ref: 007B7D6B

Part of subcall function 00739BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00739BB2

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: fa9e8f2a2bf8deaf9c3fde558c66e5b191435532ad0b993bd0b3d9a4d8930b68
Instruction ID: f10469134f0c342dcf052d5465ed65731aeb8d8fc84fe2008f7817d3d5bdf595
Opcode Fuzzy Hash: fa9e8f2a2bf8deaf9c3fde558c66e5b191435532ad0b993bd0b3d9a4d8930b68
Instruction Fuzzy Hash: 6E118E31604655AFCB159F28CC04FB63BA5AF853A0F258724F839DB2E0E7399950DB90

Function 007B5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 007B56BB
_wcslen.LIBCMT ref: 007B56CD
_wcslen.LIBCMT ref: 007B56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 007B5816

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 434f1e7a83aecc83a51e31c57fdd6aa23ec9599ceee9ff2ff4fbcf8c8985ecb1
Instruction ID: c105685191db4e602cc1652e6b77fc5ce2e18a8dc5ca2f6140a9a41ff8029a1b
Opcode Fuzzy Hash: 434f1e7a83aecc83a51e31c57fdd6aa23ec9599ceee9ff2ff4fbcf8c8985ecb1
Instruction Fuzzy Hash: 4411D071A00608EADB209F61CC85FEE77ACEF10768F508166F915D6081EBB8DA80CB64

Function 00751D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbc283a5f26f52e139fb5e253d4387e9207cec73218e4097a9845f248d5ba10f
Instruction ID: 1c4cc0964b357f796f472ab36bea0c56972c20abdfbdc8029f54be16a33b8b26
Opcode Fuzzy Hash: bbc283a5f26f52e139fb5e253d4387e9207cec73218e4097a9845f248d5ba10f
Instruction Fuzzy Hash: 5F0184B230571A7EF62116786CC4FA7672CDF413BBB754325FD31611D2DBA89C484260

Function 00781A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00781A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00781A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00781A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00781A8A

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 79a630911ac2efc7df43c016cd1712480cdfd76303190cb8fb0f705e1ea30060
Instruction ID: 2a17043ccd7cd7d6657d32658ab30b6d3d7e3c82133e725c80fc30ef9e85a6ef
Opcode Fuzzy Hash: 79a630911ac2efc7df43c016cd1712480cdfd76303190cb8fb0f705e1ea30060
Instruction Fuzzy Hash: 8C11393AD41219FFEB11EBA4CD85FADBB78EB08750F204091EA10B7290D6716E51DB94

Function 0078E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0078E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0078E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0078E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0078E24D

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 78f85d539a07725d0c4928dc08931eaaf66d1f26755720cb9f0bc5fbbb25d586
Instruction ID: 82de79e1d9b702deb8d3cb43ba28138a35927d996f4557e3f5f2e8d1ae46a856
Opcode Fuzzy Hash: 78f85d539a07725d0c4928dc08931eaaf66d1f26755720cb9f0bc5fbbb25d586
Instruction Fuzzy Hash: AF110872904218BBC701AFA89C09EAE7FADAF45310F40C325F814E3290D7B88D0087A4

Function 0074D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0074CFF9,00000000,00000004,00000000), ref: 0074D218
GetLastError.KERNEL32 ref: 0074D224
__dosmaperr.LIBCMT ref: 0074D22B
ResumeThread.KERNEL32(00000000), ref: 0074D249

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: a29896c1fe7feb3056fb1c47c738f829be80a04c967bc6a19e3e38743af54005
Instruction ID: b3acd5cb2ee1bb5f86438292431c7ec8ddaf60a3c8c55aff6e832e25f82b5b32
Opcode Fuzzy Hash: a29896c1fe7feb3056fb1c47c738f829be80a04c967bc6a19e3e38743af54005
Instruction Fuzzy Hash: F201D276805218BBCB215BA5DC0DBAE7AA9EF81331F108319F925921D0DBB8CD01C6A1

Function 007B9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00739BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00739BB2

GetClientRect.USER32(?,?), ref: 007B9F31
GetCursorPos.USER32(?), ref: 007B9F3B
ScreenToClient.USER32(?,?), ref: 007B9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 007B9F7A

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 9eef1ebf3f81f0c37849a04840a878fc73e33f47872d7de523b4ace5f6a82188
Instruction ID: 7b40996afb7d53504faec80f550f873462f0a536278920d933a7d63d3cef2857
Opcode Fuzzy Hash: 9eef1ebf3f81f0c37849a04840a878fc73e33f47872d7de523b4ace5f6a82188
Instruction Fuzzy Hash: 4611283190011AEFDB11DF98C849EFE77B8EB45321F504551FA11E3150D738BA91CBA5

Function 0072600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0072604C
GetStockObject.GDI32(00000011), ref: 00726060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0072606A

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 44292af1c72ba2b897728120906b605181e91cef1f492b38d1c85644faa4b952
Instruction ID: 86cc5acf850e205278b5e416e48bb3c62839b7d0c0281ff1945fa4c80b104ada
Opcode Fuzzy Hash: 44292af1c72ba2b897728120906b605181e91cef1f492b38d1c85644faa4b952
Instruction Fuzzy Hash: 26116172501558FFEF224FA49C44EFA7B69EF19354F048216FA1556110D73ADC60EBA0

Function 00743B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00743B56

Part of subcall function 00743AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00743AD2
Part of subcall function 00743AA3: ___AdjustPointer.LIBCMT ref: 00743AED

_UnwindNestedFrames.LIBCMT ref: 00743B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00743B7C
CallCatchBlock.LIBVCRUNTIME ref: 00743BA4

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: c43f93f0c0d772068d3be6377c8bbc7af6e82f94aa86e22c12dcb7e07a29fc5f
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 84012972100148BBDF126E95CC46EEB3B6EEF48754F044014FE4896121C73AE961EBA0

Function 00753073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,007213C6,00000000,00000000,?,0075301A,007213C6,00000000,00000000,00000000,?,0075328B,00000006,FlsSetValue), ref: 007530A5
GetLastError.KERNEL32(?,0075301A,007213C6,00000000,00000000,00000000,?,0075328B,00000006,FlsSetValue,007C2290,FlsSetValue,00000000,00000364,?,00752E46), ref: 007530B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0075301A,007213C6,00000000,00000000,00000000,?,0075328B,00000006,FlsSetValue,007C2290,FlsSetValue,00000000), ref: 007530BF

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 7fcd9ea8b66c5a36a67142b8354de03f17eed054a4d553675c992a28c4284e7e
Instruction ID: cebf6ef9c5f9f472e3592c3dba6971eec5121d5380fcc4f6b34c1909a3e181ab
Opcode Fuzzy Hash: 7fcd9ea8b66c5a36a67142b8354de03f17eed054a4d553675c992a28c4284e7e
Instruction Fuzzy Hash: B101D832301326ABCB324A789C44EA77799AF457E2B108724FD0DE31A0C769D909C6E4

Function 00787464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0078747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00787497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 007874AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 007874CA

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: ed382717a3f0b30a26bcb96255fe17ff144aa1596219e16fe519c1c9e33db639
Instruction ID: cdf3cca32117d33315339ae22fca7c5816727962b7edabfc20d685fe6693fe4a
Opcode Fuzzy Hash: ed382717a3f0b30a26bcb96255fe17ff144aa1596219e16fe519c1c9e33db639
Instruction Fuzzy Hash: 0111C0B1249354AFE720AF54DC08F927FFCEB00B10F20C569A65BD6191D7B8E904DB60

Function 0078B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0078ACD3,?,00008000), ref: 0078B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0078ACD3,?,00008000), ref: 0078B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0078ACD3,?,00008000), ref: 0078B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0078ACD3,?,00008000), ref: 0078B126

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 79521e0f83aea65540c89d4b5d42402e9e8c4d3381bf4bbad624396121ca3054
Instruction ID: 1e51b87e0e1d8d23c667633dbc3cda61381f013d91a2f102a2419cf807cadeb8
Opcode Fuzzy Hash: 79521e0f83aea65540c89d4b5d42402e9e8c4d3381bf4bbad624396121ca3054
Instruction Fuzzy Hash: 31115E71C4151CD7CF00EFE8D959BEEBB78FF09711F108186D981B6181CB3855508B55

Function 007B7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 007B7E33
ScreenToClient.USER32(?,?), ref: 007B7E4B
ScreenToClient.USER32(?,?), ref: 007B7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 007B7E8A

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: a502d022bef1e5f4679da5c62f4de1370ef4b2d6002b7452c2b6645c498dcbd3
Instruction ID: 49f8c9c6e956400400dc84a110ab893a4424e388a17da8a219d2e2235ed1c453
Opcode Fuzzy Hash: a502d022bef1e5f4679da5c62f4de1370ef4b2d6002b7452c2b6645c498dcbd3
Instruction Fuzzy Hash: 671153B9D0020AAFDB41CF98C884AEEBBF9FF08310F509166E915E3210D735AA54CF94

Function 00782DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00782DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00782DD6
GetCurrentThreadId.KERNEL32 ref: 00782DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00782DE4

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 990f36f13be58249423e3aa92686c0c60a10ec6ee158c53da8fa94755c0aeb4f
Instruction ID: 6fae2c2d63ea5babf15a5e158485204c6fb1bb806dbccb74411ebefef74a4c46
Opcode Fuzzy Hash: 990f36f13be58249423e3aa92686c0c60a10ec6ee158c53da8fa94755c0aeb4f
Instruction Fuzzy Hash: 51E092726412287BD7212B729C0EFEB3F6CEF42BA6F008215F505D10819AA8C841C7B0

Function 007B8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00739639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00739693
Part of subcall function 00739639: SelectObject.GDI32(?,00000000), ref: 007396A2
Part of subcall function 00739639: BeginPath.GDI32(?), ref: 007396B9
Part of subcall function 00739639: SelectObject.GDI32(?,00000000), ref: 007396E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 007B8887
LineTo.GDI32(?,?,?), ref: 007B8894
EndPath.GDI32(?), ref: 007B88A4
StrokePath.GDI32(?), ref: 007B88B2

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: a87f54fea576532c8e2db07e5e1106584a745ed24083b3a1806acff258ba61ad
Instruction ID: b5201b8e6fbd425f5a5e5877a14a769954e5a143e7d48b0deb23876a49c527b0
Opcode Fuzzy Hash: a87f54fea576532c8e2db07e5e1106584a745ed24083b3a1806acff258ba61ad
Instruction Fuzzy Hash: 7BF0DA36045259FBEB136F94AC0AFDA3B59AF06310F44C100FA11651E2C7BD5551DFE9

Function 007398B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 007398CC
SetTextColor.GDI32(?,?), ref: 007398D6
SetBkMode.GDI32(?,00000001), ref: 007398E9
GetStockObject.GDI32(00000005), ref: 007398F1

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 5430b0b6839450a7592fedb3d42668541ec3eab605523ca4aa2503b5e4902a97
Instruction ID: d4ebb8f8de0cf29b840c937708d2f65018c6fbbdf6a357c4182c8177c70ba4f3
Opcode Fuzzy Hash: 5430b0b6839450a7592fedb3d42668541ec3eab605523ca4aa2503b5e4902a97
Instruction Fuzzy Hash: 68E06531244288AADF225B78AC09FD83F10AB52375F14C319F6F9580E1C3794650DB11

Function 0078162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00781634
OpenThreadToken.ADVAPI32(00000000,?,?,?,007811D9), ref: 0078163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,007811D9), ref: 00781648
OpenProcessToken.ADVAPI32(00000000,?,?,?,007811D9), ref: 0078164F

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: d84c7b0335d6f14369b2cbd7c35aab0e5532885cf085a2f9ec2fc4dcefcb51d5
Instruction ID: 15f7d0dee222070a1e3fae8d9476d905fcd4d41877b50192a570d2f12d2a33d5
Opcode Fuzzy Hash: d84c7b0335d6f14369b2cbd7c35aab0e5532885cf085a2f9ec2fc4dcefcb51d5
Instruction Fuzzy Hash: 00E08631641211DBD7202FA09E0DF863B7CAF44791F18C918F285C9080EA3C4441C768

Function 0077D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0077D858
GetDC.USER32(00000000), ref: 0077D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0077D882
ReleaseDC.USER32(?), ref: 0077D8A3

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 3f29b802b07d453645da1d56d67a0524c7a542e151d0c9e6fb51e784ed238850
Instruction ID: 5e684de502ae1bfb9a021cdac35f4e65f5d08181042d8b92e1738911b9f38695
Opcode Fuzzy Hash: 3f29b802b07d453645da1d56d67a0524c7a542e151d0c9e6fb51e784ed238850
Instruction Fuzzy Hash: 58E0EEB5800204EFCB52AFA4A908F6DBBB2AB48310F24C109E80AA7250CB3C8941AF54

Function 0077D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0077D86C
GetDC.USER32(00000000), ref: 0077D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0077D882
ReleaseDC.USER32(?), ref: 0077D8A3

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: b8ad6a53ee025b5517d18c1d968c97f4c065eb4fac9a88ec1d3517470a5d9afc
Instruction ID: cc520ff010676c58d9a715659180d44db1ccefe452dd485244f62db69a4d43b0
Opcode Fuzzy Hash: b8ad6a53ee025b5517d18c1d968c97f4c065eb4fac9a88ec1d3517470a5d9afc
Instruction Fuzzy Hash: CBE012B5C00204EFCB52AFA4E80CF6DBBB1BB48314F14C108E90AE7250CB3C9901AF54

Function 00794D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00727620: _wcslen.LIBCMT ref: 00727625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00794ED4

Strings

*, xrefs: 00794E10
LPT, xrefs: 00794DFB

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: d4cbf76e9f2631fb06e65c19b265baab3988bdea88f9cfa273e5bdbfa4cbb47c
Instruction ID: d479f08cf2155383bb457cacb0f9709effdfb844d93c1bf0e687175a5ee3acc5
Opcode Fuzzy Hash: d4cbf76e9f2631fb06e65c19b265baab3988bdea88f9cfa273e5bdbfa4cbb47c
Instruction Fuzzy Hash: 32915175A00215DFCB14DF58D484EAABBF2BF48304F188099E40A9F762D739ED86CB91

Function 0074E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0074E30D

Strings

pow, xrefs: 0074E2E5, 0074E302

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: ef46d9ab1c1163840fb1ae754fd0a41da448fa1eba889855cce0b4227f8e94d7
Instruction ID: c6974472c3755f36022c94834956d9cd03a58871e3e708a32be99beac2a0568a
Opcode Fuzzy Hash: ef46d9ab1c1163840fb1ae754fd0a41da448fa1eba889855cce0b4227f8e94d7
Instruction Fuzzy Hash: BB518261A0C301D6CB1A7B14ED467F93BA4FB40762F30895CF8D5422E9DBBD8C89D646

Function 007A7771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0077569E,00000000,?,007BCC08,?,00000000,00000000), ref: 007A78DD

Part of subcall function 00726B57: _wcslen.LIBCMT ref: 00726B6A

CharUpperBuffW.USER32(0077569E,00000000,?,007BCC08,00000000,?,00000000,00000000), ref: 007A783B

Strings

<s~, xrefs: 007A77C8

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s~
API String ID: 3544283678-1637856232
Opcode ID: 8beddbfb0637aa2016b82a9894acdea6c5f84e9d3d3c5c68584f0b0e33eb085b
Instruction ID: 05bb61105b9f869cab0df6c3fd89ca4cdf3f171a5a3b474ada33c8ca00da4505
Opcode Fuzzy Hash: 8beddbfb0637aa2016b82a9894acdea6c5f84e9d3d3c5c68584f0b0e33eb085b
Instruction Fuzzy Hash: 6C614F72914128EBCF09EBA4DC95DFEB378BF59300F444226E542A7091EB3C6A45CBA0

Function 0073E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0073E1B1

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 083721cf6e78bd9576ef407444bc60693d0c899cbd6c1fc6b190ed857f772ab4
Instruction ID: d03b60f9a871b00c57ff2e2f0336579f4ee1f744c7efbd8856bd734cb0570b4d
Opcode Fuzzy Hash: 083721cf6e78bd9576ef407444bc60693d0c899cbd6c1fc6b190ed857f772ab4
Instruction Fuzzy Hash: 79512235500346DFEF19DF68C085ABA7BA8FF19350F2480A5F8959B2D1DA3C9D52CBA0

Function 0073F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0073F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0073F2BB

Strings

@, xrefs: 0073F2AF

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: f1f73f05d1ef85006860432419f599978a8c26d68534007ca04b74a5fa8c14ed
Instruction ID: 9f8a9214d29e5338291f142de3549051b1c32a4948f544102a0a9049bd9f4582
Opcode Fuzzy Hash: f1f73f05d1ef85006860432419f599978a8c26d68534007ca04b74a5fa8c14ed
Instruction Fuzzy Hash: D9512772408744EBD320AF50E98ABAFBBF8FB94300F81885DF1D941195EB748529CB66

Function 007A5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 007A57E0
_wcslen.LIBCMT ref: 007A57EC

Strings

CALLARGARRAY, xrefs: 007A57E6, 007A57EB

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 85dfcccd80e9c80ee5ede32e5809ba694f3668ee0672d712221cd32e88abc3bb
Instruction ID: 708ea3ef1536df7f37a7f78299d3e05f2db1ac4c93acb42c30601baf0be1926a
Opcode Fuzzy Hash: 85dfcccd80e9c80ee5ede32e5809ba694f3668ee0672d712221cd32e88abc3bb
Instruction Fuzzy Hash: A4419F31E00209DFCB14DFA9C8859AEBBB5FF9A364F144169E505A7252E73C9D81CFA0

Function 0079D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0079D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0079D13A

Strings

|, xrefs: 0079D10B

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 504078f4b6b96a72e2ee8f01dafd7206998bdd4b148cb8d39030ed9757034510
Instruction ID: 82465d850ad8969c3999721f56ddd9292adbe83c1c53fefd6b9a6fe0e427a25e
Opcode Fuzzy Hash: 504078f4b6b96a72e2ee8f01dafd7206998bdd4b148cb8d39030ed9757034510
Instruction Fuzzy Hash: 3D313E71D01219EBCF15EFA4DC89AEE7FB9FF04300F104019F915A6162E739AA56DB50

Function 007B356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 007B3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 007B365C

Strings

static, xrefs: 007B35BC

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 8c2710a0afc49a33ed2d7422b7c4bb7ff49a8efa025eb6a6afb488de7243b0b3
Instruction ID: 97ee5df688fc79cbb56d80734d424034d423cb932e2d190afb00e7f545847c51
Opcode Fuzzy Hash: 8c2710a0afc49a33ed2d7422b7c4bb7ff49a8efa025eb6a6afb488de7243b0b3
Instruction Fuzzy Hash: 44318D71110604AADB24DF38DC80FFB73A9FF88724F009619F8A597280DA38AD91D760

Function 007B4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 007B461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007B4634

Strings

', xrefs: 007B458E

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: c30104a9b7825d56dc84ba1c2523764c0408637e5eefd9764b02de9fc155fee5
Instruction ID: 1352a1d1af634d512dacae3935aafc04e0233338fd13a27aff099cac5ef69ed6
Opcode Fuzzy Hash: c30104a9b7825d56dc84ba1c2523764c0408637e5eefd9764b02de9fc155fee5
Instruction Fuzzy Hash: 64313974A00719AFDF14CFA9C980BEA7BB5FF09304F10406AE904AB342D774A951CF90

Function 007B31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 007B327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007B3287

Strings

Combobox, xrefs: 007B3249

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: ba8f39d00fc7f6f9f9c30ebac32b8127d70f48f1b89d2b6ff4072b5f17c8461d
Instruction ID: bd43717908a575c70ba28852c55b2991eeee3e648b59050ad59771c873c9419b
Opcode Fuzzy Hash: ba8f39d00fc7f6f9f9c30ebac32b8127d70f48f1b89d2b6ff4072b5f17c8461d
Instruction Fuzzy Hash: 1711B271300208BFEF259E94DC85FFB376AFB983A4F104229F91897290D6799D918760

Function 007B3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0072600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0072604C
Part of subcall function 0072600E: GetStockObject.GDI32(00000011), ref: 00726060
Part of subcall function 0072600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0072606A

GetWindowRect.USER32(00000000,?), ref: 007B377A
GetSysColor.USER32(00000012), ref: 007B3794

Strings

static, xrefs: 007B3757

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: c7d2cae3b1116aa3195f9359742688ae1e5c96f4fae1f63c1e6b07eb99864063
Instruction ID: 2926aef9d1c669d1f57d8b3744c2828b5da622b038706c2eaa1bb29fc6a2609e
Opcode Fuzzy Hash: c7d2cae3b1116aa3195f9359742688ae1e5c96f4fae1f63c1e6b07eb99864063
Instruction Fuzzy Hash: 5211F9B2610209AFDB11DFA8CC85EEA7BB8EB08354F004615F955E2250EB79E951DB60

Function 0079CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0079CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0079CDA6

Strings

<local>, xrefs: 0079CD66

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: a54787a744208ea03bce6c94e93563a3e22266ff71f40eaf53bad0b08b4c7457
Instruction ID: 1b1ec05346a44dd2b8dfd53237e0cf9ed170068399bb6b8def3b17b4e163937a
Opcode Fuzzy Hash: a54787a744208ea03bce6c94e93563a3e22266ff71f40eaf53bad0b08b4c7457
Instruction Fuzzy Hash: 2011C6B13056317ADF364B669C45FE7BE6CEF127A4F004226B10983180D7789840D6F0

Function 007B3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 007B34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007B34BA

Strings

edit, xrefs: 007B348F

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: b5bcf51df38a912620dd46687b906de384983148e502c9a362b162cac87d0c1b
Instruction ID: bd244817eadfa286620ad524a41890cdffed755868fa38f95595db6804532afb
Opcode Fuzzy Hash: b5bcf51df38a912620dd46687b906de384983148e502c9a362b162cac87d0c1b
Instruction Fuzzy Hash: 70116A71100248ABEB228E68DC44FFB376AEF05378F508324F961931E0C779EC919B64

Function 00786C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00729CB3: _wcslen.LIBCMT ref: 00729CBD

CharUpperBuffW.USER32(?,?,?), ref: 00786CB6
_wcslen.LIBCMT ref: 00786CC2

Strings

STOP, xrefs: 00786CBC, 00786CC1

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 20142a1e2ec4ad60d8ff9a3a08c3f7e78cf7b4da2890b8fdd8d1d51b24e1bb03
Instruction ID: b969016fa957827d7e8f3078b4cbc522195c5ad6a3fb82e4a3064a10a82fac43
Opcode Fuzzy Hash: 20142a1e2ec4ad60d8ff9a3a08c3f7e78cf7b4da2890b8fdd8d1d51b24e1bb03
Instruction Fuzzy Hash: F9010032A4052AABCB21BFBDDC949BF77A5FB60710B000538E86292190EB39E800C760

Function 00781CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00729CB3: _wcslen.LIBCMT ref: 00729CBD

Part of subcall function 00783CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00783CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00781D4C

Strings

ListBox, xrefs: 00781D16
ComboBox, xrefs: 00781CEB

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 161ca6fffa63825b558d98d2568765d7c123a1784ecce298248467859a1f5c93
Instruction ID: 4d4dc8ec4b44d969c5628e5de7d7971774a065ef9df2726ef069f77ff2ca60e4
Opcode Fuzzy Hash: 161ca6fffa63825b558d98d2568765d7c123a1784ecce298248467859a1f5c93
Instruction Fuzzy Hash: 3801D8B5741228EBCB04FBA4DC55DFE7368FB46350F480A19F932572C1EA3859098770

Function 00781BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00729CB3: _wcslen.LIBCMT ref: 00729CBD

Part of subcall function 00783CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00783CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00781C46

Strings

ListBox, xrefs: 00781C10
ComboBox, xrefs: 00781BE5

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: bca2506a6fef62ee365ee06c868b932e2ca9eaa674061ebe705756190de71c1b
Instruction ID: fc2d17174ebaa03750be76d8eb7324111ebc850c49c6770744b729f2dca632a2
Opcode Fuzzy Hash: bca2506a6fef62ee365ee06c868b932e2ca9eaa674061ebe705756190de71c1b
Instruction Fuzzy Hash: D401A7B5AC1118A7CB04FBA0D965EFF77ACAB15340F580019A516672C1EA2C9E0987B1

Function 00781C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00729CB3: _wcslen.LIBCMT ref: 00729CBD

Part of subcall function 00783CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00783CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00781CC8

Strings

ListBox, xrefs: 00781C94
ComboBox, xrefs: 00781C69

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 8ce9258bf5f7b32aad29574a8a158f6b951eeed2efeeb5d7e614ba587850c6d9
Instruction ID: 063238590a530f9cfc02d3afc24b3aa02773578dfac9f4720557b726525c5b63
Opcode Fuzzy Hash: 8ce9258bf5f7b32aad29574a8a158f6b951eeed2efeeb5d7e614ba587850c6d9
Instruction Fuzzy Hash: BF01D6B5AC1118A7CB04FBA5DA19EFE73ACAB15340F580015B90273281EA6C9F09C771

Function 00781D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00729CB3: _wcslen.LIBCMT ref: 00729CBD

Part of subcall function 00783CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00783CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00781DD3

Strings

ListBox, xrefs: 00781DA0
ComboBox, xrefs: 00781D75

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: bd1ad48fc9714459a0ae77f6ddf84c02413446c47aed83c2cd8c0d39d502cc27
Instruction ID: d4cb6907b9b3496b01b7cbd79a2039270c3fbd3954b61771d6b5b0b08305734a
Opcode Fuzzy Hash: bd1ad48fc9714459a0ae77f6ddf84c02413446c47aed83c2cd8c0d39d502cc27
Instruction Fuzzy Hash: 8CF0C8B1B81228A7DB04F7A5DC5AFFF777CAB05754F480915B922632C1DA6C59098370

Function 007A747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007A7493
_wcslen.LIBCMT ref: 007A74B9

Strings

3, 3, 16, 1, xrefs: 007A7483

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: a7b9e23e957fc07e3bec5d1d1dee5668ce522abdfccebb166a62eb62054898e6
Instruction ID: 66779682df508f6efc18fa8acb135604eab242dcd9c32330c14e88c0510ed36f
Opcode Fuzzy Hash: a7b9e23e957fc07e3bec5d1d1dee5668ce522abdfccebb166a62eb62054898e6
Instruction Fuzzy Hash: A7E02B422152A0609239127A9CC5A7F578DCFCE750710182BF981C2266EF9C9D92F3A0

Function 00780B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00780B23

Strings

AutoIt, xrefs: 00780B17
Error allocating memory., xrefs: 00780B1C

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 603a4eadc2e2d68f8b8337328e6569d7ca50464760823460a5e7ddd8faddd3d6
Instruction ID: 6959e455d176576df24dea58979a2d028db28cd5ddde753ff2311f6939b94f1b
Opcode Fuzzy Hash: 603a4eadc2e2d68f8b8337328e6569d7ca50464760823460a5e7ddd8faddd3d6
Instruction Fuzzy Hash: 73E0D83228435867E2113A947C0BFC97A848F05B50F104426FB88955C38AE9245006E9

Function 00740D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0073F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00740D71,?,?,?,0072100A), ref: 0073F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0072100A), ref: 00740D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0072100A), ref: 00740D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00740D7F

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 7a68bbf1384b3b8a131c0f7aade807d6147a93a6811f88886caf826dc363ef88
Instruction ID: 40ef9b280587a17539714d5312029feb60803f18bce35783139af0a8d33484a0
Opcode Fuzzy Hash: 7a68bbf1384b3b8a131c0f7aade807d6147a93a6811f88886caf826dc363ef88
Instruction Fuzzy Hash: B9E0ED746007518BE3719FB8E8087967BE4BF04B54F008A3DE596C6652DBBDE4488FE1

Function 00793017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0079302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00793044

Strings

aut, xrefs: 00793038

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 1f09ba9db54d84f8946620b8245cc9294a433c254dd25c8da8e4d4cbc30215b2
Instruction ID: c3b75de0b8188759e984b7a207906f686e902672149f3bb78f1ffece9b310121
Opcode Fuzzy Hash: 1f09ba9db54d84f8946620b8245cc9294a433c254dd25c8da8e4d4cbc30215b2
Instruction Fuzzy Hash: 33D05B7150031467DA2097959C0DFC73A6CD704750F0042617755D6091DAB49544CBD4

Function 0077D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0077D220

Strings

%.3d, xrefs: 0077D22B
X64, xrefs: 0077D2A8

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 2fa27b7e9a65a55e18a0bcbdaec15adac3f7e814071d984441ab3d5c371ea107
Instruction ID: bed421b7b75e583542f5dcade055a2c1f0ece9a3d9ebe7610bc5028aa37d6fce
Opcode Fuzzy Hash: 2fa27b7e9a65a55e18a0bcbdaec15adac3f7e814071d984441ab3d5c371ea107
Instruction Fuzzy Hash: C6D012A1C09148EACFA096E0DC499B9B37CBF08381F50C452F90AA1042D62CCD09A761

Function 007B2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007B236C
PostMessageW.USER32(00000000), ref: 007B2373

Part of subcall function 0078E97B: Sleep.KERNEL32 ref: 0078E9F3

Strings

Shell_TrayWnd, xrefs: 007B2365

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: ad9908b58192e87d651d21d311377e1bc651d16c4f80b9b24b137ba46ed7451a
Instruction ID: 5dd6c4b1114c12fc4cd5f4a135a6f83f703196e797b37db45223f20ad0518175
Opcode Fuzzy Hash: ad9908b58192e87d651d21d311377e1bc651d16c4f80b9b24b137ba46ed7451a
Instruction Fuzzy Hash: 58D0A9323C1300BAE264B7309C0FFC666049B08B00F008A12B281AA0D0C9E8B8008A08

Function 007B2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007B232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 007B233F

Part of subcall function 0078E97B: Sleep.KERNEL32 ref: 0078E9F3

Strings

Shell_TrayWnd, xrefs: 007B2325

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 03d920eee45f1765bcafed557b5ae82e1dcf56eadd547f7a231cd717897f7aa2
Instruction ID: a469ee752c16e9438029dfdc81535cf276c31cc87aaf6b1dcd345a4333a0968d
Opcode Fuzzy Hash: 03d920eee45f1765bcafed557b5ae82e1dcf56eadd547f7a231cd717897f7aa2
Instruction Fuzzy Hash: 4ED0A9323C0300B6E264B7309C0FFD66A049B04B00F008A12B285AA0D0C9E8A8008A08

Function 0075BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0075BE93
GetLastError.KERNEL32 ref: 0075BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0075BEFC

Memory Dump Source

Source File: 00000000.00000002.1745867193.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1745836741.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746071756.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746152188.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746185289.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: ea5c7e8bd65d8033719a766e5f930227383a8fa4938b98b574438eb1a817a70d
Instruction ID: da8c15be35e9f91fa720c486fd7a834b7af431cf0fe6d775782707d7371ea42d
Opcode Fuzzy Hash: ea5c7e8bd65d8033719a766e5f930227383a8fa4938b98b574438eb1a817a70d
Instruction Fuzzy Hash: 7D41F535600246EFCF218FA4CC89AFABBA4EF41312F144169FD59971E1DBB88D09CB61

Analysis Process: firefox.exePID: 7528, Parent PID: 4500COMMON

Execution Graph

Execution Coverage:	0.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00000250889DABF2 Relevance: 26.1, APIs: 1, Strings: 10, Instructions: 6826nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 00000250889DAC57

Strings

z, xrefs: 00000250889DC236
>, xrefs: 00000250889DACB9
#, xrefs: 00000250889DBD31
A, xrefs: 00000250889DAC4F
#, xrefs: 00000250889D8FC5
z, xrefs: 00000250889DAC8B
4, xrefs: 00000250889DECD9
>, xrefs: 00000250889DECFF
#, xrefs: 00000250889DAC82
>, xrefs: 00000250889DBA5C

Memory Dump Source

Source File: 00000010.00000002.2959380219.00000250889D8000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000250889D8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_250889d8000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID: #$#$#$4$>$>$>$A$z$z
API String ID: 3562636166-3072146587
Opcode ID: a7beeb6ed6d4bd1c13836e24e4a4bf8602c8d7752103ee20adf8d6ea9f6b849f
Instruction ID: 38fce1b599637a53d2ee6ae111026e329242573870c44ddaf50d2d48a5905415
Opcode Fuzzy Hash: a7beeb6ed6d4bd1c13836e24e4a4bf8602c8d7752103ee20adf8d6ea9f6b849f
Instruction Fuzzy Hash: F5A3D631618E498BDB2DDF2CDC896A973E5FB94311F14422ED88BC7255DE34E9028BC9

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 52.222.236.120 52.222.236.120

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000D.00000003.1775487938.00000207FC0B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1924697352.0000020806C15000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1889311189.0000020804442000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1888431224.00000207FBDE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1768102300.0000020802A9B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1886435680.0000020802A9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1888431224.00000207FBDE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1768102300.0000020802A9B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1886435680.0000020802A9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1924697352.0000020806C15000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1889311189.0000020804442000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1767694124.0000020802C9F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1885893427.0000020802CA0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1872451798.0000020802CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1767694124.0000020802C9F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1885893427.0000020802CA0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1872451798.0000020802CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1888431224.00000207FBDE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1768102300.0000020802A9B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1886435680.0000020802A9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1888431224.00000207FBDE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1768102300.0000020802A9B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1886435680.0000020802A9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.2954475347.000002508840A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2954704604.000001DB6910C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.2954475347.000002508840A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2954704604.000001DB6910C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000002.2954475347.000002508840A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2954704604.000001DB6910C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.2954475347.000002508840A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/&O equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.2954475347.000002508840A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/&O equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000002.2954475347.000002508840A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/&O equals www.youtube.com (Youtube)
Source: firefox.exe, 00000011.00000002.2954704604.000001DB6910C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/nj` equals www.facebook.com (Facebook)
Source: firefox.exe, 00000011.00000002.2954704604.000001DB6910C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/nj` equals www.twitter.com (Twitter)
Source: firefox.exe, 00000011.00000002.2954704604.000001DB6910C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/nj` equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1889311189.0000020804449000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1925885554.0000020806096000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1901003525.0000020806096000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1924697352.0000020806C15000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1889311189.0000020804442000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1925885554.0000020806096000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1901003525.0000020806096000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1911319298.00000207FC0B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1888164685.00000207FC0B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.222.236.120:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49827 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49829 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_f64fc7df-04bd-4865-a08c-b911e3a04c55.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_f64fc7df-04bd-4865-a08c-b911e3a04c55.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre