Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1542418
MD5:	345d21f1207458568ec62cf40410aa6b
SHA1:	fbad419888c95a92d0e7707a81b320ec8d516131
SHA256:	3fb5440466a4013b6f3d92e39fc0620a38376d64d27172c4af327d2b8948c8d6
Tags:	exeuser-Bitsight
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7296 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 345D21F1207458568EC62CF40410AA6B)

taskkill.exe (PID: 7312 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7408 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7464 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7528 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7592 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 7648 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://www.facebook.com/video" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7680 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7696 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7932 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0396842b-5f8c-4a85-b679-9364957dd6a4} 7696 "\\.\pipe\gecko-crash-server-pipe.7696" 21a4256f710 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7448 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4244 -parentBuildID 20230927232528 -prefsHandle 4564 -prefMapHandle 4560 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {34c7d413-63c5-4d1d-89ed-8453ea87de46} 7696 "\\.\pipe\gecko-crash-server-pipe.7696" 21a54645310 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7524 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4900 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5384 -prefMapHandle 5360 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74dd1765-0c36-4f4d-8ed0-1fe6c7988c56} 7696 "\\.\pipe\gecko-crash-server-pipe.7696" 21a541baf10 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Code function: 0_2_00D0EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00D0EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D0ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00D0ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00D0EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CFAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00CFAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D29576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00D29576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_118d961d-4
Source: file.exe, 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_9c0cb049-e
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_758db1fc-4
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_c67bbefa-7

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001B497BC6037 NtQuerySystemInformation,		16_2_000001B497BC6037
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001B4980383F2 NtQuerySystemInformation,		16_2_000001B4980383F2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CFD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00CFD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CF1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00CF1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CFE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00CFE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D02046	0_2_00D02046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C98060	0_2_00C98060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CF8298	0_2_00CF8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CCE4FF	0_2_00CCE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC676B	0_2_00CC676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D24873	0_2_00D24873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C9CAF0	0_2_00C9CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CBCAA0	0_2_00CBCAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CACC39	0_2_00CACC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C991C0	0_2_00C991C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CAB119	0_2_00CAB119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB1394	0_2_00CB1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB1706	0_2_00CB1706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB781B	0_2_00CB781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB19B0	0_2_00CB19B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA997D	0_2_00CA997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C97920	0_2_00C97920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB7A4A	0_2_00CB7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB7CA7	0_2_00CB7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB1C77	0_2_00CB1C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC9EEE	0_2_00CC9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D1BE44	0_2_00D1BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB1F32	0_2_00CB1F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001B497BC6037	16_2_000001B497BC6037
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001B4980383F2	16_2_000001B4980383F2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001B498038B1C	16_2_000001B498038B1C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001B498038432	16_2_000001B498038432

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00CB0A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00CAF9F2 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal64.evad.winEXE@34/34@67/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D037B5 GetLastError,FormatMessageW,

0_2_00D037B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CF10BF AdjustTokenPrivileges,CloseHandle,		0_2_00CF10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CF16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00CF16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D051CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00D051CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CFD4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00CFD4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D0648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00D0648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C942A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00C942A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7416:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7472:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7600:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7320:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7536:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000D.00000003.1848098486.0000021A5E2CC000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SELECT sum(count) FROM events;

Source: file.exe

ReversingLabs: Detection: 26%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://www.facebook.com/video" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0396842b-5f8c-4a85-b679-9364957dd6a4} 7696 "\\.\pipe\gecko-crash-server-pipe.7696" 21a4256f710 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4244 -parentBuildID 20230927232528 -prefsHandle 4564 -prefMapHandle 4560 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {34c7d413-63c5-4d1d-89ed-8453ea87de46} 7696 "\\.\pipe\gecko-crash-server-pipe.7696" 21a54645310 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4900 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5384 -prefMapHandle 5360 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74dd1765-0c36-4f4d-8ed0-1fe6c7988c56} 7696 "\\.\pipe\gecko-crash-server-pipe.7696" 21a541baf10 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://www.facebook.com/video" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0396842b-5f8c-4a85-b679-9364957dd6a4} 7696 "\\.\pipe\gecko-crash-server-pipe.7696" 21a4256f710 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4244 -parentBuildID 20230927232528 -prefsHandle 4564 -prefMapHandle 4560 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {34c7d413-63c5-4d1d-89ed-8453ea87de46} 7696 "\\.\pipe\gecko-crash-server-pipe.7696" 21a54645310 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4900 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5384 -prefMapHandle 5360 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74dd1765-0c36-4f4d-8ed0-1fe6c7988c56} 7696 "\\.\pipe\gecko-crash-server-pipe.7696" 21a541baf10 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000D.00000003.1812098496.0000021A5ED01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000D.00000003.1825285482.0000021A51D88000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000D.00000003.1812098496.0000021A5ED01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000D.00000003.1825285482.0000021A51D88000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C942DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB22CB push ds; retf	0_2_00CB22E2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB0A76 push ecx; ret	0_2_00CB0A89
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC7138 push esp; retf	0_2_00CC7140
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC7736 push esp; retf	0_2_00CC7737

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CAF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00CAF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D21C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00D21C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95230

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000001B497BC6037 rdtsc

16_2_000001B497BC6037

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CFDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00CFDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D068EE FindFirstFileW,FindClose,	0_2_00D068EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D0698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00D0698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CFD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00CFD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CFD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00CFD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D09642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00D09642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D0979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00D0979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D09B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00D09B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D05C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00D05C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C942DE

Source: firefox.exe, 00000010.00000002.2921653759.000001B497BE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll1
Source: firefox.exe, 0000000F.00000002.2915495501.000002B996331000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2914089019.000001B49731A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2921653759.000001B497BE0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2914465992.000002AD21811000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2921357006.000002AD21C20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000F.00000002.2921802966.000002B996812000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 0000000F.00000002.2915495501.000002B996331000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW?
Source: firefox.exe, 0000000F.00000002.2923210837.000002B996C40000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2921653759.000001B497BE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000001B497BC6037 rdtsc

16_2_000001B497BC6037

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D0EAA2 BlockInput,

0_2_00D0EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CC2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00CC2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C942DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CB4CE8 mov eax, dword ptr fs:[00000030h]

0_2_00CB4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CF0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00CF0B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00CC2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00CB083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB09D5 SetUnhandledExceptionFilter,	0_2_00CB09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00CB0C21

Source: C:\Users\user\Desktop\file.exe

0_2_00CF1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CD2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00CD2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CFB226 SendInput,keybd_event,

0_2_00CFB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D122DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00D122DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00CF0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CF1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00CF1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CB0698 cpuid

0_2_00CB0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D08195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00D08195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CED27A GetUserNameW,

0_2_00CED27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CCBB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00CCBB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C942DE

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D11204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00D11204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D11806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00D11806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	26%	ReversingLabs
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
http://detectportal.firefox.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema.	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://content-signature-2.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2020-12/schema/=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://MD8.mozilla.org/1/m	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://shavar.services.mozilla.com/	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://duckduckgo.com/?t=ffab&q=	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe
https://truecolors.firefox.com/	0%	URL Reputation	safe
https://gpuweb.github.io/gpuweb/	0%	URL Reputation	safe
http://json-schema.org/draft-07/schema#-	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	0%	URL Reputation	safe
https://www.olx.pl/	0%	URL Reputation	safe
https://support.mozilla.org/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
star-mini.c10r.facebook.com	157.240.253.35	true	false	unknown
example.org	93.184.215.14	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.129	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	151.101.65.91	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	142.250.184.206	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
reddit.map.fastly.net	151.101.193.140	true	false	unknown
ipv4only.arpa	192.0.0.170	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.2916858034.000002B996480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2920254169.000001B497B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2915932300.000002AD21980000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000011.00000002.2916896948.000002AD21BC4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://detectportal.firefox.com/	firefox.exe, 0000000D.00000003.1886536905.0000021A5BE29000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.2916858034.000002B996480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2920254169.000001B497B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2915932300.000002AD21980000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000D.00000003.1867514348.0000021A5A409000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1850003624.0000021A5A409000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000F.00000002.2917358221.000002B9966E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2916628420.000001B4976E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2921950111.000002AD21E03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000D.00000003.1749722693.0000021A5A643000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1825656662.0000021A5A642000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1750738952.0000021A5A63D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1750357514.0000021A5A625000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000011.00000002.2916896948.000002AD21B8F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000D.00000003.1884570916.0000021A53D38000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.2916858034.000002B996480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2920254169.000001B497B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2915932300.000002AD21980000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000D.00000003.1850003624.0000021A5A45F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 0000000D.00000003.1849494652.0000021A5A5C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1808318917.0000021A5A5C7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000D.00000003.1852752176.0000021A548BC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1709532416.0000021A51F00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1710093479.0000021A5215A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1710383781.0000021A52177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1709869627.0000021A5213C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1709688997.0000021A5211F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.2916858034.000002B996480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2920254169.000001B497B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2915932300.000002AD21980000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000D.00000003.1875522741.0000021A54189000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1748857160.0000021A535F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1884764203.0000021A535F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1868804484.0000021A54189000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.2916858034.000002B996480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2920254169.000001B497B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2915932300.000002AD21980000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.2916858034.000002B996480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2920254169.000001B497B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2915932300.000002AD21980000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000D.00000003.1747863250.0000021A5A4D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1809266579.0000021A5A4FA000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.2916858034.000002B996480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2920254169.000001B497B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2915932300.000002AD21980000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1849494652.0000021A5A5FA000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 0000000D.00000003.1809762919.0000021A55866000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1709532416.0000021A51F00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1710093479.0000021A5215A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1710383781.0000021A52177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1709869627.0000021A5213C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1709688997.0000021A5211F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.2916858034.000002B996480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2920254169.000001B497B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2915932300.000002AD21980000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.2916858034.000002B996480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2920254169.000001B497B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2915932300.000002AD21980000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.2916858034.000002B996480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2920254169.000001B497B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2915932300.000002AD21980000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000D.00000003.1884065564.0000021A53D79000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000D.00000003.1884570916.0000021A53D38000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000F.00000002.2917358221.000002B9966E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2916628420.000001B4976E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2921950111.000002AD21E03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.2916858034.000002B996480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2920254169.000001B497B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2915932300.000002AD21980000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.2916858034.000002B996480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2920254169.000001B497B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2915932300.000002AD21980000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.li	firefox.exe, 0000000D.00000003.1754077732.0000021A5A6AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1834509532.0000021A5A6A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1752392445.0000021A5A6AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1825656662.0000021A5A6A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1751620549.0000021A5A6AD000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.amazon.com/	firefox.exe, 0000000D.00000003.1808318917.0000021A5A5C7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.2916858034.000002B996480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2920254169.000001B497B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2915932300.000002AD21980000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	firefox.exe, 0000000D.00000003.1806833741.0000021A5AC09000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000D.00000003.1806833741.0000021A5AC5D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1896101880.0000021A5AC5D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.2916858034.000002B996480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2920254169.000001B497B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2915932300.000002AD21980000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000F.00000002.2917358221.000002B9966E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2916628420.000001B4976E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2921950111.000002AD21E03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://www.youtube.com/	firefox.exe, 0000000D.00000003.1867237868.0000021A5D893000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2916628420.000001B497603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2916896948.000002AD21B0C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000D.00000003.1764453408.0000021A533B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1764304669.0000021A53422000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1763277393.0000021A533A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1764361505.0000021A53434000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.2916858034.000002B996480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2920254169.000001B497B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2915932300.000002AD21980000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://MD8.mozilla.org/1/m	firefox.exe, 0000000D.00000003.1904552046.0000021A538A3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000011.00000002.2916896948.000002AD21BC4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000F.00000002.2916858034.000002B996480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2920254169.000001B497B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2915932300.000002AD21980000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000D.00000003.1763707227.0000021A53393000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1764304669.0000021A53422000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000D.00000003.1749164837.0000021A52FF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.2916858034.000002B996480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2920254169.000001B497B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2915932300.000002AD21980000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000D.00000003.1869575729.0000021A54156000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1876297101.0000021A54159000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000D.00000003.1886536905.0000021A5BE29000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000D.00000003.1896101880.0000021A5AC5D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 0000000D.00000003.1809266579.0000021A5A4FA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1850003624.0000021A5A45F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2916628420.000001B497612000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2916896948.000002AD21B13000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.2916858034.000002B996480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2920254169.000001B497B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2915932300.000002AD21980000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.2916858034.000002B996480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2920254169.000001B497B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2915932300.000002AD21980000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.2916858034.000002B996480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2920254169.000001B497B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2915932300.000002AD21980000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.2916858034.000002B996480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2920254169.000001B497B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2915932300.000002AD21980000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.2916858034.000002B996480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2920254169.000001B497B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2915932300.000002AD21980000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.2916858034.000002B996480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2920254169.000001B497B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2915932300.000002AD21980000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/	firefox.exe, 0000000D.00000003.1849197603.0000021A5D893000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000D.00000003.1747863250.0000021A5A4D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1809266579.0000021A5A4FA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.2916858034.000002B996480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2920254169.000001B497B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2915932300.000002AD21980000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.2916858034.000002B996480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2920254169.000001B497B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2915932300.000002AD21980000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 0000000D.00000003.1764304669.0000021A53422000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.2916858034.000002B996480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2920254169.000001B497B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2915932300.000002AD21980000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.2916858034.000002B996480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2920254169.000001B497B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2915932300.000002AD21980000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.1863573390.0000021A540C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1814007391.0000021A53FC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1747211706.0000021A5A548000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1867850376.0000021A546B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1749722693.0000021A5A6C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1823636934.0000021A53FC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1810290359.0000021A5582A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1809762919.0000021A5584E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1821945080.0000021A524BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1814007391.0000021A53FB4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1773775552.0000021A5D9FC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1842782784.0000021A533B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1712749844.0000021A52151000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1747211706.0000021A5A52E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1751620549.0000021A5A6C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1749722693.0000021A5A69A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1760177378.0000021A54CEF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1834509532.0000021A5A69D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1820930659.0000021A54CF4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1877982299.0000021A5320A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1809016431.0000021A5A52A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.1809762919.0000021A55866000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.1809762919.0000021A55856000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1809762919.0000021A55866000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.2916858034.000002B996480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2920254169.000001B497B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2915932300.000002AD21980000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000D.00000003.1851209866.0000021A5493C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000D.00000003.1749722693.0000021A5A643000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1825656662.0000021A5A642000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1750738952.0000021A5A63D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1750357514.0000021A5A625000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.2916858034.000002B996480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2920254169.000001B497B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2915932300.000002AD21980000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000D.00000003.1848098486.0000021A5E2CC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture0	firefox.exe, 0000000D.00000003.1806833741.0000021A5AC5D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.2916858034.000002B996480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2920254169.000001B497B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2915932300.000002AD21980000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1712847419.0000021A51933000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1715829172.0000021A51931000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1714304584.0000021A51918000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000D.00000003.1764304669.0000021A53422000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000D.00000003.1901316389.0000021A53E6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1883579491.0000021A53E69000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.2916858034.000002B996480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2920254169.000001B497B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2915932300.000002AD21980000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000D.00000003.1890763869.0000021A5A2F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1850251676.0000021A5A2F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1897456663.0000021A5A2F4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1809418974.0000021A5A2EC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000D.00000003.1764453408.0000021A533B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1764304669.0000021A53422000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1763277393.0000021A533A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1764361505.0000021A53434000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1712847419.0000021A51933000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1715829172.0000021A51931000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1714304584.0000021A51918000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000F.00000002.2917358221.000002B9966E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2916628420.000001B4976E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2921950111.000002AD21E03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000D.00000003.1850003624.0000021A5A409000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2916858034.000002B996480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2920254169.000001B497B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2915932300.000002AD21980000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000D.00000003.1866808193.0000021A5DFBB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1808318917.0000021A5A5C7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 0000000F.00000002.2916858034.000002B996480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2920254169.000001B497B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2915932300.000002AD21980000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 0000000D.00000003.1709688997.0000021A5211F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://truecolors.firefox.com/	firefox.exe, 0000000D.00000003.1849197603.0000021A5D893000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/search	firefox.exe, 0000000D.00000003.1850003624.0000021A5A45F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://gpuweb.github.io/gpuweb/	firefox.exe, 0000000D.00000003.1747863250.0000021A5A4D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1809266579.0000021A5A4FA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://relay.firefox.com/api/v1/	firefox.exe, 0000000F.00000002.2916858034.000002B996480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2920254169.000001B497B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2915932300.000002AD21980000.00000002.10000000.00040000.00000000.sdmp	false		unknown
http://json-schema.org/draft-07/schema#-	firefox.exe, 0000000D.00000003.1884570916.0000021A53D38000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 0000000F.00000002.2916858034.000002B996480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2920254169.000001B497B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2915932300.000002AD21980000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://topsites.services.mozilla.com/cid/	firefox.exe, 0000000F.00000002.2916858034.000002B996480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2920254169.000001B497B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2915932300.000002AD21980000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://twitter.com/	firefox.exe, 0000000D.00000003.1867237868.0000021A5D893000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCaptureWebExtensionUncheckedLastErr	firefox.exe, 0000000D.00000003.1887390842.0000021A5AC5B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.olx.pl/	firefox.exe, 0000000D.00000003.1851209866.0000021A5493C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1193802	firefox.exe, 0000000D.00000003.1764453408.0000021A533B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1764304669.0000021A53422000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1763277393.0000021A533A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1764361505.0000021A53434000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/	firefox.exe, 0000000D.00000003.1849197603.0000021A5D893000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
151.101.65.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
157.240.253.35	star-mini.c10r.facebook.com	United States	32934	FACEBOOKUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1542418
Start date and time:	2024-10-25 22:17:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal64.evad.winEXE@34/34@67/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 94% Number of executed functions: 40 Number of non-executed functions: 299
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 44.231.229.39, 52.13.186.250, 34.208.54.237, 142.250.181.238, 2.22.61.59, 2.22.61.56, 142.250.186.74, 172.217.16.202, 216.58.206.78
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
16:18:06	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	1.zip	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
34.149.100.209	1.zip	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
34.160.144.191	1.zip	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
151.101.65.91	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
services.addons.mozilla.org	1.zip	Get hash	malicious	Unknown	Browse	151.101.1.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.1.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.1.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.1.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.193.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.65.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.193.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.1.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.129.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.65.91
example.org	1.zip	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
dyna.wikimedia.org	1.zip	Get hash	malicious	Unknown	Browse	185.15.59.224
	file.exe	Get hash	malicious	Unknown	Browse	185.15.59.224
	file.exe	Get hash	malicious	Unknown	Browse	185.15.59.224
	file.exe	Get hash	malicious	Unknown	Browse	185.15.59.224
	file.exe	Get hash	malicious	Unknown	Browse	185.15.59.224
	file.exe	Get hash	malicious	Unknown	Browse	185.15.59.224
	file.exe	Get hash	malicious	Unknown	Browse	185.15.59.224
	file.exe	Get hash	malicious	Unknown	Browse	185.15.59.224
	file.exe	Get hash	malicious	Unknown	Browse	185.15.59.224
	file.exe	Get hash	malicious	Unknown	Browse	185.15.59.224
twitter.com	1.zip	Get hash	malicious	Unknown	Browse	104.244.42.129
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.1
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.1
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.193
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.1
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.1
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.65
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.193
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.129
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.129

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	1.zip	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	botnet.arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	34.65.244.170
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	VertusinstruccionesFedEX_66521.zip	Get hash	malicious	Unknown	Browse	34.117.59.81
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
ATGS-MMD-ASUS	http://www.wattpad.com	Get hash	malicious	Unknown	Browse	34.149.50.64
	1.zip	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	botnet.arm.elf	Get hash	malicious	Mirai, Moobot	Browse	48.20.40.178
	botnet.arm5.elf	Get hash	malicious	Mirai, Moobot	Browse	48.234.244.144
	botnet.arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	32.201.52.1
	botnet.mips.elf	Get hash	malicious	Mirai, Moobot	Browse	48.25.107.161
	botnet.m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	48.63.240.255
	botnet.mpsl.elf	Get hash	malicious	Mirai, Moobot	Browse	34.133.175.89
FASTLYUS	Bill Payment__8084746.html	Get hash	malicious	Unknown	Browse	151.101.65.229
	http://www.wattpad.com	Get hash	malicious	Unknown	Browse	151.101.2.49
	1.zip	Get hash	malicious	Unknown	Browse	151.101.1.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.1.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.1.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.1.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.193.91
	https://www.google.ca/url?q=nyYhuJkyZc5becm4Aebd&rct=dHYJbECHyHBgmK2d6Hkk&sa=t&esrc=VPIIRnP5TJCWQChPCgwH&source=&cd=TWsylIzvnNqdQKP0bZIw&uact=&url=amp/uniquestarsent.com/ck/bd/BNsT048mrEEHImhtrfrgmcfu/a2Vubml0aC5jYXNlQGFkdmFuY2UtYXV0by5jb20	Get hash	malicious	HTMLPhisher	Browse	151.101.193.229
	https://accesspage853.ubpages.com/4k5-ffdfg	Get hash	malicious	Unknown	Browse	151.101.0.238
	https://beta.adiance.com/wp-content/plugins/arull.php?7096797967704b5369323074645079557a5054436e4e5379314f7a644d725474524c7a732f564c7a4f4b794d6a574277413dhttps://digidunesen.sa.com/v2Xhk/#X%5Bemail%5D	Get hash	malicious	HTMLPhisher	Browse	151.101.129.229
ATGS-MMD-ASUS	http://www.wattpad.com	Get hash	malicious	Unknown	Browse	34.149.50.64
	1.zip	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	botnet.arm.elf	Get hash	malicious	Mirai, Moobot	Browse	48.20.40.178
	botnet.arm5.elf	Get hash	malicious	Mirai, Moobot	Browse	48.234.244.144
	botnet.arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	32.201.52.1
	botnet.mips.elf	Get hash	malicious	Mirai, Moobot	Browse	48.25.107.161
	botnet.m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	48.63.240.255
	botnet.mpsl.elf	Get hash	malicious	Mirai, Moobot	Browse	34.133.175.89

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	1.zip	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	1.zip	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	1.zip	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_60f973d7-f2f9-4ea4-8e72-c7f40f019b7e.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.173519414763932
Encrypted:	false
SSDEEP:	192:ejMXc+xcbhbVbTbfbRbObtbyEl7n02erNJA6WnSrDtTUd/SkDrT:eY9cNhnzFSJgrIBnSrDhUd/p
MD5:	305D3782EC25958446C57F58515A30DA
SHA1:	1502FD42C2C7B7B292124349662B64201B80DC1E
SHA-256:	D0E870EF75FCCACD0402497EEC0D20DD66A89B92820CDE1EAF6A87EBCBC57392
SHA-512:	9C9AC656EF118C9268F69E99DBCA29E0530A541664A16BD5E83E4073D74BB1377470DD0FD61C29F2439EBCFC0AE2B7E169D6E9DC82D167CFDDD1403B28A5FF3C
Malicious:	false
Preview:	{"type":"uninstall","id":"60f973d7-f2f9-4ea4-8e72-c7f40f019b7e","creationDate":"2024-10-25T21:40:28.045Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_60f973d7-f2f9-4ea4-8e72-c7f40f019b7e.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.173519414763932
Encrypted:	false
SSDEEP:	192:ejMXc+xcbhbVbTbfbRbObtbyEl7n02erNJA6WnSrDtTUd/SkDrT:eY9cNhnzFSJgrIBnSrDhUd/p
MD5:	305D3782EC25958446C57F58515A30DA
SHA1:	1502FD42C2C7B7B292124349662B64201B80DC1E
SHA-256:	D0E870EF75FCCACD0402497EEC0D20DD66A89B92820CDE1EAF6A87EBCBC57392
SHA-512:	9C9AC656EF118C9268F69E99DBCA29E0530A541664A16BD5E83E4073D74BB1377470DD0FD61C29F2439EBCFC0AE2B7E169D6E9DC82D167CFDDD1403B28A5FF3C
Malicious:	false
Preview:	{"type":"uninstall","id":"60f973d7-f2f9-4ea4-8e72-c7f40f019b7e","creationDate":"2024-10-25T21:40:28.045Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.9305904223121475
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakN59u:8S+OfJQPUFpOdwNIOdYVjvYcXaNLyJ8P
MD5:	F66A9857F572002FADED5F450600B93E
SHA1:	0B9B2F1AB2953074457B1A2E1A8AA53DC5BEFC16
SHA-256:	101E79537138748EFF0D262E5C7D4786C7B9E2CACDC763553B0B8A4CD0616E88
SHA-512:	4DB3850878D1C4AA7FE4D8976B36A56CE4C4C7C7A96F08CE22CA8ED7C732C494BFA0A10165422592F5CA3B6996E9FC47FEC50170DCF916B19835C13CD2F685A3
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.9305904223121475
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakN59u:8S+OfJQPUFpOdwNIOdYVjvYcXaNLyJ8P
MD5:	F66A9857F572002FADED5F450600B93E
SHA1:	0B9B2F1AB2953074457B1A2E1A8AA53DC5BEFC16
SHA-256:	101E79537138748EFF0D262E5C7D4786C7B9E2CACDC763553B0B8A4CD0616E88
SHA-512:	4DB3850878D1C4AA7FE4D8976B36A56CE4C4C7C7A96F08CE22CA8ED7C732C494BFA0A10165422592F5CA3B6996E9FC47FEC50170DCF916B19835C13CD2F685A3
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 1.zip, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 1.zip, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07328293361294239
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkipA8:DLhesh7Owd4+ji
MD5:	A5283019867A98A7F5ECA455ECDD8DC3
SHA1:	0330D27081C40712138108BBE234919C6C009361
SHA-256:	CAFFF671FA7955C0CB2F88C39ED7C025F456C1CC0E54B082B137C8273060025A
SHA-512:	73307A442277CCB23CF14E3D8389BB1E3B4D28B1CDD627A6B83890169F9D1A05508B4A2187F817F44F3765D6E913263247147EA452F9CB67B5D4A8A22E8A269C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035577876577226504
Encrypted:	false
SSDEEP:	3:GtlstFbHH8CQI8pW01lI3lstFbHH8CQI8pW01///T89//alEl:GtWtqCd8v1i3WtqCd8v1XL89XuM
MD5:	2CFF019A4DB040087D817884ECB02604
SHA1:	90AD544CCBBB1C7119D172C6D8C6953004B88E7F
SHA-256:	2109DDD3A2DC1C63429BF11EFA41BD80F9E37CD2EEAA43C8C1EE4043A31E89D9
SHA-512:	7FF7B7BCD4DA4E3640043E76E68AD549CFB710AB0FCF5EE0797D9C259E06E8E3DBA5EE8C896D061087C853BE8FF470D2A44E56EA6901B5B509E0866B577C09A0
Malicious:	false
Preview:	..-.......................F......l.m..\.$.4.u...-.......................F......l.m..\.$.4.u.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03989725522705737
Encrypted:	false
SSDEEP:	3:Ol1q0KaVHf183Ll8rEXsxdwhml8XW3R2:KAa387l8dMhm93w
MD5:	035B234D9F3B98F157172B70B3C49EB5
SHA1:	C6C2A12597DEA4966E40DC6826FDD77BA533A52A
SHA-256:	10CB5839FBE676FDCC03BC9D300B1CBCA5287DC3EA2C1F0095F8DE8ACB07C518
SHA-512:	E50D942139B0E74EC1B6BAD8094E0311BB2A4685BB138EB31F628C1D3C50CCAA9A92CF84F313163C956366ED5E6881F048B291722225A451D31AC278F601C0F1
Malicious:	false
Preview:	7....-...........l.m..\.C\|o.0.!.........l.m..\..F......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.494926901110001
Encrypted:	false
SSDEEP:	192:xzoEzKdRVnaRtLYbBp6Jdhj4qyaaX1k6KaPj4NqE5RfGNBw8dSeSl:3eJqirs3cwxe0
MD5:	1875848E7DF30D43F9A9E7CD99D3ED8F
SHA1:	A63B93BDF612E1263451E936F4C08B688172612B
SHA-256:	D0E3B48DF2800A22CDB52DADD9CD526AC9AB02303D66BBCEAFAC246738769E13
SHA-512:	A892ED07E56B7636B4D7FE1F2BEFB0896FF0C2FBC3F8D227772E435DE4214DA6E2DBB7FCF8961FE33A658C118DBC781CECEBC0ABCCAEB018BBD404C7BA0A3AFF
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1729892398);..user_pref("app.update.lastUpdateTime.background-update-timer", 1729892398);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1729892398);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172989

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.494926901110001
Encrypted:	false
SSDEEP:	192:xzoEzKdRVnaRtLYbBp6Jdhj4qyaaX1k6KaPj4NqE5RfGNBw8dSeSl:3eJqirs3cwxe0
MD5:	1875848E7DF30D43F9A9E7CD99D3ED8F
SHA1:	A63B93BDF612E1263451E936F4C08B688172612B
SHA-256:	D0E3B48DF2800A22CDB52DADD9CD526AC9AB02303D66BBCEAFAC246738769E13
SHA-512:	A892ED07E56B7636B4D7FE1F2BEFB0896FF0C2FBC3F8D227772E435DE4214DA6E2DBB7FCF8961FE33A658C118DBC781CECEBC0ABCCAEB018BBD404C7BA0A3AFF
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1729892398);..user_pref("app.update.lastUpdateTime.background-update-timer", 1729892398);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1729892398);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172989

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5761 bytes
Category:	dropped
Size (bytes):	1531
Entropy (8bit):	6.311183455269941
Encrypted:	false
SSDEEP:	24:vHSUG6YOyLXrIgAfjpnQGeT5sCIdkPJHVQj6aQFDhuje6tOsIomN5ryNge4:fpq3ApefhHaQ0e6tIINR4
MD5:	32AF97E9BE341F6CE2AF9257036A254C
SHA1:	FE93BC4BA194F6807162FAA95F4E1CDF7D5027ED
SHA-256:	1843BF0E3BDCF84ED95D57F8B962C46E0EF4A9C5F77E76B57B9DCB0EF997FBA6
SHA-512:	029CFDE4A68B640FA8F16EE5E12FC877663F3D2123E2C22F2A5DD298707AE205B8008B4E8F0C530F019EF7BB5DC33F4BABD6226EE5CF72031EB8F46D1C3301BC
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://www.facebook.com/video","title)....cacheKey":0,"ID":6,"docshellUU...D"{fdfb630f-4be1-4001-be43-4dfe960fbb73}","resultPrincipalURI":null,"hasUserInteract....true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1729892402647,"hidden":false,"searchMode...userContextId...attribut\|..{},"index":1...questedI..p0,"imags...chrome://global/skin/icons/warning.svg"..aselect...,"_closedT..@],"_...C....GroupCount":-1,"busy...t...Flags":2167541758P...dth":1164,"height":891,"screenX":4...Y..Aizem..."maximized"...BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...W...l...........:..<.1":{..jUpdate...8,"startTim..Q36758...centCrash..B0},".....Dcookr. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,..Donly..eexpiry....373019,"originA...."firstPartyDomain":"","geckoViewS..

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5761 bytes
Category:	dropped
Size (bytes):	1531
Entropy (8bit):	6.311183455269941
Encrypted:	false
SSDEEP:	24:vHSUG6YOyLXrIgAfjpnQGeT5sCIdkPJHVQj6aQFDhuje6tOsIomN5ryNge4:fpq3ApefhHaQ0e6tIINR4
MD5:	32AF97E9BE341F6CE2AF9257036A254C
SHA1:	FE93BC4BA194F6807162FAA95F4E1CDF7D5027ED
SHA-256:	1843BF0E3BDCF84ED95D57F8B962C46E0EF4A9C5F77E76B57B9DCB0EF997FBA6
SHA-512:	029CFDE4A68B640FA8F16EE5E12FC877663F3D2123E2C22F2A5DD298707AE205B8008B4E8F0C530F019EF7BB5DC33F4BABD6226EE5CF72031EB8F46D1C3301BC
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://www.facebook.com/video","title)....cacheKey":0,"ID":6,"docshellUU...D"{fdfb630f-4be1-4001-be43-4dfe960fbb73}","resultPrincipalURI":null,"hasUserInteract....true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1729892402647,"hidden":false,"searchMode...userContextId...attribut\|..{},"index":1...questedI..p0,"imags...chrome://global/skin/icons/warning.svg"..aselect...,"_closedT..@],"_...C....GroupCount":-1,"busy...t...Flags":2167541758P...dth":1164,"height":891,"screenX":4...Y..Aizem..."maximized"...BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...W...l...........:..<.1":{..jUpdate...8,"startTim..Q36758...centCrash..B0},".....Dcookr. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,..Donly..eexpiry....373019,"originA...."firstPartyDomain":"","geckoViewS..

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5761 bytes
Category:	dropped
Size (bytes):	1531
Entropy (8bit):	6.311183455269941
Encrypted:	false
SSDEEP:	24:vHSUG6YOyLXrIgAfjpnQGeT5sCIdkPJHVQj6aQFDhuje6tOsIomN5ryNge4:fpq3ApefhHaQ0e6tIINR4
MD5:	32AF97E9BE341F6CE2AF9257036A254C
SHA1:	FE93BC4BA194F6807162FAA95F4E1CDF7D5027ED
SHA-256:	1843BF0E3BDCF84ED95D57F8B962C46E0EF4A9C5F77E76B57B9DCB0EF997FBA6
SHA-512:	029CFDE4A68B640FA8F16EE5E12FC877663F3D2123E2C22F2A5DD298707AE205B8008B4E8F0C530F019EF7BB5DC33F4BABD6226EE5CF72031EB8F46D1C3301BC
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://www.facebook.com/video","title)....cacheKey":0,"ID":6,"docshellUU...D"{fdfb630f-4be1-4001-be43-4dfe960fbb73}","resultPrincipalURI":null,"hasUserInteract....true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1729892402647,"hidden":false,"searchMode...userContextId...attribut\|..{},"index":1...questedI..p0,"imags...chrome://global/skin/icons/warning.svg"..aselect...,"_closedT..@],"_...C....GroupCount":-1,"busy...t...Flags":2167541758P...dth":1164,"height":891,"screenX":4...Y..Aizem..."maximized"...BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...W...l...........:..<.1":{..jUpdate...8,"startTim..Q36758...centCrash..B0},".....Dcookr. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,..Donly..eexpiry....373019,"originA...."firstPartyDomain":"","geckoViewS..

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.033872381347125
Encrypted:	false
SSDEEP:	48:YrSAYeDr6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcb5:ycGryTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	9DF5DBF2C3F8BC472CF3E40E2FA94F48
SHA1:	1549894BC53D5F57479D5D1E7BFD23DF888C3FD6
SHA-256:	27C16A1B2A0E5C4EC64BCF2FBE36E00E55D8E6E1ADE88034672383537C46AE58
SHA-512:	197E0BE261951A82ADF972912BDE93D77CB1C6FD1CD09BD894A02CC8D58939AF0A5DD015B6F13E3B3F41D59D4D342FFFCBB55D6787366289DBB4BD708AE3AB8A
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-25T21:39:42.453Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.033872381347125
Encrypted:	false
SSDEEP:	48:YrSAYeDr6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcb5:ycGryTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	9DF5DBF2C3F8BC472CF3E40E2FA94F48
SHA1:	1549894BC53D5F57479D5D1E7BFD23DF888C3FD6
SHA-256:	27C16A1B2A0E5C4EC64BCF2FBE36E00E55D8E6E1ADE88034672383537C46AE58
SHA-512:	197E0BE261951A82ADF972912BDE93D77CB1C6FD1CD09BD894A02CC8D58939AF0A5DD015B6F13E3B3F41D59D4D342FFFCBB55D6787366289DBB4BD708AE3AB8A
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-25T21:39:42.453Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.583728530504982
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'040 bytes
MD5:	345d21f1207458568ec62cf40410aa6b
SHA1:	fbad419888c95a92d0e7707a81b320ec8d516131
SHA256:	3fb5440466a4013b6f3d92e39fc0620a38376d64d27172c4af327d2b8948c8d6
SHA512:	884d5a73b38d4276449eef0f90da1e90e62a073c9a948a54bf6ead602a2483be32251556d4aa8ac2b4d9ea5e8e3f8494e8f1db0f8d1a4c6b250647070da40cce
SSDEEP:	12288:yqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgagT8:yqDEvCTbMWu7rQYlBQcBiT6rprG8a48
TLSH:	24159E0273D1C062FF9B92334B5AF6515BBC69260123E61F13A81DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x671BF79E [Fri Oct 25 19:55:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F54007D3743h
jmp 00007F54007D304Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F54007D322Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F54007D31FAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F54007D5DEDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F54007D5E38h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F54007D5E21h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9bf4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9bf4	0x9c00	5eba18d0d4b2477c757f31971e58dbf4	False	0.31823417467948717	data	5.330624406114606	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xebc	data			1.002916224814422
RT_GROUP_ICON	0xdd674	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd6ec	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd700	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd714	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd728	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd804	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2024 22:18:04.063333988 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 25, 2024 22:18:04.063426971 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 25, 2024 22:18:04.064445972 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 25, 2024 22:18:04.071897030 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 25, 2024 22:18:04.071933985 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 25, 2024 22:18:04.696954966 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 25, 2024 22:18:04.701145887 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 25, 2024 22:18:04.709712982 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 25, 2024 22:18:04.709764004 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 25, 2024 22:18:04.709835052 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 25, 2024 22:18:04.710410118 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 25, 2024 22:18:04.710479021 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 25, 2024 22:18:06.089982986 CEST	49738	443	192.168.2.4	157.240.253.35
Oct 25, 2024 22:18:06.090029001 CEST	443	49738	157.240.253.35	192.168.2.4
Oct 25, 2024 22:18:06.097521067 CEST	49738	443	192.168.2.4	157.240.253.35
Oct 25, 2024 22:18:06.099360943 CEST	49738	443	192.168.2.4	157.240.253.35
Oct 25, 2024 22:18:06.099385023 CEST	443	49738	157.240.253.35	192.168.2.4
Oct 25, 2024 22:18:06.257214069 CEST	49739	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:06.258112907 CEST	49740	443	192.168.2.4	157.240.253.35
Oct 25, 2024 22:18:06.258204937 CEST	443	49740	157.240.253.35	192.168.2.4
Oct 25, 2024 22:18:06.264370918 CEST	49740	443	192.168.2.4	157.240.253.35
Oct 25, 2024 22:18:06.264542103 CEST	80	49739	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:06.265736103 CEST	49740	443	192.168.2.4	157.240.253.35
Oct 25, 2024 22:18:06.265774012 CEST	443	49740	157.240.253.35	192.168.2.4
Oct 25, 2024 22:18:06.265952110 CEST	49739	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:06.266074896 CEST	49739	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:06.273750067 CEST	80	49739	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:06.760006905 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 25, 2024 22:18:06.760097027 CEST	443	49741	34.117.188.166	192.168.2.4
Oct 25, 2024 22:18:06.760185957 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 25, 2024 22:18:06.761640072 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 25, 2024 22:18:06.761677980 CEST	443	49741	34.117.188.166	192.168.2.4
Oct 25, 2024 22:18:06.806297064 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 25, 2024 22:18:06.806392908 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 25, 2024 22:18:06.808820009 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 25, 2024 22:18:06.810214043 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 25, 2024 22:18:06.810250998 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 25, 2024 22:18:06.834889889 CEST	49743	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:06.834934950 CEST	443	49743	35.244.181.201	192.168.2.4
Oct 25, 2024 22:18:06.835141897 CEST	49743	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:06.835247993 CEST	49743	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:06.835262060 CEST	443	49743	35.244.181.201	192.168.2.4
Oct 25, 2024 22:18:06.879986048 CEST	80	49739	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:06.932848930 CEST	49739	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:06.962147951 CEST	443	49738	157.240.253.35	192.168.2.4
Oct 25, 2024 22:18:06.962161064 CEST	443	49738	157.240.253.35	192.168.2.4
Oct 25, 2024 22:18:06.964917898 CEST	49738	443	192.168.2.4	157.240.253.35
Oct 25, 2024 22:18:06.969429970 CEST	49738	443	192.168.2.4	157.240.253.35
Oct 25, 2024 22:18:06.969443083 CEST	443	49738	157.240.253.35	192.168.2.4
Oct 25, 2024 22:18:06.969551086 CEST	49738	443	192.168.2.4	157.240.253.35
Oct 25, 2024 22:18:06.969862938 CEST	443	49738	157.240.253.35	192.168.2.4
Oct 25, 2024 22:18:06.969907999 CEST	49738	443	192.168.2.4	157.240.253.35
Oct 25, 2024 22:18:07.023359060 CEST	49745	443	192.168.2.4	34.160.144.191
Oct 25, 2024 22:18:07.023415089 CEST	443	49745	34.160.144.191	192.168.2.4
Oct 25, 2024 22:18:07.026400089 CEST	49745	443	192.168.2.4	34.160.144.191
Oct 25, 2024 22:18:07.026583910 CEST	49745	443	192.168.2.4	34.160.144.191
Oct 25, 2024 22:18:07.026595116 CEST	443	49745	34.160.144.191	192.168.2.4
Oct 25, 2024 22:18:07.122991085 CEST	49746	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:07.123434067 CEST	443	49740	157.240.253.35	192.168.2.4
Oct 25, 2024 22:18:07.126936913 CEST	49740	443	192.168.2.4	157.240.253.35
Oct 25, 2024 22:18:07.129563093 CEST	80	49746	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:07.131110907 CEST	49740	443	192.168.2.4	157.240.253.35
Oct 25, 2024 22:18:07.131133080 CEST	443	49740	157.240.253.35	192.168.2.4
Oct 25, 2024 22:18:07.131391048 CEST	49740	443	192.168.2.4	157.240.253.35
Oct 25, 2024 22:18:07.131434917 CEST	443	49740	157.240.253.35	192.168.2.4
Oct 25, 2024 22:18:07.131561995 CEST	49747	443	192.168.2.4	157.240.253.35
Oct 25, 2024 22:18:07.131604910 CEST	443	49747	157.240.253.35	192.168.2.4
Oct 25, 2024 22:18:07.133479118 CEST	49740	443	192.168.2.4	157.240.253.35
Oct 25, 2024 22:18:07.133490086 CEST	49746	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:07.133656025 CEST	49747	443	192.168.2.4	157.240.253.35
Oct 25, 2024 22:18:07.133656979 CEST	49746	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:07.134993076 CEST	49747	443	192.168.2.4	157.240.253.35
Oct 25, 2024 22:18:07.135015965 CEST	443	49747	157.240.253.35	192.168.2.4
Oct 25, 2024 22:18:07.141628981 CEST	80	49746	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:07.396019936 CEST	443	49741	34.117.188.166	192.168.2.4
Oct 25, 2024 22:18:07.396239996 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 25, 2024 22:18:07.400027990 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 25, 2024 22:18:07.400057077 CEST	443	49741	34.117.188.166	192.168.2.4
Oct 25, 2024 22:18:07.400134087 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 25, 2024 22:18:07.400343895 CEST	443	49741	34.117.188.166	192.168.2.4
Oct 25, 2024 22:18:07.400473118 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 25, 2024 22:18:07.400530100 CEST	443	49748	34.117.188.166	192.168.2.4
Oct 25, 2024 22:18:07.402997017 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 25, 2024 22:18:07.402997017 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 25, 2024 22:18:07.404373884 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 25, 2024 22:18:07.404402971 CEST	443	49748	34.117.188.166	192.168.2.4
Oct 25, 2024 22:18:07.432445049 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 25, 2024 22:18:07.434087992 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 25, 2024 22:18:07.442447901 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 25, 2024 22:18:07.442466974 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 25, 2024 22:18:07.442512035 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 25, 2024 22:18:07.442744017 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 25, 2024 22:18:07.442820072 CEST	49749	443	192.168.2.4	34.117.188.166
Oct 25, 2024 22:18:07.442868948 CEST	443	49749	34.117.188.166	192.168.2.4
Oct 25, 2024 22:18:07.443423986 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 25, 2024 22:18:07.443423986 CEST	49749	443	192.168.2.4	34.117.188.166
Oct 25, 2024 22:18:07.444654942 CEST	49749	443	192.168.2.4	34.117.188.166
Oct 25, 2024 22:18:07.444693089 CEST	443	49749	34.117.188.166	192.168.2.4
Oct 25, 2024 22:18:07.461806059 CEST	443	49743	35.244.181.201	192.168.2.4
Oct 25, 2024 22:18:07.461878061 CEST	49743	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:07.464670897 CEST	49743	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:07.464683056 CEST	443	49743	35.244.181.201	192.168.2.4
Oct 25, 2024 22:18:07.465135098 CEST	443	49743	35.244.181.201	192.168.2.4
Oct 25, 2024 22:18:07.467632055 CEST	49743	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:07.467710018 CEST	49743	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:07.467849970 CEST	443	49743	35.244.181.201	192.168.2.4
Oct 25, 2024 22:18:07.467911959 CEST	49743	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:07.559351921 CEST	49739	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:07.565224886 CEST	80	49739	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:07.565462112 CEST	49739	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:07.647681952 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:07.653373003 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:07.657057047 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:07.657469988 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:07.663549900 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:07.664098978 CEST	443	49745	34.160.144.191	192.168.2.4
Oct 25, 2024 22:18:07.672667027 CEST	49745	443	192.168.2.4	34.160.144.191
Oct 25, 2024 22:18:07.681643009 CEST	49745	443	192.168.2.4	34.160.144.191
Oct 25, 2024 22:18:07.681684971 CEST	443	49745	34.160.144.191	192.168.2.4
Oct 25, 2024 22:18:07.682609081 CEST	443	49745	34.160.144.191	192.168.2.4
Oct 25, 2024 22:18:07.683765888 CEST	49745	443	192.168.2.4	34.160.144.191
Oct 25, 2024 22:18:07.683861971 CEST	49745	443	192.168.2.4	34.160.144.191
Oct 25, 2024 22:18:07.684195042 CEST	443	49745	34.160.144.191	192.168.2.4
Oct 25, 2024 22:18:07.684231997 CEST	49751	443	192.168.2.4	34.160.144.191
Oct 25, 2024 22:18:07.684266090 CEST	443	49751	34.160.144.191	192.168.2.4
Oct 25, 2024 22:18:07.686336994 CEST	49745	443	192.168.2.4	34.160.144.191
Oct 25, 2024 22:18:07.686336994 CEST	49745	443	192.168.2.4	34.160.144.191
Oct 25, 2024 22:18:07.686382055 CEST	49751	443	192.168.2.4	34.160.144.191
Oct 25, 2024 22:18:07.686640978 CEST	49751	443	192.168.2.4	34.160.144.191
Oct 25, 2024 22:18:07.686659098 CEST	443	49751	34.160.144.191	192.168.2.4
Oct 25, 2024 22:18:07.741580963 CEST	80	49746	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:07.745903015 CEST	49746	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:07.754059076 CEST	80	49746	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:07.754865885 CEST	49746	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:07.930627108 CEST	49753	443	192.168.2.4	34.107.243.93
Oct 25, 2024 22:18:07.930720091 CEST	443	49753	34.107.243.93	192.168.2.4
Oct 25, 2024 22:18:07.934031010 CEST	49753	443	192.168.2.4	34.107.243.93
Oct 25, 2024 22:18:07.935518980 CEST	49753	443	192.168.2.4	34.107.243.93
Oct 25, 2024 22:18:07.935553074 CEST	443	49753	34.107.243.93	192.168.2.4
Oct 25, 2024 22:18:08.010255098 CEST	443	49747	157.240.253.35	192.168.2.4
Oct 25, 2024 22:18:08.010628939 CEST	49747	443	192.168.2.4	157.240.253.35
Oct 25, 2024 22:18:08.014911890 CEST	49747	443	192.168.2.4	157.240.253.35
Oct 25, 2024 22:18:08.014942884 CEST	443	49747	157.240.253.35	192.168.2.4
Oct 25, 2024 22:18:08.014987946 CEST	49747	443	192.168.2.4	157.240.253.35
Oct 25, 2024 22:18:08.015697002 CEST	443	49747	157.240.253.35	192.168.2.4
Oct 25, 2024 22:18:08.020534039 CEST	49747	443	192.168.2.4	157.240.253.35
Oct 25, 2024 22:18:08.023113012 CEST	443	49748	34.117.188.166	192.168.2.4
Oct 25, 2024 22:18:08.025365114 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 25, 2024 22:18:08.033135891 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 25, 2024 22:18:08.033164024 CEST	443	49748	34.117.188.166	192.168.2.4
Oct 25, 2024 22:18:08.033216953 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 25, 2024 22:18:08.033428907 CEST	443	49748	34.117.188.166	192.168.2.4
Oct 25, 2024 22:18:08.035757065 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 25, 2024 22:18:08.062906027 CEST	443	49749	34.117.188.166	192.168.2.4
Oct 25, 2024 22:18:08.063126087 CEST	49749	443	192.168.2.4	34.117.188.166
Oct 25, 2024 22:18:08.067341089 CEST	49749	443	192.168.2.4	34.117.188.166
Oct 25, 2024 22:18:08.067375898 CEST	443	49749	34.117.188.166	192.168.2.4
Oct 25, 2024 22:18:08.067416906 CEST	49749	443	192.168.2.4	34.117.188.166
Oct 25, 2024 22:18:08.067712069 CEST	443	49749	34.117.188.166	192.168.2.4
Oct 25, 2024 22:18:08.075596094 CEST	49754	443	192.168.2.4	34.117.188.166
Oct 25, 2024 22:18:08.075681925 CEST	443	49754	34.117.188.166	192.168.2.4
Oct 25, 2024 22:18:08.076008081 CEST	49749	443	192.168.2.4	34.117.188.166
Oct 25, 2024 22:18:08.076081991 CEST	49754	443	192.168.2.4	34.117.188.166
Oct 25, 2024 22:18:08.077500105 CEST	49754	443	192.168.2.4	34.117.188.166
Oct 25, 2024 22:18:08.077538967 CEST	443	49754	34.117.188.166	192.168.2.4
Oct 25, 2024 22:18:08.082231045 CEST	49755	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:18:08.082319021 CEST	443	49755	34.120.208.123	192.168.2.4
Oct 25, 2024 22:18:08.082413912 CEST	49755	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:18:08.083770037 CEST	49755	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:18:08.083808899 CEST	443	49755	34.120.208.123	192.168.2.4
Oct 25, 2024 22:18:08.255821943 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:08.295500040 CEST	443	49751	34.160.144.191	192.168.2.4
Oct 25, 2024 22:18:08.296799898 CEST	49751	443	192.168.2.4	34.160.144.191
Oct 25, 2024 22:18:08.300249100 CEST	49751	443	192.168.2.4	34.160.144.191
Oct 25, 2024 22:18:08.300261021 CEST	443	49751	34.160.144.191	192.168.2.4
Oct 25, 2024 22:18:08.300705910 CEST	443	49751	34.160.144.191	192.168.2.4
Oct 25, 2024 22:18:08.302444935 CEST	49751	443	192.168.2.4	34.160.144.191
Oct 25, 2024 22:18:08.302521944 CEST	49751	443	192.168.2.4	34.160.144.191
Oct 25, 2024 22:18:08.302690029 CEST	443	49751	34.160.144.191	192.168.2.4
Oct 25, 2024 22:18:08.306303978 CEST	49751	443	192.168.2.4	34.160.144.191
Oct 25, 2024 22:18:08.306303978 CEST	49751	443	192.168.2.4	34.160.144.191
Oct 25, 2024 22:18:08.307873964 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:08.560976028 CEST	443	49753	34.107.243.93	192.168.2.4
Oct 25, 2024 22:18:08.567169905 CEST	49753	443	192.168.2.4	34.107.243.93
Oct 25, 2024 22:18:08.586088896 CEST	49753	443	192.168.2.4	34.107.243.93
Oct 25, 2024 22:18:08.586137056 CEST	443	49753	34.107.243.93	192.168.2.4
Oct 25, 2024 22:18:08.586164951 CEST	49753	443	192.168.2.4	34.107.243.93
Oct 25, 2024 22:18:08.586589098 CEST	443	49753	34.107.243.93	192.168.2.4
Oct 25, 2024 22:18:08.587179899 CEST	49753	443	192.168.2.4	34.107.243.93
Oct 25, 2024 22:18:08.695173025 CEST	443	49754	34.117.188.166	192.168.2.4
Oct 25, 2024 22:18:08.699350119 CEST	443	49754	34.117.188.166	192.168.2.4
Oct 25, 2024 22:18:08.702878952 CEST	49754	443	192.168.2.4	34.117.188.166
Oct 25, 2024 22:18:08.705585003 CEST	443	49755	34.120.208.123	192.168.2.4
Oct 25, 2024 22:18:08.706816912 CEST	49754	443	192.168.2.4	34.117.188.166
Oct 25, 2024 22:18:08.706847906 CEST	443	49754	34.117.188.166	192.168.2.4
Oct 25, 2024 22:18:08.706928015 CEST	49754	443	192.168.2.4	34.117.188.166
Oct 25, 2024 22:18:08.707257032 CEST	49757	443	192.168.2.4	34.117.188.166
Oct 25, 2024 22:18:08.707289934 CEST	443	49757	34.117.188.166	192.168.2.4
Oct 25, 2024 22:18:08.707375050 CEST	443	49754	34.117.188.166	192.168.2.4
Oct 25, 2024 22:18:08.708214045 CEST	49754	443	192.168.2.4	34.117.188.166
Oct 25, 2024 22:18:08.708231926 CEST	49757	443	192.168.2.4	34.117.188.166
Oct 25, 2024 22:18:08.708229065 CEST	49755	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:18:08.716206074 CEST	49757	443	192.168.2.4	34.117.188.166
Oct 25, 2024 22:18:08.716218948 CEST	443	49757	34.117.188.166	192.168.2.4
Oct 25, 2024 22:18:08.719729900 CEST	49755	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:18:08.719772100 CEST	443	49755	34.120.208.123	192.168.2.4
Oct 25, 2024 22:18:08.719801903 CEST	49755	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:18:08.720372915 CEST	443	49755	34.120.208.123	192.168.2.4
Oct 25, 2024 22:18:08.721625090 CEST	49755	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:18:08.974298000 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:08.997657061 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:08.997736931 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:08.997878075 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:08.999754906 CEST	49759	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:08.999816895 CEST	443	49759	35.244.181.201	192.168.2.4
Oct 25, 2024 22:18:09.000001907 CEST	49759	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:09.000117064 CEST	49759	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:09.000144005 CEST	443	49759	35.244.181.201	192.168.2.4
Oct 25, 2024 22:18:09.002126932 CEST	49760	443	192.168.2.4	34.149.100.209
Oct 25, 2024 22:18:09.002193928 CEST	443	49760	34.149.100.209	192.168.2.4
Oct 25, 2024 22:18:09.002370119 CEST	49760	443	192.168.2.4	34.149.100.209
Oct 25, 2024 22:18:09.003765106 CEST	49760	443	192.168.2.4	34.149.100.209
Oct 25, 2024 22:18:09.003793955 CEST	443	49760	34.149.100.209	192.168.2.4
Oct 25, 2024 22:18:09.007755041 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:09.338942051 CEST	443	49757	34.117.188.166	192.168.2.4
Oct 25, 2024 22:18:09.339005947 CEST	49757	443	192.168.2.4	34.117.188.166
Oct 25, 2024 22:18:09.344491005 CEST	49757	443	192.168.2.4	34.117.188.166
Oct 25, 2024 22:18:09.344507933 CEST	443	49757	34.117.188.166	192.168.2.4
Oct 25, 2024 22:18:09.344587088 CEST	49757	443	192.168.2.4	34.117.188.166
Oct 25, 2024 22:18:09.344778061 CEST	443	49757	34.117.188.166	192.168.2.4
Oct 25, 2024 22:18:09.344830036 CEST	49757	443	192.168.2.4	34.117.188.166
Oct 25, 2024 22:18:09.607942104 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:09.627156973 CEST	443	49759	35.244.181.201	192.168.2.4
Oct 25, 2024 22:18:09.627237082 CEST	49759	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:09.630033970 CEST	49759	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:09.630050898 CEST	443	49759	35.244.181.201	192.168.2.4
Oct 25, 2024 22:18:09.630390882 CEST	443	49759	35.244.181.201	192.168.2.4
Oct 25, 2024 22:18:09.632077932 CEST	443	49760	34.149.100.209	192.168.2.4
Oct 25, 2024 22:18:09.632385015 CEST	49760	443	192.168.2.4	34.149.100.209
Oct 25, 2024 22:18:09.634862900 CEST	49759	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:09.634934902 CEST	49759	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:09.635097027 CEST	443	49759	35.244.181.201	192.168.2.4
Oct 25, 2024 22:18:09.635282993 CEST	49759	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:09.637298107 CEST	49760	443	192.168.2.4	34.149.100.209
Oct 25, 2024 22:18:09.637332916 CEST	443	49760	34.149.100.209	192.168.2.4
Oct 25, 2024 22:18:09.637408018 CEST	49760	443	192.168.2.4	34.149.100.209
Oct 25, 2024 22:18:09.637662888 CEST	443	49760	34.149.100.209	192.168.2.4
Oct 25, 2024 22:18:09.637773037 CEST	49760	443	192.168.2.4	34.149.100.209
Oct 25, 2024 22:18:09.659552097 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:11.898308039 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:11.905901909 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:11.911216021 CEST	49761	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:18:11.911263943 CEST	443	49761	34.120.208.123	192.168.2.4
Oct 25, 2024 22:18:11.911607981 CEST	49761	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:18:11.928458929 CEST	49761	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:18:11.928481102 CEST	443	49761	34.120.208.123	192.168.2.4
Oct 25, 2024 22:18:11.938060999 CEST	49762	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:18:11.938100100 CEST	443	49762	34.120.208.123	192.168.2.4
Oct 25, 2024 22:18:11.938766956 CEST	49762	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:18:11.938942909 CEST	49762	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:18:11.938956022 CEST	443	49762	34.120.208.123	192.168.2.4
Oct 25, 2024 22:18:11.956135988 CEST	49763	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:18:11.956155062 CEST	443	49763	34.120.208.123	192.168.2.4
Oct 25, 2024 22:18:11.958281994 CEST	49763	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:18:11.961644888 CEST	49763	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:18:11.961659908 CEST	443	49763	34.120.208.123	192.168.2.4
Oct 25, 2024 22:18:12.029119968 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:12.074167013 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:12.563518047 CEST	443	49762	34.120.208.123	192.168.2.4
Oct 25, 2024 22:18:12.563618898 CEST	49762	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:18:12.575916052 CEST	443	49763	34.120.208.123	192.168.2.4
Oct 25, 2024 22:18:12.575983047 CEST	49763	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:18:12.582180023 CEST	443	49761	34.120.208.123	192.168.2.4
Oct 25, 2024 22:18:12.582276106 CEST	49761	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:18:12.796866894 CEST	49762	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:18:12.796886921 CEST	443	49762	34.120.208.123	192.168.2.4
Oct 25, 2024 22:18:12.797327995 CEST	443	49762	34.120.208.123	192.168.2.4
Oct 25, 2024 22:18:12.799226046 CEST	49763	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:18:12.799268961 CEST	443	49763	34.120.208.123	192.168.2.4
Oct 25, 2024 22:18:12.800295115 CEST	443	49763	34.120.208.123	192.168.2.4
Oct 25, 2024 22:18:12.804471016 CEST	49761	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:18:12.804508924 CEST	443	49761	34.120.208.123	192.168.2.4
Oct 25, 2024 22:18:12.804553986 CEST	49761	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:18:12.804670095 CEST	49762	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:18:12.804728031 CEST	49762	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:18:12.804747105 CEST	49763	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:18:12.804794073 CEST	49763	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:18:12.805011988 CEST	443	49762	34.120.208.123	192.168.2.4
Oct 25, 2024 22:18:12.805296898 CEST	443	49761	34.120.208.123	192.168.2.4
Oct 25, 2024 22:18:12.805403948 CEST	443	49763	34.120.208.123	192.168.2.4
Oct 25, 2024 22:18:12.805484056 CEST	49761	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:18:12.805505037 CEST	49762	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:18:12.805507898 CEST	49763	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:18:17.039194107 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:17.045953035 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:17.167541981 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:17.204906940 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:17.206305027 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:18:17.206372976 CEST	443	49766	34.120.208.123	192.168.2.4
Oct 25, 2024 22:18:17.210448027 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:17.222367048 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:18:17.222529888 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:17.223747969 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:18:17.223787069 CEST	443	49766	34.120.208.123	192.168.2.4
Oct 25, 2024 22:18:17.329834938 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:17.369499922 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:17.414855957 CEST	49767	443	192.168.2.4	34.107.243.93
Oct 25, 2024 22:18:17.414947987 CEST	443	49767	34.107.243.93	192.168.2.4
Oct 25, 2024 22:18:17.415194035 CEST	49767	443	192.168.2.4	34.107.243.93
Oct 25, 2024 22:18:17.416644096 CEST	49767	443	192.168.2.4	34.107.243.93
Oct 25, 2024 22:18:17.416677952 CEST	443	49767	34.107.243.93	192.168.2.4
Oct 25, 2024 22:18:17.837018967 CEST	443	49766	34.120.208.123	192.168.2.4
Oct 25, 2024 22:18:17.837033033 CEST	443	49766	34.120.208.123	192.168.2.4
Oct 25, 2024 22:18:17.837145090 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:18:17.890907049 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:18:17.890923023 CEST	443	49766	34.120.208.123	192.168.2.4
Oct 25, 2024 22:18:17.890993118 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:18:17.891139030 CEST	443	49766	34.120.208.123	192.168.2.4
Oct 25, 2024 22:18:17.891521931 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:18:18.026063919 CEST	443	49767	34.107.243.93	192.168.2.4
Oct 25, 2024 22:18:18.026137114 CEST	49767	443	192.168.2.4	34.107.243.93
Oct 25, 2024 22:18:18.030662060 CEST	49767	443	192.168.2.4	34.107.243.93
Oct 25, 2024 22:18:18.030675888 CEST	443	49767	34.107.243.93	192.168.2.4
Oct 25, 2024 22:18:18.030750990 CEST	49767	443	192.168.2.4	34.107.243.93
Oct 25, 2024 22:18:18.030889988 CEST	443	49767	34.107.243.93	192.168.2.4
Oct 25, 2024 22:18:18.030946970 CEST	49767	443	192.168.2.4	34.107.243.93
Oct 25, 2024 22:18:18.622364998 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:18.631225109 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:18.755058050 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:18.798993111 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:18.848455906 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:18.857120037 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:18.976850033 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:19.002640963 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:19.010812044 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:19.030913115 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:19.132195950 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:19.184571028 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:28.739173889 CEST	49768	443	192.168.2.4	34.107.243.93
Oct 25, 2024 22:18:28.739267111 CEST	443	49768	34.107.243.93	192.168.2.4
Oct 25, 2024 22:18:28.739356041 CEST	49768	443	192.168.2.4	34.107.243.93
Oct 25, 2024 22:18:28.740803003 CEST	49768	443	192.168.2.4	34.107.243.93
Oct 25, 2024 22:18:28.740839005 CEST	443	49768	34.107.243.93	192.168.2.4
Oct 25, 2024 22:18:28.997190952 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:29.003107071 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:29.144345999 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:29.151160955 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:29.357197046 CEST	443	49768	34.107.243.93	192.168.2.4
Oct 25, 2024 22:18:29.357296944 CEST	49768	443	192.168.2.4	34.107.243.93
Oct 25, 2024 22:18:29.361804962 CEST	49768	443	192.168.2.4	34.107.243.93
Oct 25, 2024 22:18:29.361835957 CEST	443	49768	34.107.243.93	192.168.2.4
Oct 25, 2024 22:18:29.361891031 CEST	49768	443	192.168.2.4	34.107.243.93
Oct 25, 2024 22:18:29.362067938 CEST	443	49768	34.107.243.93	192.168.2.4
Oct 25, 2024 22:18:29.362896919 CEST	49768	443	192.168.2.4	34.107.243.93
Oct 25, 2024 22:18:29.365036011 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:29.370589018 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:29.490439892 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:29.494672060 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:29.500088930 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:29.545604944 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:29.621898890 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:29.661478996 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:32.351572990 CEST	49771	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:32.351664066 CEST	443	49771	35.244.181.201	192.168.2.4
Oct 25, 2024 22:18:32.353763103 CEST	49771	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:32.354125977 CEST	49771	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:32.354161024 CEST	443	49771	35.244.181.201	192.168.2.4
Oct 25, 2024 22:18:32.374931097 CEST	49772	443	192.168.2.4	34.149.100.209
Oct 25, 2024 22:18:32.375015020 CEST	443	49772	34.149.100.209	192.168.2.4
Oct 25, 2024 22:18:32.376075983 CEST	49772	443	192.168.2.4	34.149.100.209
Oct 25, 2024 22:18:32.376192093 CEST	49772	443	192.168.2.4	34.149.100.209
Oct 25, 2024 22:18:32.376216888 CEST	443	49772	34.149.100.209	192.168.2.4
Oct 25, 2024 22:18:32.379861116 CEST	49773	443	192.168.2.4	35.190.72.216
Oct 25, 2024 22:18:32.379880905 CEST	443	49773	35.190.72.216	192.168.2.4
Oct 25, 2024 22:18:32.382122993 CEST	49773	443	192.168.2.4	35.190.72.216
Oct 25, 2024 22:18:32.386437893 CEST	49773	443	192.168.2.4	35.190.72.216
Oct 25, 2024 22:18:32.386460066 CEST	443	49773	35.190.72.216	192.168.2.4
Oct 25, 2024 22:18:32.386802912 CEST	49774	443	192.168.2.4	151.101.65.91
Oct 25, 2024 22:18:32.386898994 CEST	443	49774	151.101.65.91	192.168.2.4
Oct 25, 2024 22:18:32.391952991 CEST	49774	443	192.168.2.4	151.101.65.91
Oct 25, 2024 22:18:32.407370090 CEST	49774	443	192.168.2.4	151.101.65.91
Oct 25, 2024 22:18:32.407413006 CEST	443	49774	151.101.65.91	192.168.2.4
Oct 25, 2024 22:18:32.407711029 CEST	49775	443	192.168.2.4	35.201.103.21
Oct 25, 2024 22:18:32.407741070 CEST	443	49775	35.201.103.21	192.168.2.4
Oct 25, 2024 22:18:32.411150932 CEST	49775	443	192.168.2.4	35.201.103.21
Oct 25, 2024 22:18:32.412590981 CEST	49775	443	192.168.2.4	35.201.103.21
Oct 25, 2024 22:18:32.412631989 CEST	443	49775	35.201.103.21	192.168.2.4
Oct 25, 2024 22:18:32.983143091 CEST	443	49771	35.244.181.201	192.168.2.4
Oct 25, 2024 22:18:32.983263969 CEST	49771	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:32.986641884 CEST	49771	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:32.986674070 CEST	443	49771	35.244.181.201	192.168.2.4
Oct 25, 2024 22:18:32.987190962 CEST	443	49771	35.244.181.201	192.168.2.4
Oct 25, 2024 22:18:32.989288092 CEST	49771	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:32.989373922 CEST	49771	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:32.989729881 CEST	443	49771	35.244.181.201	192.168.2.4
Oct 25, 2024 22:18:32.989804983 CEST	49771	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:32.993017912 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:32.998502970 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:33.015953064 CEST	443	49773	35.190.72.216	192.168.2.4
Oct 25, 2024 22:18:33.016170979 CEST	49773	443	192.168.2.4	35.190.72.216
Oct 25, 2024 22:18:33.020386934 CEST	49773	443	192.168.2.4	35.190.72.216
Oct 25, 2024 22:18:33.020437956 CEST	443	49773	35.190.72.216	192.168.2.4
Oct 25, 2024 22:18:33.020497084 CEST	49773	443	192.168.2.4	35.190.72.216
Oct 25, 2024 22:18:33.020723104 CEST	443	49773	35.190.72.216	192.168.2.4
Oct 25, 2024 22:18:33.020915985 CEST	49773	443	192.168.2.4	35.190.72.216
Oct 25, 2024 22:18:33.023962021 CEST	443	49772	34.149.100.209	192.168.2.4
Oct 25, 2024 22:18:33.024051905 CEST	49772	443	192.168.2.4	34.149.100.209
Oct 25, 2024 22:18:33.024255991 CEST	443	49774	151.101.65.91	192.168.2.4
Oct 25, 2024 22:18:33.024444103 CEST	49774	443	192.168.2.4	151.101.65.91
Oct 25, 2024 22:18:33.027230024 CEST	49772	443	192.168.2.4	34.149.100.209
Oct 25, 2024 22:18:33.027282953 CEST	443	49772	34.149.100.209	192.168.2.4
Oct 25, 2024 22:18:33.027648926 CEST	443	49772	34.149.100.209	192.168.2.4
Oct 25, 2024 22:18:33.029737949 CEST	49774	443	192.168.2.4	151.101.65.91
Oct 25, 2024 22:18:33.029788971 CEST	443	49774	151.101.65.91	192.168.2.4
Oct 25, 2024 22:18:33.030292034 CEST	443	49774	151.101.65.91	192.168.2.4
Oct 25, 2024 22:18:33.032320976 CEST	49772	443	192.168.2.4	34.149.100.209
Oct 25, 2024 22:18:33.032398939 CEST	49772	443	192.168.2.4	34.149.100.209
Oct 25, 2024 22:18:33.032537937 CEST	443	49772	34.149.100.209	192.168.2.4
Oct 25, 2024 22:18:33.032640934 CEST	49774	443	192.168.2.4	151.101.65.91
Oct 25, 2024 22:18:33.032690048 CEST	49774	443	192.168.2.4	151.101.65.91
Oct 25, 2024 22:18:33.032855988 CEST	443	49774	151.101.65.91	192.168.2.4
Oct 25, 2024 22:18:33.032881975 CEST	49772	443	192.168.2.4	34.149.100.209
Oct 25, 2024 22:18:33.032916069 CEST	49774	443	192.168.2.4	151.101.65.91
Oct 25, 2024 22:18:33.040224075 CEST	443	49775	35.201.103.21	192.168.2.4
Oct 25, 2024 22:18:33.040226936 CEST	49776	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:33.040312052 CEST	443	49776	35.244.181.201	192.168.2.4
Oct 25, 2024 22:18:33.043426991 CEST	49777	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:33.043495893 CEST	443	49777	35.244.181.201	192.168.2.4
Oct 25, 2024 22:18:33.044307947 CEST	49778	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:33.044334888 CEST	443	49778	35.244.181.201	192.168.2.4
Oct 25, 2024 22:18:33.045523882 CEST	49775	443	192.168.2.4	35.201.103.21
Oct 25, 2024 22:18:33.045567989 CEST	49776	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:33.045568943 CEST	49778	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:33.045577049 CEST	49777	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:33.047386885 CEST	49776	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:33.047427893 CEST	443	49776	35.244.181.201	192.168.2.4
Oct 25, 2024 22:18:33.047477007 CEST	49777	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:33.047512054 CEST	443	49777	35.244.181.201	192.168.2.4
Oct 25, 2024 22:18:33.047538996 CEST	49778	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:33.047565937 CEST	443	49778	35.244.181.201	192.168.2.4
Oct 25, 2024 22:18:33.049877882 CEST	49775	443	192.168.2.4	35.201.103.21
Oct 25, 2024 22:18:33.049890041 CEST	443	49775	35.201.103.21	192.168.2.4
Oct 25, 2024 22:18:33.049978018 CEST	49775	443	192.168.2.4	35.201.103.21
Oct 25, 2024 22:18:33.050172091 CEST	443	49775	35.201.103.21	192.168.2.4
Oct 25, 2024 22:18:33.050977945 CEST	49775	443	192.168.2.4	35.201.103.21
Oct 25, 2024 22:18:33.066447973 CEST	49779	443	192.168.2.4	34.149.100.209
Oct 25, 2024 22:18:33.066499949 CEST	443	49779	34.149.100.209	192.168.2.4
Oct 25, 2024 22:18:33.066595078 CEST	49779	443	192.168.2.4	34.149.100.209
Oct 25, 2024 22:18:33.066694021 CEST	49779	443	192.168.2.4	34.149.100.209
Oct 25, 2024 22:18:33.066705942 CEST	443	49779	34.149.100.209	192.168.2.4
Oct 25, 2024 22:18:33.118772030 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:33.121608019 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:33.127091885 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:33.171642065 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:33.249587059 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:33.309703112 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:33.658315897 CEST	443	49777	35.244.181.201	192.168.2.4
Oct 25, 2024 22:18:33.658396006 CEST	49777	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:33.661134005 CEST	49777	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:33.661148071 CEST	443	49777	35.244.181.201	192.168.2.4
Oct 25, 2024 22:18:33.661559105 CEST	443	49777	35.244.181.201	192.168.2.4
Oct 25, 2024 22:18:33.663969994 CEST	49777	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:33.664072037 CEST	49777	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:33.664180994 CEST	443	49777	35.244.181.201	192.168.2.4
Oct 25, 2024 22:18:33.665175915 CEST	49777	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:33.665913105 CEST	443	49778	35.244.181.201	192.168.2.4
Oct 25, 2024 22:18:33.666521072 CEST	49778	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:33.669017076 CEST	49778	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:33.669039965 CEST	443	49778	35.244.181.201	192.168.2.4
Oct 25, 2024 22:18:33.669163942 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:33.670123100 CEST	443	49778	35.244.181.201	192.168.2.4
Oct 25, 2024 22:18:33.671103001 CEST	443	49776	35.244.181.201	192.168.2.4
Oct 25, 2024 22:18:33.671256065 CEST	49776	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:33.671452999 CEST	443	49779	34.149.100.209	192.168.2.4
Oct 25, 2024 22:18:33.671533108 CEST	49779	443	192.168.2.4	34.149.100.209
Oct 25, 2024 22:18:33.673964977 CEST	49776	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:33.673985004 CEST	443	49776	35.244.181.201	192.168.2.4
Oct 25, 2024 22:18:33.674401045 CEST	443	49776	35.244.181.201	192.168.2.4
Oct 25, 2024 22:18:33.674797058 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:33.676753044 CEST	49779	443	192.168.2.4	34.149.100.209
Oct 25, 2024 22:18:33.676774979 CEST	443	49779	34.149.100.209	192.168.2.4
Oct 25, 2024 22:18:33.677160025 CEST	443	49779	34.149.100.209	192.168.2.4
Oct 25, 2024 22:18:33.677607059 CEST	49778	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:33.677711964 CEST	49778	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:33.678900957 CEST	443	49778	35.244.181.201	192.168.2.4
Oct 25, 2024 22:18:33.681432962 CEST	49776	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:33.681504011 CEST	49776	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:33.681775093 CEST	443	49776	35.244.181.201	192.168.2.4
Oct 25, 2024 22:18:33.681896925 CEST	49779	443	192.168.2.4	34.149.100.209
Oct 25, 2024 22:18:33.681942940 CEST	49779	443	192.168.2.4	34.149.100.209
Oct 25, 2024 22:18:33.682111979 CEST	443	49779	34.149.100.209	192.168.2.4
Oct 25, 2024 22:18:33.684784889 CEST	49779	443	192.168.2.4	34.149.100.209
Oct 25, 2024 22:18:33.684803009 CEST	49778	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:33.684803009 CEST	49776	443	192.168.2.4	35.244.181.201
Oct 25, 2024 22:18:33.684815884 CEST	49779	443	192.168.2.4	34.149.100.209
Oct 25, 2024 22:18:33.794363022 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:33.797719002 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:33.803512096 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:33.842375040 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:33.925458908 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:33.973932981 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:42.188883066 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:42.194345951 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:42.315711021 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:42.318499088 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:42.323936939 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:42.366988897 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:42.446319103 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:42.498534918 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:49.647908926 CEST	49783	443	192.168.2.4	34.107.243.93
Oct 25, 2024 22:18:49.647934914 CEST	443	49783	34.107.243.93	192.168.2.4
Oct 25, 2024 22:18:49.648199081 CEST	49783	443	192.168.2.4	34.107.243.93
Oct 25, 2024 22:18:49.649573088 CEST	49783	443	192.168.2.4	34.107.243.93
Oct 25, 2024 22:18:49.649585009 CEST	443	49783	34.107.243.93	192.168.2.4
Oct 25, 2024 22:18:50.276853085 CEST	443	49783	34.107.243.93	192.168.2.4
Oct 25, 2024 22:18:50.277035952 CEST	49783	443	192.168.2.4	34.107.243.93
Oct 25, 2024 22:18:50.281553030 CEST	49783	443	192.168.2.4	34.107.243.93
Oct 25, 2024 22:18:50.281570911 CEST	443	49783	34.107.243.93	192.168.2.4
Oct 25, 2024 22:18:50.281644106 CEST	49783	443	192.168.2.4	34.107.243.93
Oct 25, 2024 22:18:50.281759024 CEST	443	49783	34.107.243.93	192.168.2.4
Oct 25, 2024 22:18:50.282268047 CEST	49783	443	192.168.2.4	34.107.243.93
Oct 25, 2024 22:18:50.284081936 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:50.289664984 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:50.410269022 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:50.424940109 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:50.430608034 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:50.475528002 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:18:50.552630901 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 25, 2024 22:18:50.607131958 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:19:00.432051897 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:19:00.456599951 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 25, 2024 22:19:00.563694000 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:19:00.569195986 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 25, 2024 22:19:02.813591003 CEST	49816	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:19:02.813631058 CEST	443	49816	34.120.208.123	192.168.2.4
Oct 25, 2024 22:19:02.813781023 CEST	49817	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:19:02.813796997 CEST	443	49817	34.120.208.123	192.168.2.4
Oct 25, 2024 22:19:02.813942909 CEST	49818	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:19:02.813952923 CEST	443	49818	34.120.208.123	192.168.2.4
Oct 25, 2024 22:19:02.814495087 CEST	49816	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:19:02.814512968 CEST	49817	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:19:02.814522982 CEST	49818	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:19:02.814755917 CEST	49816	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:19:02.814769983 CEST	443	49816	34.120.208.123	192.168.2.4
Oct 25, 2024 22:19:02.815047979 CEST	49818	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:19:02.815057993 CEST	443	49818	34.120.208.123	192.168.2.4
Oct 25, 2024 22:19:02.815197945 CEST	49817	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:19:02.815212965 CEST	443	49817	34.120.208.123	192.168.2.4
Oct 25, 2024 22:19:03.428457975 CEST	443	49816	34.120.208.123	192.168.2.4
Oct 25, 2024 22:19:03.431387901 CEST	49816	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:19:03.432600975 CEST	443	49817	34.120.208.123	192.168.2.4
Oct 25, 2024 22:19:03.434560061 CEST	49816	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:19:03.434571981 CEST	443	49816	34.120.208.123	192.168.2.4
Oct 25, 2024 22:19:03.434891939 CEST	443	49816	34.120.208.123	192.168.2.4
Oct 25, 2024 22:19:03.438654900 CEST	443	49818	34.120.208.123	192.168.2.4
Oct 25, 2024 22:19:03.440860033 CEST	49816	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:19:03.440965891 CEST	49816	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:19:03.441159010 CEST	443	49816	34.120.208.123	192.168.2.4
Oct 25, 2024 22:19:03.443344116 CEST	443	49817	34.120.208.123	192.168.2.4
Oct 25, 2024 22:19:03.443378925 CEST	443	49818	34.120.208.123	192.168.2.4
Oct 25, 2024 22:19:03.445008039 CEST	49816	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:19:03.445027113 CEST	49816	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:19:03.445064068 CEST	49817	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:19:03.445153952 CEST	49818	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:19:03.448607922 CEST	49817	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:19:03.448632956 CEST	443	49817	34.120.208.123	192.168.2.4
Oct 25, 2024 22:19:03.449592113 CEST	443	49817	34.120.208.123	192.168.2.4
Oct 25, 2024 22:19:03.450947046 CEST	49818	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:19:03.450952053 CEST	443	49818	34.120.208.123	192.168.2.4
Oct 25, 2024 22:19:03.451298952 CEST	443	49818	34.120.208.123	192.168.2.4
Oct 25, 2024 22:19:03.454011917 CEST	49817	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:19:03.454129934 CEST	49818	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:19:03.454838037 CEST	49817	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:19:03.454911947 CEST	49817	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:19:03.455307961 CEST	443	49817	34.120.208.123	192.168.2.4
Oct 25, 2024 22:19:03.455478907 CEST	49818	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:19:03.455533981 CEST	49818	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:19:03.455703974 CEST	443	49818	34.120.208.123	192.168.2.4
Oct 25, 2024 22:19:03.462635994 CEST	49817	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:19:03.465480089 CEST	49818	443	192.168.2.4	34.120.208.123
Oct 25, 2024 22:19:03.475672007 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:19:03.481178045 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 25, 2024 22:19:03.601227999 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 25, 2024 22:19:03.629081964 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:19:03.636327028 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 25, 2024 22:19:03.654536963 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:19:03.758531094 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 25, 2024 22:19:03.809895039 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:19:13.615518093 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:19:13.620958090 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 25, 2024 22:19:13.769262075 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:19:13.774733067 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 25, 2024 22:19:23.630434036 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:19:23.754575968 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 25, 2024 22:19:23.784001112 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:19:23.789278030 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 25, 2024 22:19:30.785306931 CEST	49969	443	192.168.2.4	34.107.243.93
Oct 25, 2024 22:19:30.785387039 CEST	443	49969	34.107.243.93	192.168.2.4
Oct 25, 2024 22:19:30.785672903 CEST	49969	443	192.168.2.4	34.107.243.93
Oct 25, 2024 22:19:30.787818909 CEST	49969	443	192.168.2.4	34.107.243.93
Oct 25, 2024 22:19:30.787863970 CEST	443	49969	34.107.243.93	192.168.2.4
Oct 25, 2024 22:19:31.400413990 CEST	443	49969	34.107.243.93	192.168.2.4
Oct 25, 2024 22:19:31.400520086 CEST	49969	443	192.168.2.4	34.107.243.93
Oct 25, 2024 22:19:31.404886007 CEST	49969	443	192.168.2.4	34.107.243.93
Oct 25, 2024 22:19:31.404906988 CEST	443	49969	34.107.243.93	192.168.2.4
Oct 25, 2024 22:19:31.405047894 CEST	49969	443	192.168.2.4	34.107.243.93
Oct 25, 2024 22:19:31.405196905 CEST	443	49969	34.107.243.93	192.168.2.4
Oct 25, 2024 22:19:31.405297995 CEST	49969	443	192.168.2.4	34.107.243.93
Oct 25, 2024 22:19:31.407989979 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:19:31.413434029 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 25, 2024 22:19:31.536250114 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 25, 2024 22:19:31.540314913 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:19:31.545825005 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 25, 2024 22:19:31.591135979 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:19:31.667403936 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 25, 2024 22:19:31.722661972 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:19:41.550782919 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:19:41.556390047 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 25, 2024 22:19:41.682295084 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:19:41.687959909 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 25, 2024 22:19:51.564412117 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:19:51.569919109 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 25, 2024 22:19:51.696105003 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:19:51.701858997 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 25, 2024 22:20:01.581093073 CEST	49750	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:20:01.586779118 CEST	80	49750	34.107.221.82	192.168.2.4
Oct 25, 2024 22:20:01.718849897 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 25, 2024 22:20:01.724348068 CEST	80	49758	34.107.221.82	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2024 22:18:04.063751936 CEST	61648	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:04.074256897 CEST	53	61648	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:04.078125000 CEST	63653	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:04.086987019 CEST	53	63653	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:06.065303087 CEST	60419	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:06.065586090 CEST	55353	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:06.075114012 CEST	53	55353	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:06.090641975 CEST	63156	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:06.098042965 CEST	53	63156	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:06.100995064 CEST	53505	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:06.101736069 CEST	56643	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:06.108216047 CEST	53	53505	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:06.109627962 CEST	53	56643	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:06.110074043 CEST	58925	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:06.120038986 CEST	53	58925	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:06.749399900 CEST	62400	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:06.759233952 CEST	53	62400	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:06.760179043 CEST	58141	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:06.769999027 CEST	53	58141	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:06.771354914 CEST	54389	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:06.780162096 CEST	53	54389	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:06.793147087 CEST	56416	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:06.804164886 CEST	53	56416	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:06.806395054 CEST	59954	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:06.817264080 CEST	53	59954	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:06.833373070 CEST	64296	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:06.835051060 CEST	51956	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:06.844105005 CEST	53	64296	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:06.845839977 CEST	53	51956	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:06.860681057 CEST	57166	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:06.870925903 CEST	53	57166	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:07.013139009 CEST	51340	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:07.022550106 CEST	53	51340	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:07.023638964 CEST	63121	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:07.032856941 CEST	53	63121	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:07.033565998 CEST	62535	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:07.041817904 CEST	53	62535	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:07.098005056 CEST	65103	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:07.098392963 CEST	54817	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:07.108408928 CEST	53	65103	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:07.108422041 CEST	53	54817	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:07.112544060 CEST	59556	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:07.771248102 CEST	55700	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:07.803260088 CEST	53	52426	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:07.872839928 CEST	54885	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:07.882112980 CEST	53	54885	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:07.887835979 CEST	62553	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:07.896513939 CEST	53	62553	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:07.900501013 CEST	57790	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:07.909353971 CEST	53	57790	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:08.082297087 CEST	57867	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:08.090039015 CEST	53	57867	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:08.090563059 CEST	61003	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:08.098680973 CEST	53	61003	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:08.928921938 CEST	53780	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:09.000231981 CEST	53	53780	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:09.002310991 CEST	58672	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:09.013395071 CEST	53	58672	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:09.014522076 CEST	53457	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:09.024837017 CEST	53	53457	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:11.914854050 CEST	51437	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:11.926826000 CEST	53	51437	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:11.929019928 CEST	50629	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:11.938780069 CEST	53	50629	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:11.945733070 CEST	54203	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:11.958601952 CEST	53	54203	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:17.227773905 CEST	55123	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:17.235728979 CEST	53	55123	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:17.297260046 CEST	54780	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:17.304913044 CEST	53	54780	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:17.306241035 CEST	63114	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:17.313832998 CEST	53	63114	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:20.839994907 CEST	63193	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:20.840301991 CEST	58957	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:20.840583086 CEST	62239	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:20.847901106 CEST	53	62239	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:20.848500967 CEST	54963	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:20.848856926 CEST	53	58957	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:20.849040985 CEST	53	63193	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:20.849409103 CEST	52953	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:20.849894047 CEST	52874	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:20.856767893 CEST	53	54963	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:20.857254028 CEST	61451	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:20.857511044 CEST	53	52874	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:20.857878923 CEST	53	52953	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:20.857991934 CEST	60007	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:20.858375072 CEST	56150	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:20.865149975 CEST	53	61451	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:20.865715981 CEST	50235	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:20.865746975 CEST	53	60007	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:20.866060019 CEST	53	56150	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:20.873368979 CEST	53	50235	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:20.874018908 CEST	57979	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:20.882807016 CEST	53	57979	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:20.883263111 CEST	54952	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:20.891609907 CEST	53	54952	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:28.730670929 CEST	55510	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:28.738218069 CEST	53	55510	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:28.739113092 CEST	62585	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:28.748691082 CEST	53	62585	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:29.365319014 CEST	54399	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:32.352313042 CEST	55212	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:32.361979008 CEST	53	55212	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:32.371119976 CEST	52621	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:32.373399973 CEST	50391	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:32.380781889 CEST	53	52621	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:32.381803036 CEST	65223	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:32.382340908 CEST	53	50391	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:32.383028984 CEST	53335	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:32.390434027 CEST	53	65223	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:32.391536951 CEST	53	53335	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:32.393022060 CEST	58733	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:32.393614054 CEST	60041	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:32.402729034 CEST	53	58733	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:32.403224945 CEST	53	60041	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:32.404858112 CEST	58861	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:32.413934946 CEST	53	58861	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:49.637777090 CEST	55333	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:49.646908045 CEST	53	55333	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:49.647727966 CEST	58769	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:18:49.655549049 CEST	53	58769	1.1.1.1	192.168.2.4
Oct 25, 2024 22:18:50.284336090 CEST	65085	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:19:02.807526112 CEST	62104	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:19:02.814991951 CEST	53	62104	1.1.1.1	192.168.2.4
Oct 25, 2024 22:19:30.776987076 CEST	53830	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:19:30.784394026 CEST	53	53830	1.1.1.1	192.168.2.4
Oct 25, 2024 22:19:30.785573959 CEST	64902	53	192.168.2.4	1.1.1.1
Oct 25, 2024 22:19:30.793700933 CEST	53	64902	1.1.1.1	192.168.2.4
Oct 25, 2024 22:19:31.408181906 CEST	61802	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 25, 2024 22:18:04.063751936 CEST	192.168.2.4	1.1.1.1	0x2392	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:04.078125000 CEST	192.168.2.4	1.1.1.1	0x9c50	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 22:18:06.065303087 CEST	192.168.2.4	1.1.1.1	0xd60c	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:06.065586090 CEST	192.168.2.4	1.1.1.1	0xd313	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:06.090641975 CEST	192.168.2.4	1.1.1.1	0xcbfc	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:06.100995064 CEST	192.168.2.4	1.1.1.1	0x3c4b	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 25, 2024 22:18:06.101736069 CEST	192.168.2.4	1.1.1.1	0x152b	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:06.110074043 CEST	192.168.2.4	1.1.1.1	0x4a61	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 22:18:06.749399900 CEST	192.168.2.4	1.1.1.1	0x4358	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:06.760179043 CEST	192.168.2.4	1.1.1.1	0x939e	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:06.771354914 CEST	192.168.2.4	1.1.1.1	0x554	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 22:18:06.793147087 CEST	192.168.2.4	1.1.1.1	0x3191	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:06.806395054 CEST	192.168.2.4	1.1.1.1	0xcd7d	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:06.833373070 CEST	192.168.2.4	1.1.1.1	0xfa3f	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 22:18:06.835051060 CEST	192.168.2.4	1.1.1.1	0x87f8	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:06.860681057 CEST	192.168.2.4	1.1.1.1	0xc2a	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 22:18:07.013139009 CEST	192.168.2.4	1.1.1.1	0x60de	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:07.023638964 CEST	192.168.2.4	1.1.1.1	0x69c6	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:07.033565998 CEST	192.168.2.4	1.1.1.1	0xf09c	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 22:18:07.098005056 CEST	192.168.2.4	1.1.1.1	0x262b	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:07.098392963 CEST	192.168.2.4	1.1.1.1	0x7dd5	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:07.112544060 CEST	192.168.2.4	1.1.1.1	0x65c9	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:07.771248102 CEST	192.168.2.4	1.1.1.1	0x4d	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:07.872839928 CEST	192.168.2.4	1.1.1.1	0x5aac	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:07.887835979 CEST	192.168.2.4	1.1.1.1	0x6b79	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:07.900501013 CEST	192.168.2.4	1.1.1.1	0xaa0d	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 22:18:08.082297087 CEST	192.168.2.4	1.1.1.1	0xc586	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:08.090563059 CEST	192.168.2.4	1.1.1.1	0x28a3	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 22:18:08.928921938 CEST	192.168.2.4	1.1.1.1	0x6dc5	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:09.002310991 CEST	192.168.2.4	1.1.1.1	0x6b0e	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:09.014522076 CEST	192.168.2.4	1.1.1.1	0x3bc1	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 22:18:11.914854050 CEST	192.168.2.4	1.1.1.1	0xddd9	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:11.929019928 CEST	192.168.2.4	1.1.1.1	0x92fb	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:11.945733070 CEST	192.168.2.4	1.1.1.1	0x23b2	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 22:18:17.227773905 CEST	192.168.2.4	1.1.1.1	0xc0cf	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 22:18:17.297260046 CEST	192.168.2.4	1.1.1.1	0x6d69	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:17.306241035 CEST	192.168.2.4	1.1.1.1	0xea38	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 22:18:20.839994907 CEST	192.168.2.4	1.1.1.1	0xda87	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.840301991 CEST	192.168.2.4	1.1.1.1	0x7f88	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.840583086 CEST	192.168.2.4	1.1.1.1	0xcc3f	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.848500967 CEST	192.168.2.4	1.1.1.1	0x6fcc	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.849409103 CEST	192.168.2.4	1.1.1.1	0x35fc	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.849894047 CEST	192.168.2.4	1.1.1.1	0xc322	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.857254028 CEST	192.168.2.4	1.1.1.1	0xf817	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 25, 2024 22:18:20.857991934 CEST	192.168.2.4	1.1.1.1	0xc52a	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 25, 2024 22:18:20.858375072 CEST	192.168.2.4	1.1.1.1	0x56ea	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 25, 2024 22:18:20.865715981 CEST	192.168.2.4	1.1.1.1	0xaee	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.874018908 CEST	192.168.2.4	1.1.1.1	0xa38	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.883263111 CEST	192.168.2.4	1.1.1.1	0x79c8	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 25, 2024 22:18:28.730670929 CEST	192.168.2.4	1.1.1.1	0xc554	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:28.739113092 CEST	192.168.2.4	1.1.1.1	0xc080	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 22:18:29.365319014 CEST	192.168.2.4	1.1.1.1	0xf4b4	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:32.352313042 CEST	192.168.2.4	1.1.1.1	0x8486	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:32.371119976 CEST	192.168.2.4	1.1.1.1	0xdd24	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:32.373399973 CEST	192.168.2.4	1.1.1.1	0xc059	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 22:18:32.381803036 CEST	192.168.2.4	1.1.1.1	0x8b14	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:32.383028984 CEST	192.168.2.4	1.1.1.1	0xdd12	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:32.393022060 CEST	192.168.2.4	1.1.1.1	0x235e	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 25, 2024 22:18:32.393614054 CEST	192.168.2.4	1.1.1.1	0x1051	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:32.404858112 CEST	192.168.2.4	1.1.1.1	0xc866	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 22:18:49.637777090 CEST	192.168.2.4	1.1.1.1	0x172c	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:49.647727966 CEST	192.168.2.4	1.1.1.1	0x42f2	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 22:18:50.284336090 CEST	192.168.2.4	1.1.1.1	0x532a	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:19:02.807526112 CEST	192.168.2.4	1.1.1.1	0x4fec	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 22:19:30.776987076 CEST	192.168.2.4	1.1.1.1	0x9a28	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:19:30.785573959 CEST	192.168.2.4	1.1.1.1	0x648c	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 22:19:31.408181906 CEST	192.168.2.4	1.1.1.1	0x14fe	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 25, 2024 22:18:04.055079937 CEST	1.1.1.1	192.168.2.4	0x4d82	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:04.074256897 CEST	1.1.1.1	192.168.2.4	0x2392	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:06.075114012 CEST	1.1.1.1	192.168.2.4	0xd313	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 22:18:06.075114012 CEST	1.1.1.1	192.168.2.4	0xd313	No error (0)	star-mini.c10r.facebook.com		157.240.253.35	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:06.075247049 CEST	1.1.1.1	192.168.2.4	0xd60c	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 22:18:06.075247049 CEST	1.1.1.1	192.168.2.4	0xd60c	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:06.098042965 CEST	1.1.1.1	192.168.2.4	0xcbfc	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:06.108216047 CEST	1.1.1.1	192.168.2.4	0x3c4b	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 25, 2024 22:18:06.109627962 CEST	1.1.1.1	192.168.2.4	0x152b	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:06.120038986 CEST	1.1.1.1	192.168.2.4	0x4a61	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 25, 2024 22:18:06.759233952 CEST	1.1.1.1	192.168.2.4	0x4358	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:06.769999027 CEST	1.1.1.1	192.168.2.4	0x939e	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:06.804164886 CEST	1.1.1.1	192.168.2.4	0x3191	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 22:18:06.804164886 CEST	1.1.1.1	192.168.2.4	0x3191	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:06.817264080 CEST	1.1.1.1	192.168.2.4	0xcd7d	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:06.824502945 CEST	1.1.1.1	192.168.2.4	0x3122	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 22:18:06.824502945 CEST	1.1.1.1	192.168.2.4	0x3122	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:06.845839977 CEST	1.1.1.1	192.168.2.4	0x87f8	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:07.022550106 CEST	1.1.1.1	192.168.2.4	0x60de	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 22:18:07.022550106 CEST	1.1.1.1	192.168.2.4	0x60de	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 22:18:07.022550106 CEST	1.1.1.1	192.168.2.4	0x60de	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:07.032856941 CEST	1.1.1.1	192.168.2.4	0x69c6	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:07.041817904 CEST	1.1.1.1	192.168.2.4	0xf09c	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 25, 2024 22:18:07.108408928 CEST	1.1.1.1	192.168.2.4	0x262b	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:07.108422041 CEST	1.1.1.1	192.168.2.4	0x7dd5	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:07.108422041 CEST	1.1.1.1	192.168.2.4	0x7dd5	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:07.120264053 CEST	1.1.1.1	192.168.2.4	0x65c9	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 22:18:07.120264053 CEST	1.1.1.1	192.168.2.4	0x65c9	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:07.780992031 CEST	1.1.1.1	192.168.2.4	0x4d	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 22:18:07.882112980 CEST	1.1.1.1	192.168.2.4	0x5aac	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:07.896513939 CEST	1.1.1.1	192.168.2.4	0x6b79	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:08.077433109 CEST	1.1.1.1	192.168.2.4	0x5816	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:08.090039015 CEST	1.1.1.1	192.168.2.4	0xc586	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:08.999022961 CEST	1.1.1.1	192.168.2.4	0x923b	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 22:18:08.999022961 CEST	1.1.1.1	192.168.2.4	0x923b	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:09.000231981 CEST	1.1.1.1	192.168.2.4	0x6dc5	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 22:18:09.000231981 CEST	1.1.1.1	192.168.2.4	0x6dc5	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:09.013395071 CEST	1.1.1.1	192.168.2.4	0x6b0e	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:11.910173893 CEST	1.1.1.1	192.168.2.4	0x7dcf	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:11.926826000 CEST	1.1.1.1	192.168.2.4	0xddd9	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 22:18:11.926826000 CEST	1.1.1.1	192.168.2.4	0xddd9	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 22:18:11.926826000 CEST	1.1.1.1	192.168.2.4	0xddd9	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:11.938780069 CEST	1.1.1.1	192.168.2.4	0x92fb	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:17.212737083 CEST	1.1.1.1	192.168.2.4	0x6861	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:17.304913044 CEST	1.1.1.1	192.168.2.4	0x6d69	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.847901106 CEST	1.1.1.1	192.168.2.4	0xcc3f	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 22:18:20.847901106 CEST	1.1.1.1	192.168.2.4	0xcc3f	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.847901106 CEST	1.1.1.1	192.168.2.4	0xcc3f	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.847901106 CEST	1.1.1.1	192.168.2.4	0xcc3f	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.847901106 CEST	1.1.1.1	192.168.2.4	0xcc3f	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.848856926 CEST	1.1.1.1	192.168.2.4	0x7f88	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 22:18:20.848856926 CEST	1.1.1.1	192.168.2.4	0x7f88	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.849040985 CEST	1.1.1.1	192.168.2.4	0xda87	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 22:18:20.849040985 CEST	1.1.1.1	192.168.2.4	0xda87	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.849040985 CEST	1.1.1.1	192.168.2.4	0xda87	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.849040985 CEST	1.1.1.1	192.168.2.4	0xda87	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.849040985 CEST	1.1.1.1	192.168.2.4	0xda87	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.849040985 CEST	1.1.1.1	192.168.2.4	0xda87	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.849040985 CEST	1.1.1.1	192.168.2.4	0xda87	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.849040985 CEST	1.1.1.1	192.168.2.4	0xda87	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.849040985 CEST	1.1.1.1	192.168.2.4	0xda87	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.849040985 CEST	1.1.1.1	192.168.2.4	0xda87	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.849040985 CEST	1.1.1.1	192.168.2.4	0xda87	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.849040985 CEST	1.1.1.1	192.168.2.4	0xda87	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.849040985 CEST	1.1.1.1	192.168.2.4	0xda87	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.849040985 CEST	1.1.1.1	192.168.2.4	0xda87	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.849040985 CEST	1.1.1.1	192.168.2.4	0xda87	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.849040985 CEST	1.1.1.1	192.168.2.4	0xda87	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.849040985 CEST	1.1.1.1	192.168.2.4	0xda87	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.856767893 CEST	1.1.1.1	192.168.2.4	0x6fcc	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.856767893 CEST	1.1.1.1	192.168.2.4	0x6fcc	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.856767893 CEST	1.1.1.1	192.168.2.4	0x6fcc	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.856767893 CEST	1.1.1.1	192.168.2.4	0x6fcc	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.857511044 CEST	1.1.1.1	192.168.2.4	0xc322	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.857511044 CEST	1.1.1.1	192.168.2.4	0xc322	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.857511044 CEST	1.1.1.1	192.168.2.4	0xc322	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.857511044 CEST	1.1.1.1	192.168.2.4	0xc322	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.857511044 CEST	1.1.1.1	192.168.2.4	0xc322	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.857511044 CEST	1.1.1.1	192.168.2.4	0xc322	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.857511044 CEST	1.1.1.1	192.168.2.4	0xc322	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.857511044 CEST	1.1.1.1	192.168.2.4	0xc322	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.857511044 CEST	1.1.1.1	192.168.2.4	0xc322	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.857511044 CEST	1.1.1.1	192.168.2.4	0xc322	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.857511044 CEST	1.1.1.1	192.168.2.4	0xc322	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.857511044 CEST	1.1.1.1	192.168.2.4	0xc322	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.857511044 CEST	1.1.1.1	192.168.2.4	0xc322	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.857511044 CEST	1.1.1.1	192.168.2.4	0xc322	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.857511044 CEST	1.1.1.1	192.168.2.4	0xc322	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.857511044 CEST	1.1.1.1	192.168.2.4	0xc322	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.857878923 CEST	1.1.1.1	192.168.2.4	0x35fc	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.865746975 CEST	1.1.1.1	192.168.2.4	0xc52a	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 25, 2024 22:18:20.865746975 CEST	1.1.1.1	192.168.2.4	0xc52a	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 25, 2024 22:18:20.865746975 CEST	1.1.1.1	192.168.2.4	0xc52a	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 25, 2024 22:18:20.865746975 CEST	1.1.1.1	192.168.2.4	0xc52a	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 25, 2024 22:18:20.866060019 CEST	1.1.1.1	192.168.2.4	0x56ea	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 25, 2024 22:18:20.873368979 CEST	1.1.1.1	192.168.2.4	0xaee	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:20.882807016 CEST	1.1.1.1	192.168.2.4	0xa38	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:28.738218069 CEST	1.1.1.1	192.168.2.4	0xc554	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:29.372848988 CEST	1.1.1.1	192.168.2.4	0xf4b4	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 22:18:29.372848988 CEST	1.1.1.1	192.168.2.4	0xf4b4	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:32.360430956 CEST	1.1.1.1	192.168.2.4	0x185	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 22:18:32.360430956 CEST	1.1.1.1	192.168.2.4	0x185	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:32.361979008 CEST	1.1.1.1	192.168.2.4	0x8486	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:32.380781889 CEST	1.1.1.1	192.168.2.4	0xdd24	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:32.380781889 CEST	1.1.1.1	192.168.2.4	0xdd24	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:32.380781889 CEST	1.1.1.1	192.168.2.4	0xdd24	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:32.380781889 CEST	1.1.1.1	192.168.2.4	0xdd24	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:32.390434027 CEST	1.1.1.1	192.168.2.4	0x8b14	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 22:18:32.390434027 CEST	1.1.1.1	192.168.2.4	0x8b14	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:32.391536951 CEST	1.1.1.1	192.168.2.4	0xdd12	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:32.391536951 CEST	1.1.1.1	192.168.2.4	0xdd12	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:32.391536951 CEST	1.1.1.1	192.168.2.4	0xdd12	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:32.391536951 CEST	1.1.1.1	192.168.2.4	0xdd12	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:32.403224945 CEST	1.1.1.1	192.168.2.4	0x1051	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:33.697688103 CEST	1.1.1.1	192.168.2.4	0x8819	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 22:18:33.697688103 CEST	1.1.1.1	192.168.2.4	0x8819	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 22:18:49.646908045 CEST	1.1.1.1	192.168.2.4	0x172c	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:18:50.291769981 CEST	1.1.1.1	192.168.2.4	0x532a	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 22:18:50.291769981 CEST	1.1.1.1	192.168.2.4	0x532a	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:19:02.792576075 CEST	1.1.1.1	192.168.2.4	0x544d	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:19:30.784394026 CEST	1.1.1.1	192.168.2.4	0x9a28	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 25, 2024 22:19:31.415939093 CEST	1.1.1.1	192.168.2.4	0x14fe	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 22:19:31.415939093 CEST	1.1.1.1	192.168.2.4	0x14fe	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49739	34.107.221.82	80	7696	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 22:18:06.266074896 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 22:18:06.879986048 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 22908 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49746	34.107.221.82	80	7696	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 22:18:07.133656979 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 22:18:07.741580963 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 25 Oct 2024 09:22:18 GMT Age: 39349 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49750	34.107.221.82	80	7696	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 22:18:07.657469988 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 22:18:08.255821943 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 22910 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 22:18:11.898308039 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 22:18:12.029119968 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 22913 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 22:18:17.204906940 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 22:18:17.329834938 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 22919 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 22:18:18.848455906 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 22:18:18.976850033 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 22920 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 22:18:28.997190952 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 22:18:29.365036011 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 22:18:29.490439892 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 22931 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 22:18:32.993017912 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 22:18:33.118772030 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 22935 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 22:18:33.669163942 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 22:18:33.794363022 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 22935 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 22:18:42.188883066 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 22:18:42.315711021 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 22944 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 22:18:50.284081936 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 22:18:50.410269022 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 22952 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 22:19:00.432051897 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 22:19:03.475672007 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 22:19:03.601227999 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 22965 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 22:19:13.615518093 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 22:19:23.630434036 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 22:19:31.407989979 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 22:19:31.536250114 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 25 Oct 2024 13:56:18 GMT Age: 22993 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 22:19:41.550782919 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 22:19:51.564412117 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 22:20:01.581093073 CEST	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49758	34.107.221.82	80	7696	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 22:18:08.997878075 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 22:18:09.607942104 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 25 Oct 2024 09:22:18 GMT Age: 39351 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 22:18:17.039194107 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 22:18:17.167541981 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 25 Oct 2024 09:22:18 GMT Age: 39359 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 22:18:18.622364998 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 22:18:18.755058050 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 25 Oct 2024 09:22:18 GMT Age: 39360 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 22:18:19.002640963 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 22:18:19.132195950 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 25 Oct 2024 09:22:18 GMT Age: 39361 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 22:18:29.144345999 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 22:18:29.494672060 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 22:18:29.621898890 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 25 Oct 2024 09:22:18 GMT Age: 39371 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 22:18:33.121608019 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 22:18:33.249587059 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 25 Oct 2024 09:22:18 GMT Age: 39375 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 22:18:33.797719002 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 22:18:33.925458908 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 25 Oct 2024 09:22:18 GMT Age: 39375 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 22:18:42.318499088 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 22:18:42.446319103 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 25 Oct 2024 09:22:18 GMT Age: 39384 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 22:18:50.424940109 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 22:18:50.552630901 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 25 Oct 2024 09:22:18 GMT Age: 39392 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 22:19:00.563694000 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 22:19:03.629081964 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 22:19:03.758531094 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 25 Oct 2024 09:22:18 GMT Age: 39405 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 22:19:13.769262075 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 22:19:23.784001112 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 22:19:31.540314913 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 22:19:31.667403936 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 25 Oct 2024 09:22:18 GMT Age: 39433 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 22:19:41.682295084 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 22:19:51.696105003 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 22:20:01.718849897 CEST	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	16:17:57
Start date:	25/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xc90000
File size:	919'040 bytes
MD5 hash:	345D21F1207458568EC62CF40410AA6B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	16:17:57
Start date:	25/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x620000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:17:57
Start date:	25/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	16:17:59
Start date:	25/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x620000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	16:17:59
Start date:	25/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	16:17:59
Start date:	25/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x620000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	16:17:59
Start date:	25/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	16:17:59
Start date:	25/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x620000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	16:17:59
Start date:	25/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	16:18:00
Start date:	25/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x620000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	16:18:00
Start date:	25/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	16:18:00
Start date:	25/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://www.facebook.com/video" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	16:18:00
Start date:	25/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	16:18:00
Start date:	25/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	16:18:01
Start date:	25/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0396842b-5f8c-4a85-b679-9364957dd6a4} 7696 "\\.\pipe\gecko-crash-server-pipe.7696" 21a4256f710 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	16:18:03
Start date:	25/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4244 -parentBuildID 20230927232528 -prefsHandle 4564 -prefMapHandle 4560 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {34c7d413-63c5-4d1d-89ed-8453ea87de46} 7696 "\\.\pipe\gecko-crash-server-pipe.7696" 21a54645310 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	16:18:07
Start date:	25/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4900 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5384 -prefMapHandle 5360 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74dd1765-0c36-4f4d-8ed0-1fe6c7988c56} 7696 "\\.\pipe\gecko-crash-server-pipe.7696" 21a541baf10 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.2%
Total number of Nodes:	1596
Total number of Limit Nodes:	66

Executed Functions

Function 00C942DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00C9430D

Part of subcall function 00C96B57: _wcslen.LIBCMT ref: 00C96B6A

GetCurrentProcess.KERNEL32(?,00D2CB64,00000000,?,?), ref: 00C94422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00C94429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00C94454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00C94466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00C94474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00C9447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00C944A0

Strings

GetNativeSystemInfo, xrefs: 00C94460
|O, xrefs: 00CD36F8
kernel32.dll, xrefs: 00C9444F

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 8dc8fbca6cb8330937ff7e0760beb0487ed18b493743c2960fb3abb5842d7925
Instruction ID: 1048707bd319df1f7582c97b6e7ce156b4c2a297b7372762538e306c0193ad95
Opcode Fuzzy Hash: 8dc8fbca6cb8330937ff7e0760beb0487ed18b493743c2960fb3abb5842d7925
Instruction Fuzzy Hash: 9EA1917A91A3C0DFCB16CB697C455997FA47B36300B0C5899E093D7B22D3A14A0ADB72

Function 00C942A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00C950AA,?,?,00000000,00000000), ref: 00C942B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00C950AA,?,?,00000000,00000000), ref: 00C942C9
LoadResource.KERNEL32(?,00000000,?,?,00C950AA,?,?,00000000,00000000,?,?,?,?,?,?,00C94F20), ref: 00CD35BE
SizeofResource.KERNEL32(?,00000000,?,?,00C950AA,?,?,00000000,00000000,?,?,?,?,?,?,00C94F20), ref: 00CD35D3
LockResource.KERNEL32(00C950AA,?,?,00C950AA,?,?,00000000,00000000,?,?,?,?,?,?,00C94F20,?), ref: 00CD35E6

Strings

SCRIPT, xrefs: 00C942BF

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: b373915ae075e4e0ed6e0096823cea36538cb20486af4dd3d51f7652a31c8b97
Instruction ID: 9cbc98032bc41c4f15977b9cbf010fd881e202eabee922bce168247589ac7a4c
Opcode Fuzzy Hash: b373915ae075e4e0ed6e0096823cea36538cb20486af4dd3d51f7652a31c8b97
Instruction Fuzzy Hash: 01117C70200B00BFEB258B65DC48F2B7BB9EFD5B51F208169B412DA250EB71DD018630

Function 00CD2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00C92B6B

Part of subcall function 00C93A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00D61418,?,00C92E7F,?,?,?,00000000), ref: 00C93A78

Part of subcall function 00C99CB3: _wcslen.LIBCMT ref: 00C99CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00D52224), ref: 00CD2C10
ShellExecuteW.SHELL32(00000000,?,?,00D52224), ref: 00CD2C17

Strings

runas, xrefs: 00CD2C0B

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 45351290e9a86e9dbbe85a2d7a0e5aa8b656b9d5e999220bc00519caf5a6b6e2
Instruction ID: 844f732ee51d49e659e03b3c25ddd5f9a28d55b0158bc9ab8406e3d29078bd54
Opcode Fuzzy Hash: 45351290e9a86e9dbbe85a2d7a0e5aa8b656b9d5e999220bc00519caf5a6b6e2
Instruction Fuzzy Hash: DE11B1312083856BCF14FF64D85A9BE77E4ABA1341F48142EF592531A2DF619A0EA722

Function 00CFD4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00CFD501
Process32FirstW.KERNEL32(00000000,?), ref: 00CFD50F
Process32NextW.KERNEL32(00000000,?), ref: 00CFD52F
CloseHandle.KERNELBASE(00000000), ref: 00CFD5DC

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: e05ef73fcff2cbe6239b9eae25ba02cc49a1eb87baa8962d0a1f800e7b941610
Instruction ID: 693c131884d0dee3baaa3c680228dd8b0f7cb8690191b11df93e95180dd6f58f
Opcode Fuzzy Hash: e05ef73fcff2cbe6239b9eae25ba02cc49a1eb87baa8962d0a1f800e7b941610
Instruction Fuzzy Hash: EC31C2711083049FD701EF64C885ABFBBF8EF99354F10092DF592821A1EB719A49DBA3

Function 00CFDBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00CD5222), ref: 00CFDBCE
GetFileAttributesW.KERNELBASE(?), ref: 00CFDBDD
FindFirstFileW.KERNEL32(?,?), ref: 00CFDBEE
FindClose.KERNEL32(00000000), ref: 00CFDBFA

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 1ec6eb927c8c5adbf32d32a078110c1fcd9d59b81a77fc100e844fedd4dc5234
Instruction ID: 52fc9dc7aeeaba439e822d0de38e6a2628f23273e39a16f7c89ae6bed6e9b355
Opcode Fuzzy Hash: 1ec6eb927c8c5adbf32d32a078110c1fcd9d59b81a77fc100e844fedd4dc5234
Instruction Fuzzy Hash: E6F0EC304206149782306B7C9C0D47E376D9E11334B104702F577C11F0EFB05D55C5EA

Function 00CB4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00CC28E9,?,00CB4CBE,00CC28E9,00D588B8,0000000C,00CB4E15,00CC28E9,00000002,00000000,?,00CC28E9), ref: 00CB4D09
TerminateProcess.KERNEL32(00000000,?,00CB4CBE,00CC28E9,00D588B8,0000000C,00CB4E15,00CC28E9,00000002,00000000,?,00CC28E9), ref: 00CB4D10
ExitProcess.KERNEL32 ref: 00CB4D22

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: d96474782c69b1e25d00a4febd0fde4e0105b573ffdf7feac3f49d9eb7390c18
Instruction ID: c378af308fa6348099bb945317acea33c9e4f477b9d807398fdc6c8224830e23
Opcode Fuzzy Hash: d96474782c69b1e25d00a4febd0fde4e0105b573ffdf7feac3f49d9eb7390c18
Instruction Fuzzy Hash: 7EE0B631054648ABCF26AF64DD0AA983B69FB51795F108418FC15CA223CB35DE52DB94

Function 00D1AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00D1B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00D1B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00D1B1D4
_wcslen.LIBCMT ref: 00D1B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00D1B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00D1B236
_wcslen.LIBCMT ref: 00D1B332

Part of subcall function 00D005A7: GetStdHandle.KERNEL32(000000F6), ref: 00D005C6

_wcslen.LIBCMT ref: 00D1B34B
_wcslen.LIBCMT ref: 00D1B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00D1B3B6
GetLastError.KERNEL32(00000000), ref: 00D1B407
CloseHandle.KERNEL32(?), ref: 00D1B439
CloseHandle.KERNEL32(00000000), ref: 00D1B44A
CloseHandle.KERNEL32(00000000), ref: 00D1B45C
CloseHandle.KERNEL32(00000000), ref: 00D1B46E
CloseHandle.KERNEL32(?), ref: 00D1B4E3

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: cfca8c4449fc23726f206c22f740b3b579557ea72c7ba4ef9acb54cd01d6c6cc
Instruction ID: 7b95e447677cee9c0caa1479a7b0e49725ce9b8cef8cec7b0f51e88d465a865b
Opcode Fuzzy Hash: cfca8c4449fc23726f206c22f740b3b579557ea72c7ba4ef9acb54cd01d6c6cc
Instruction Fuzzy Hash: 4CF1B331508340EFCB14EF24D885BAEBBE5AF85324F18855EF4958B2A2CB31DC45DB62

Function 00C9D730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00C9D807
timeGetTime.WINMM ref: 00C9DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C9DB28
TranslateMessage.USER32(?), ref: 00C9DB7B
DispatchMessageW.USER32(?), ref: 00C9DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C9DB9F
Sleep.KERNELBASE(0000000A), ref: 00C9DBB1

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: f699f9e65f47463c014079bf6f3c546f24e20ae9e9529a2874fdd9631c75ca0b
Instruction ID: 281708b148065011cdc2a7fe3f5a49f8ccd1d84298c4e584abc69ea894c96b6e
Opcode Fuzzy Hash: f699f9e65f47463c014079bf6f3c546f24e20ae9e9529a2874fdd9631c75ca0b
Instruction Fuzzy Hash: 99420230608381EFDB38DF25C889BAAB7E4BF45304F18451DE46697391DB70EA54DBA2

Function 00C92CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C92D07
RegisterClassExW.USER32(00000030), ref: 00C92D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C92D42
InitCommonControlsEx.COMCTL32(?), ref: 00C92D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C92D6F
LoadIconW.USER32(000000A9), ref: 00C92D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C92D94

Strings

+, xrefs: 00C92CF0
TaskbarCreated, xrefs: 00C92D37
0, xrefs: 00C92CE9
AutoIt v3 GUI, xrefs: 00C92D23

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 82f89a77e6a2e078085bf0ebebb4c53185b7c003815f0f9c071c10a354108015
Instruction ID: 090dd50e914f7571b609c12799f6fc2d86f11bd54b3816ba2a9dd784747ab834
Opcode Fuzzy Hash: 82f89a77e6a2e078085bf0ebebb4c53185b7c003815f0f9c071c10a354108015
Instruction Fuzzy Hash: A32102B8921318AFDB10DFA4E849B9DBBB4FB18701F14411AE521E73A0D7B10940CFB0

Function 00CD065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CD039A: CreateFileW.KERNELBASE(00000000,00000000,?,00CD0704,?,?,00000000,?,00CD0704,00000000,0000000C), ref: 00CD03B7

GetLastError.KERNEL32 ref: 00CD076F
__dosmaperr.LIBCMT ref: 00CD0776
GetFileType.KERNELBASE(00000000), ref: 00CD0782
GetLastError.KERNEL32 ref: 00CD078C
__dosmaperr.LIBCMT ref: 00CD0795
CloseHandle.KERNEL32(00000000), ref: 00CD07B5
CloseHandle.KERNEL32(?), ref: 00CD08FF
GetLastError.KERNEL32 ref: 00CD0931
__dosmaperr.LIBCMT ref: 00CD0938

Strings

H, xrefs: 00CD08BD

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: ac7d6540bb8412f8e5430d14953714ced4deed7ae9e5583a680fdc718add42c1
Instruction ID: e435f72473a994b65bd205fb3c19679045010e5a5e21e1b7f9102ef93a11dbf0
Opcode Fuzzy Hash: ac7d6540bb8412f8e5430d14953714ced4deed7ae9e5583a680fdc718add42c1
Instruction Fuzzy Hash: 0CA1E032A102049FDF19AF68DC52BAE7BA0AB46320F24015EF915DB3A1D7719D13DBA1

Function 00C9344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C93A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00D61418,?,00C92E7F,?,?,?,00000000), ref: 00C93A78

Part of subcall function 00C93357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C93379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00C9356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00CD318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00CD31CE
RegCloseKey.ADVAPI32(?), ref: 00CD3210
_wcslen.LIBCMT ref: 00CD3277
_wcslen.LIBCMT ref: 00CD3286

Strings

\, xrefs: 00CD328C
\Include\, xrefs: 00C93527
Software\AutoIt v3\AutoIt, xrefs: 00C93560
Include, xrefs: 00CD3184, 00CD31C5

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: d0744d99b8c46390dc355a561a3d3bc8989541f8200953577b4e6a2045e64c27
Instruction ID: 6d1080207b8824da90c8dcd8955df308ca31ed3aae255c3f5558bc4c31538a05
Opcode Fuzzy Hash: d0744d99b8c46390dc355a561a3d3bc8989541f8200953577b4e6a2045e64c27
Instruction Fuzzy Hash: 867158719047019EC714EF65EC858AABBE8FF99340F40082EF555C23A1EB709A49DB72

Function 00C92B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C92B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00C92B9D
LoadIconW.USER32(00000063), ref: 00C92BB3
LoadIconW.USER32(000000A4), ref: 00C92BC5
LoadIconW.USER32(000000A2), ref: 00C92BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C92BEF
RegisterClassExW.USER32(?), ref: 00C92C40

Part of subcall function 00C92CD4: GetSysColorBrush.USER32(0000000F), ref: 00C92D07
Part of subcall function 00C92CD4: RegisterClassExW.USER32(00000030), ref: 00C92D31
Part of subcall function 00C92CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C92D42
Part of subcall function 00C92CD4: InitCommonControlsEx.COMCTL32(?), ref: 00C92D5F
Part of subcall function 00C92CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C92D6F
Part of subcall function 00C92CD4: LoadIconW.USER32(000000A9), ref: 00C92D85
Part of subcall function 00C92CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C92D94

Strings

AutoIt v3, xrefs: 00C92C2F
#, xrefs: 00C92C16
0, xrefs: 00C92C0F

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: d4dd1339645bd14e9821776fee38f264e3119c5454abd1d558f53b9c1f022dc8
Instruction ID: 7ad0f4b2036f55dabf7313873ed1aac9d2a174952b34bd029bccaea8d46e5945
Opcode Fuzzy Hash: d4dd1339645bd14e9821776fee38f264e3119c5454abd1d558f53b9c1f022dc8
Instruction Fuzzy Hash: 9C21F878E10314ABDB109FA5EC59A9D7FB4FB48B50F18001AE501E77A0D7B159409FB0

Function 00C93170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00C9316A,?,?), ref: 00C931D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00C9316A,?,?), ref: 00C93204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C93227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00C9316A,?,?), ref: 00C93232
CreatePopupMenu.USER32 ref: 00C93246
PostQuitMessage.USER32(00000000), ref: 00C93267

Strings

TaskbarCreated, xrefs: 00C9322D

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 41069af29bc209d3cdefc6c32da66611dd995aa7d895f4a5a2605ec38151b17b
Instruction ID: a0163dd8fa58aff5fe705bcace91f2000003e046bd875b697d963baa103b2066
Opcode Fuzzy Hash: 41069af29bc209d3cdefc6c32da66611dd995aa7d895f4a5a2605ec38151b17b
Instruction Fuzzy Hash: 87411739254384A7DF255BB89D0DB7D3A1AEB55340F080126F622C63B2CBA19F41E7B1

Function 00C91410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00C91459
CoUninitialize.COMBASE ref: 00C914F8
UnregisterHotKey.USER32(?), ref: 00C916DD
DestroyWindow.USER32(?), ref: 00CD24B9
FreeLibrary.KERNEL32(?), ref: 00CD251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00CD254B

Strings

close all, xrefs: 00C91454

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 1197b2137df3f9ca33b37ef46da90dc5518cf5ed12a620308b851786aa522419
Instruction ID: 3f1da7c4ba4fc36fccaf81bcde92c5f9fa5387b416741a9dc6e3cb1e06483401
Opcode Fuzzy Hash: 1197b2137df3f9ca33b37ef46da90dc5518cf5ed12a620308b851786aa522419
Instruction Fuzzy Hash: 0AD18A31701212CFCB29EF55D49AA29F7A0BF15700F1942AEE94AAB351DB30ED12DF64

Function 00C92C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C92C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C92CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00C91CAD,?), ref: 00C92CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00C91CAD,?), ref: 00C92CCF

Strings

AutoIt v3, xrefs: 00C92C89, 00C92C8E, 00C92C8F
edit, xrefs: 00C92CAC

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: c2d7c04430bd5095064152188c678070db6aec7556315d02f7ed5087179f9350
Instruction ID: 0aceb89c9373dbca3384b3466e36bf8000971214e10b3acba9c3658c89b72359
Opcode Fuzzy Hash: c2d7c04430bd5095064152188c678070db6aec7556315d02f7ed5087179f9350
Instruction Fuzzy Hash: 9CF0DA795503907AEB711757AC08E7B2EBDD7DAF50B04105AF901E37A0C6A11C51EEB1

Function 00C93B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00C93B0F,SwapMouseButtons,00000004,?), ref: 00C93B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00C93B0F,SwapMouseButtons,00000004,?), ref: 00C93B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00C93B0F,SwapMouseButtons,00000004,?), ref: 00C93B83

Strings

Control Panel\Mouse, xrefs: 00C93B3E

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: ed66830736f476bcd113dd0790b559837e2319ce664d36c709bd238da5df5b53
Instruction ID: 937b1a2bdd699c0c611542621bf85cd65966cdf99422abda542a7ff450ab9730
Opcode Fuzzy Hash: ed66830736f476bcd113dd0790b559837e2319ce664d36c709bd238da5df5b53
Instruction Fuzzy Hash: 2B112AB5520248FFDF208FA5DC48EAEB7B8EF44744B104459A805D7210D3719F4197A0

Function 00C93923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00CD33A2

Part of subcall function 00C96B57: _wcslen.LIBCMT ref: 00C96B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C93A04

Strings

Line: , xrefs: 00CD33EB

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 3fd27a15b22566d67c397ed1640b1482687223c8c4c9a4f9635daf141bea8fd7
Instruction ID: 1b6982e8caa12a0918005ee6df6398e71b89d93237c1dbf570a4f1f5cde9c302
Opcode Fuzzy Hash: 3fd27a15b22566d67c397ed1640b1482687223c8c4c9a4f9635daf141bea8fd7
Instruction Fuzzy Hash: E631C571448340AFCB25EB50DC49BEFB7E8AB40710F04451AF59A932E1DB709B49D7E2

Function 00CAFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00CB0668

Part of subcall function 00CB32A4: RaiseException.KERNEL32(?,?,?,00CB068A,?,00D61444,?,?,?,?,?,?,00CB068A,00C91129,00D58738,00C91129), ref: 00CB3304

__CxxThrowException@8.LIBVCRUNTIME ref: 00CB0685

Strings

Unknown exception, xrefs: 00CB0692

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: b9faf680ea33c3f0b04bb00d2e8198d379106a0bdd0092f047ab1b3ed75e5272
Instruction ID: f289da102764f9ce809c47a5ff1dee1c1ce69f6c2c0d18e12cb732b05418fe73
Opcode Fuzzy Hash: b9faf680ea33c3f0b04bb00d2e8198d379106a0bdd0092f047ab1b3ed75e5272
Instruction Fuzzy Hash: 89F0C23490030DB78F14BAA4D846CDF7B7C9E00754F704535BC2496592EF71DB2AE691

Function 00C910F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C91BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C91BF4
Part of subcall function 00C91BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00C91BFC
Part of subcall function 00C91BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C91C07
Part of subcall function 00C91BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C91C12
Part of subcall function 00C91BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00C91C1A
Part of subcall function 00C91BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00C91C22

Part of subcall function 00C91B4A: RegisterWindowMessageW.USER32(00000004,?,00C912C4), ref: 00C91BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00C9136A
OleInitialize.OLE32 ref: 00C91388
CloseHandle.KERNEL32(00000000,00000000), ref: 00CD24AB

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: c1f6297da0db6f32c46701f12294e6720ab48419f69948b888bae93be7e6ff19
Instruction ID: 0b3ad9948390d20ebe6bf0fe39905166a6288d4c969a251fdf16d97379cbec76
Opcode Fuzzy Hash: c1f6297da0db6f32c46701f12294e6720ab48419f69948b888bae93be7e6ff19
Instruction Fuzzy Hash: BF71A7BC9113019F8784DF7AA94A659BBF0BB9834575C822AD40BC7361EBB04444AFB5

Function 00CFC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C93923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C93A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00CFC259
KillTimer.USER32(?,00000001,?,?), ref: 00CFC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00CFC270

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: ae38f7735d2ff11b2cb50a1c47d92a4bd4ab17e98fe460055b0327b1a5846831
Instruction ID: 6e90f3abefce6ea606ced4667e482d24c2b5e21d7ec6c74be6651254ade20b6d
Opcode Fuzzy Hash: ae38f7735d2ff11b2cb50a1c47d92a4bd4ab17e98fe460055b0327b1a5846831
Instruction Fuzzy Hash: AD31C570A04348AFEB729F64C995BEBBBEC9F16304F040499D2EA93241C7745B85CB52

Function 00CC86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00CC85CC,?,00D58CC8,0000000C), ref: 00CC8704
GetLastError.KERNEL32(?,00CC85CC,?,00D58CC8,0000000C), ref: 00CC870E
__dosmaperr.LIBCMT ref: 00CC8739

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 4f7919f5aa2b98d876864cb97ee6e6e78297cd976f6a3710cf6a63e447ee03ca
Instruction ID: 0c92dee8a658daa5fd59642e047d63633080bf28d3e59eaeee26279311036fae
Opcode Fuzzy Hash: 4f7919f5aa2b98d876864cb97ee6e6e78297cd976f6a3710cf6a63e447ee03ca
Instruction Fuzzy Hash: B4014E32E0566026D7346334E845F7F6B494B91778F3D021DF824CB2E2DEA0EDC592A0

Function 00C9DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00C9DB7B
DispatchMessageW.USER32(?), ref: 00C9DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C9DB9F
Sleep.KERNELBASE(0000000A), ref: 00C9DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00CE1CC9

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 84cdf488ec6b5ab6897c91a4d840800346fd97359d0dc2956dd2a27ef9e32b9c
Instruction ID: 798193fe726a30b6006e5bb10b9d127c3e0f68f2e20253e7b23212ddfe6d0469
Opcode Fuzzy Hash: 84cdf488ec6b5ab6897c91a4d840800346fd97359d0dc2956dd2a27ef9e32b9c
Instruction Fuzzy Hash: A0F05E306043809BEB30CB618C49FAA73A8EB55350F144A19E61AD31C0DB3095899B75

Function 00CA1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00CA17F6

Strings

CALL, xrefs: 00CA17C6

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: a8921715090e8da9f846721e91202f2544a455c9cdd309e3aa86cfa5fe784896
Instruction ID: f7803579e4ff70ad78147d5202db70565406cbf7cf2351326c4138fcccac3570
Opcode Fuzzy Hash: a8921715090e8da9f846721e91202f2544a455c9cdd309e3aa86cfa5fe784896
Instruction Fuzzy Hash: 8F229D706083429FC714CF25C484A2ABBF1BF9A358F28891DF8968B3A1D771E945DB52

Function 00C92DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00CD2C8C

Part of subcall function 00C93AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C93A97,?,?,00C92E7F,?,?,?,00000000), ref: 00C93AC2

Part of subcall function 00C92DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C92DC4

Strings

X, xrefs: 00CD2C5A

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 38058f20163b9cbbe56a16ba4a1896bf47501d703846caa7e515bd55c357c580
Instruction ID: 0131033ee12156f607d184591d74978d009a2e4e0e89292a62d5ce798418c64f
Opcode Fuzzy Hash: 38058f20163b9cbbe56a16ba4a1896bf47501d703846caa7e515bd55c357c580
Instruction Fuzzy Hash: C321C371A10298AFDF01DF94C849BEE7BF8AF48305F00405AE905E7341DBB49A499BA1

Function 00C93837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C93908

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 7c539152bdeb68e627011c1ea15e8bcbebc72fa17a97bdea42fb2e20229f663a
Instruction ID: b660fa383d9bb16574f2880aaf4592a9abfb46b1e6759e5cd0f2986d152091ed
Opcode Fuzzy Hash: 7c539152bdeb68e627011c1ea15e8bcbebc72fa17a97bdea42fb2e20229f663a
Instruction Fuzzy Hash: D63181705047419FD720DF64D888797BBE8FB49708F04092EF5AAC7390E7B1AA45CBA2

Function 00CAF645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00CAF661

Part of subcall function 00C9D730: GetInputState.USER32 ref: 00C9D807

Sleep.KERNEL32(00000000), ref: 00CEF2DE

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: ba3750ffed400dc3bde5db50563714cf16827cba192c5e08fabd4554892d6906
Instruction ID: 93c40755314a382b6ce4a06679c179ff9456727a010ba621b760ff79b013d089
Opcode Fuzzy Hash: ba3750ffed400dc3bde5db50563714cf16827cba192c5e08fabd4554892d6906
Instruction Fuzzy Hash: 3CF08C31240706AFD310EFA9E549B6AB7E8EF55760F000029F85AC7360DB70AC01CBA1

Function 00C9B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00C9BB4E

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: ffec6299ec26d8ae4fcaa0e51b339a5e3df21ed608c3698f793ddf869072a663
Instruction ID: 5b0f96e29a4d5c197e5286124d5df8d4036bb4d21801b2d771b956c357d574ad
Opcode Fuzzy Hash: ffec6299ec26d8ae4fcaa0e51b339a5e3df21ed608c3698f793ddf869072a663
Instruction Fuzzy Hash: E232D434A00249EFCF14CF55D998ABE77B5EF44304F258059E916AB3A1C7B4EE81CBA1

Function 00C94ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C94E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C94EDD,?,00D61418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C94E9C
Part of subcall function 00C94E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C94EAE
Part of subcall function 00C94E90: FreeLibrary.KERNEL32(00000000,?,?,00C94EDD,?,00D61418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C94EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00D61418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C94EFD

Part of subcall function 00C94E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00CD3CDE,?,00D61418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C94E62
Part of subcall function 00C94E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C94E74
Part of subcall function 00C94E59: FreeLibrary.KERNEL32(00000000,?,?,00CD3CDE,?,00D61418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C94E87

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: b35d90e55a3ec72758c176820d10f0f84c6b54959339666ba2ae3912c92376c2
Instruction ID: ff320e66341f37f4aaf7028e5efbbd1fdfd1f3071f687ec612e5636614567e0a
Opcode Fuzzy Hash: b35d90e55a3ec72758c176820d10f0f84c6b54959339666ba2ae3912c92376c2
Instruction Fuzzy Hash: 3F110A32610306AACF28FFA4DC0AFAD77A59F50750F10842DF542B61D1EE70DE0AA760

Function 00CC8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00CC8440

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: c2cdacff5dfb497adbd57e9086e34b81f883416a281f662bcd8501a67e9a8f59
Instruction ID: d3632ebdfaea0cd0b208952aec3249b1fa1f572d831dfe0e264a110d800a0ad4
Opcode Fuzzy Hash: c2cdacff5dfb497adbd57e9086e34b81f883416a281f662bcd8501a67e9a8f59
Instruction Fuzzy Hash: 1911487190420AAFCB09DF58E940E9F7BF5EF48300F104069F808AB312DA30DA15CBA4

Function 00CC5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00CC4C7D: RtlAllocateHeap.NTDLL(00000008,00C91129,00000000,?,00CC2E29,00000001,00000364,?,?,?,00CBF2DE,00CC3863,00D61444,?,00CAFDF5,?), ref: 00CC4CBE

_free.LIBCMT ref: 00CC506C

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 69a44f1f380851e3be85c68908783611e35824c382c15129826e16fca580c2b5
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 630126726047046BE3258E65D881F5AFBE8FB89370F25051DE594832C0EB30A945C6B4

Function 00CBE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: e48a415564cb9b0c96f4cf8dac80f44b98a23f0dac78aee654c448c6f39d3dff
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 33F02832910A18DAC7313A6ACC05FDB379C9F62734F100719F831932D2DF70D906A6A6

Function 00CC4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00C91129,00000000,?,00CC2E29,00000001,00000364,?,?,?,00CBF2DE,00CC3863,00D61444,?,00CAFDF5,?), ref: 00CC4CBE

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3ff7c27e411fd9b7896a0a448373953cf21f35e14e6057f37d2b77f2e5b826ec
Instruction ID: 92b139dd0e4dbd27d78829fa1150b098240dc72366f8b4d98ae041a16f672124
Opcode Fuzzy Hash: 3ff7c27e411fd9b7896a0a448373953cf21f35e14e6057f37d2b77f2e5b826ec
Instruction Fuzzy Hash: 2AF0B431A0622466DB295F66DC15F9A3788AF517B1B14C119FC26E62A1CA70D90156E0

Function 00CC3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00D61444,?,00CAFDF5,?,?,00C9A976,00000010,00D61440,00C913FC,?,00C913C6,?,00C91129), ref: 00CC3852

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 85fe709739273be89989bc364bd1fad768ece9c95c832988f6c2d1fba37f3dcb
Instruction ID: 155ed6cbb718ac3a765cb9c460725574f1f7e477099a0d16bf7e6500688d40a1
Opcode Fuzzy Hash: 85fe709739273be89989bc364bd1fad768ece9c95c832988f6c2d1fba37f3dcb
Instruction Fuzzy Hash: 7BE0E5312042A456E7312A67FC01FDA3758AB427B0F05802AFC25D6AC1CB10DF0195F1

Function 00C94F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00D61418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C94F6D

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 857b41230871bbf5253a855b05848910392a6c1e1c9c89d00fe83c804db738f9
Instruction ID: f11384e788d6ca9fb860c38b1c6690a730a98ceea7754779d0d58773b88ac559
Opcode Fuzzy Hash: 857b41230871bbf5253a855b05848910392a6c1e1c9c89d00fe83c804db738f9
Instruction Fuzzy Hash: C6F03971109752CFDF389FA5D498C66BBE4EF143293208A7EE1EA82621C731D845DF10

Function 00C930F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00C9314E

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: fb1798250707c98b0e4510a58aee20c6432d655fcbf02d95a1b4291a0da9a94e
Instruction ID: 05419b7205dfb018445aae2fdc3a4ca13daf694a7469bf28dd4d7d3bf8d7f0c0
Opcode Fuzzy Hash: fb1798250707c98b0e4510a58aee20c6432d655fcbf02d95a1b4291a0da9a94e
Instruction Fuzzy Hash: 7AF0A7709143049FEB529B24DC497DA7BFCA701708F0400E5E149D7391D7B05B88CFA1

Function 00C92DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C92DC4

Part of subcall function 00C96B57: _wcslen.LIBCMT ref: 00C96B6A

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 929c944780375c6263293b4f6ad669a2d3707f4acb97d665b597b5d398df35ca
Instruction ID: 3b59e353697a7df248a1d6aaf3ec3526c8b81da3f5e8459fe93bdc10b6cdfb68
Opcode Fuzzy Hash: 929c944780375c6263293b4f6ad669a2d3707f4acb97d665b597b5d398df35ca
Instruction Fuzzy Hash: 51E0CD726002245BCB20D798DC05FDA77DDDFC8790F040071FD09D7348D960ED849550

Function 00C92B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00C93837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C93908

Part of subcall function 00C9D730: GetInputState.USER32 ref: 00C9D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00C92B6B

Part of subcall function 00C930F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00C9314E

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 77a2ffaba6c12605450ac505da966eee8677f87f7d33bdc8ace439e926143f3c
Instruction ID: 8ee76e424d84da6dff8a7eb1ffbef54baa2077199d84c773fe3ea0a50441b025
Opcode Fuzzy Hash: 77a2ffaba6c12605450ac505da966eee8677f87f7d33bdc8ace439e926143f3c
Instruction Fuzzy Hash: CFE0262230038407CE08BB75981A47DA3898BE1351F40143EF143832A2CF208A455222

Function 00CD039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00CD0704,?,?,00000000,?,00CD0704,00000000,0000000C), ref: 00CD03B7

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2cc0ebcbb3a83803dec7a379f0914562a35167e7cfb14295cad1a53d40fecf68
Instruction ID: a9b5d73c63b608506b8dc2de8affa7b97bf0ee7971b2ddc56444e9be942ec256
Opcode Fuzzy Hash: 2cc0ebcbb3a83803dec7a379f0914562a35167e7cfb14295cad1a53d40fecf68
Instruction Fuzzy Hash: F7D06C3205020DBBDF128F84DD06EDA3BAAFB48714F014000BE1896120C732E832AB90

Function 00C91CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00C91CBC

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: ec2f7c3e4ed0ec5354c569359af3c068f7258b185d1ebc3e78c1d3f1654cdbec
Instruction ID: be05203632d3e9a9cd247c4fe5f8802aebbb62e88aef89db078036e0edbcca5f
Opcode Fuzzy Hash: ec2f7c3e4ed0ec5354c569359af3c068f7258b185d1ebc3e78c1d3f1654cdbec
Instruction Fuzzy Hash: D7C09B352803049FF2244780BC4AF147764A768B00F044001F60AD57E3C3E16810D670

Non-executed Functions

Function 00D29576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CA9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00D2961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D2965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00D2969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D296C9
SendMessageW.USER32 ref: 00D296F2
GetKeyState.USER32(00000011), ref: 00D2978B
GetKeyState.USER32(00000009), ref: 00D29798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D297AE
GetKeyState.USER32(00000010), ref: 00D297B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D297E9
SendMessageW.USER32 ref: 00D29810
SendMessageW.USER32(?,00001030,?,00D27E95), ref: 00D29918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00D2992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00D29941
SetCapture.USER32(?), ref: 00D2994A
ClientToScreen.USER32(?,?), ref: 00D299AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00D299BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00D299D6
ReleaseCapture.USER32 ref: 00D299E1
GetCursorPos.USER32(?), ref: 00D29A19
ScreenToClient.USER32(?,?), ref: 00D29A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00D29A80
SendMessageW.USER32 ref: 00D29AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00D29AEB
SendMessageW.USER32 ref: 00D29B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00D29B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00D29B4A
GetCursorPos.USER32(?), ref: 00D29B68
ScreenToClient.USER32(?,?), ref: 00D29B75
GetParent.USER32(?), ref: 00D29B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00D29BFA
SendMessageW.USER32 ref: 00D29C2B
ClientToScreen.USER32(?,?), ref: 00D29C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00D29CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00D29CDE
SendMessageW.USER32 ref: 00D29D01
ClientToScreen.USER32(?,?), ref: 00D29D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00D29D82

Part of subcall function 00CA9944: GetWindowLongW.USER32(?,000000EB), ref: 00CA9952

GetWindowLongW.USER32(?,000000F0), ref: 00D29E05

Strings

@GUI_DRAGID, xrefs: 00D2997D
F, xrefs: 00D29D07

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 89812f17a9c92e3fb159831cbcfe3a0428df965a2140140891d08527d126b2b7
Instruction ID: 1e5e4a799c76f788ef0af292bc77ca58f00fb404100e08d21309a22dacb0f0d4
Opcode Fuzzy Hash: 89812f17a9c92e3fb159831cbcfe3a0428df965a2140140891d08527d126b2b7
Instruction Fuzzy Hash: 85429934204311AFDB20CF24D864AAABBE5FFA9319F180619F699873A1D731E851DF61

Function 00D24873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00D248F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00D24908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00D24927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00D2494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00D2495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00D2497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00D249AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00D249D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00D24A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00D24A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00D24A7E
IsMenu.USER32(?), ref: 00D24A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D24AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D24B20
GetWindowLongW.USER32(?,000000F0), ref: 00D24B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00D24BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00D24C82
wsprintfW.USER32 ref: 00D24CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00D24CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00D24CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00D24D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00D24D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00D24D5A

Strings

%d/%02d/%02d, xrefs: 00D24CA8

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: f2262e0a2aad9aec51f39701e123da582e276e17aaf98f2ec621c99c14e179f1
Instruction ID: 8c2d750eae9437577807b5896507e49529eccfc12d002fcf6c303b2cc0f6c6e5
Opcode Fuzzy Hash: f2262e0a2aad9aec51f39701e123da582e276e17aaf98f2ec621c99c14e179f1
Instruction Fuzzy Hash: 0512C071600324ABEB248F28EC49FAE7BF8EF95718F144119F915DA2E1DB74D941CB60

Function 00CAF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00CAF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CEF474
IsIconic.USER32(00000000), ref: 00CEF47D
ShowWindow.USER32(00000000,00000009), ref: 00CEF48A
SetForegroundWindow.USER32(00000000), ref: 00CEF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00CEF4AA
GetCurrentThreadId.KERNEL32 ref: 00CEF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00CEF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00CEF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00CEF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00CEF4DE
SetForegroundWindow.USER32(00000000), ref: 00CEF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CEF4F6
keybd_event.USER32(00000012,00000000), ref: 00CEF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CEF50B
keybd_event.USER32(00000012,00000000), ref: 00CEF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CEF519
keybd_event.USER32(00000012,00000000), ref: 00CEF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CEF528
keybd_event.USER32(00000012,00000000), ref: 00CEF52D
SetForegroundWindow.USER32(00000000), ref: 00CEF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00CEF557

Strings

Shell_TrayWnd, xrefs: 00CEF46F

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: d20690b69bceeb771748f82abcb794e0e0ca5b14112b88d907ee3e4ece760fca
Instruction ID: 0526c807454a85c2c19fcd65855e5f3906be4f7588d145433f5f47d2913aa665
Opcode Fuzzy Hash: d20690b69bceeb771748f82abcb794e0e0ca5b14112b88d907ee3e4ece760fca
Instruction Fuzzy Hash: DC319871A503587FEB316BB64C49FBF7E6CEB54B50F101029FA01E61D1C6B09D02AAB0

Function 00CF1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00CF16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00CF170D
Part of subcall function 00CF16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00CF173A
Part of subcall function 00CF16C3: GetLastError.KERNEL32 ref: 00CF174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00CF1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00CF12A8
CloseHandle.KERNEL32(?), ref: 00CF12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00CF12D1
GetProcessWindowStation.USER32 ref: 00CF12EA
SetProcessWindowStation.USER32(00000000), ref: 00CF12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00CF1310

Part of subcall function 00CF10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00CF11FC), ref: 00CF10D4
Part of subcall function 00CF10BF: CloseHandle.KERNEL32(?,?,00CF11FC), ref: 00CF10E9

Strings

winsta0, xrefs: 00CF12CC
default, xrefs: 00CF130B
, xrefs: 00CF125A

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 644d1eabbe346c9770a2fc0f58b0e29ac9dd616f6562478015b428c94d1d52cb
Instruction ID: 97c7eaa0615e6d38f9addbb5a10ded648ec33daa4800a00b97d3ce6dc55b9778
Opcode Fuzzy Hash: 644d1eabbe346c9770a2fc0f58b0e29ac9dd616f6562478015b428c94d1d52cb
Instruction Fuzzy Hash: 90816571900209EBDF259FA4DC49BFE7BB9AF44704F184129FE21E62A0C7318A45CB62

Function 00CF0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00CF1114
Part of subcall function 00CF10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00CF0B9B,?,?,?), ref: 00CF1120
Part of subcall function 00CF10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00CF0B9B,?,?,?), ref: 00CF112F
Part of subcall function 00CF10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00CF0B9B,?,?,?), ref: 00CF1136
Part of subcall function 00CF10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00CF114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00CF0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00CF0C00
GetLengthSid.ADVAPI32(?), ref: 00CF0C17
GetAce.ADVAPI32(?,00000000,?), ref: 00CF0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00CF0C6D
GetLengthSid.ADVAPI32(?), ref: 00CF0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00CF0C8C
HeapAlloc.KERNEL32(00000000), ref: 00CF0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00CF0CB4
CopySid.ADVAPI32(00000000), ref: 00CF0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00CF0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00CF0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00CF0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CF0D45
HeapFree.KERNEL32(00000000), ref: 00CF0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CF0D55
HeapFree.KERNEL32(00000000), ref: 00CF0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CF0D65
HeapFree.KERNEL32(00000000), ref: 00CF0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00CF0D78
HeapFree.KERNEL32(00000000), ref: 00CF0D7F

Part of subcall function 00CF1193: GetProcessHeap.KERNEL32(00000008,00CF0BB1,?,00000000,?,00CF0BB1,?), ref: 00CF11A1
Part of subcall function 00CF1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00CF0BB1,?), ref: 00CF11A8
Part of subcall function 00CF1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00CF0BB1,?), ref: 00CF11B7

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 5568f3227d337d26c3a23f21ab6762d75fc7de660895658917d42f156c39bca3
Instruction ID: 54b5411c0f7eef322a661f108168b37c9c93066ec368870ef8869e775f2a371a
Opcode Fuzzy Hash: 5568f3227d337d26c3a23f21ab6762d75fc7de660895658917d42f156c39bca3
Instruction Fuzzy Hash: 20717C7190020AABDF609FA4DC45FBEBBBDBF14700F244519EA14E6292D771AE06CB71

Function 00D0EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00D2CC08), ref: 00D0EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00D0EB37
GetClipboardData.USER32(0000000D), ref: 00D0EB43
CloseClipboard.USER32 ref: 00D0EB4F
GlobalLock.KERNEL32(00000000), ref: 00D0EB87
CloseClipboard.USER32 ref: 00D0EB91
GlobalUnlock.KERNEL32(00000000), ref: 00D0EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00D0EBC9
GetClipboardData.USER32(00000001), ref: 00D0EBD1
GlobalLock.KERNEL32(00000000), ref: 00D0EBE2
GlobalUnlock.KERNEL32(00000000), ref: 00D0EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00D0EC38
GetClipboardData.USER32(0000000F), ref: 00D0EC44
GlobalLock.KERNEL32(00000000), ref: 00D0EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00D0EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00D0EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00D0ECD2
GlobalUnlock.KERNEL32(00000000), ref: 00D0ECF3
CountClipboardFormats.USER32 ref: 00D0ED14
CloseClipboard.USER32 ref: 00D0ED59

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: ac0d00bb81bebd74b73934d09b81d420a4bc82086cfea5f7d823f0768fc07e0b
Instruction ID: 116397f3a8d36692542a08a97a3d265c79390018aa473c434d671ae4c599e382
Opcode Fuzzy Hash: ac0d00bb81bebd74b73934d09b81d420a4bc82086cfea5f7d823f0768fc07e0b
Instruction Fuzzy Hash: EB618835204302AFD710EF24D898B6A77A4EF94704F085959F85A872E2DB71ED06DBB2

Function 00D0698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00D069BE
FindClose.KERNEL32(00000000), ref: 00D06A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00D06A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00D06A75

Part of subcall function 00C99CB3: _wcslen.LIBCMT ref: 00C99CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00D06AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00D06ADF

Strings

%4d, xrefs: 00D06BB1
%02d, xrefs: 00D06C00, 00D06C0A, 00D06C5A, 00D06CAA, 00D06CFA, 00D06D4A
%4d%02d%02d%02d%02d%02d, xrefs: 00D06B6A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00D06B32
%03d, xrefs: 00D06DA2

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: ee4a7310752b2e478e634e88a80cbe241037c9edee77de6fa384ff725d821f7d
Instruction ID: 0db17ae20123918b54402fbc7c663ea04c0a0eb348f6abf8b33c1f258075a1c1
Opcode Fuzzy Hash: ee4a7310752b2e478e634e88a80cbe241037c9edee77de6fa384ff725d821f7d
Instruction Fuzzy Hash: C1D14E72508300AFC710EBA4C885EAFB7ECAF99704F44491DF589C7291EB74DA48DB62

Function 00D09642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00D09663
GetFileAttributesW.KERNEL32(?), ref: 00D096A1
SetFileAttributesW.KERNEL32(?,?), ref: 00D096BB
FindNextFileW.KERNEL32(00000000,?), ref: 00D096D3
FindClose.KERNEL32(00000000), ref: 00D096DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00D096FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00D0974A
SetCurrentDirectoryW.KERNEL32(00D56B7C), ref: 00D09768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D09772
FindClose.KERNEL32(00000000), ref: 00D0977F
FindClose.KERNEL32(00000000), ref: 00D0978F

Strings

*.*, xrefs: 00D096F5

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: a43106a68bdeebeb18e3bd49287a7d8de4beb6ceddf55b8d66fdf3912c7c5daf
Instruction ID: ea68fa8558511294414329dc7283fa1175fa1ce4c2ed2883261a2cb35846b52e
Opcode Fuzzy Hash: a43106a68bdeebeb18e3bd49287a7d8de4beb6ceddf55b8d66fdf3912c7c5daf
Instruction Fuzzy Hash: DB31E032541219AECF24EFB4EC19BDEB7ACAF49321F144155F808E21E1DB30DE458A74

Function 00D0979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00D097BE
FindNextFileW.KERNEL32(00000000,?), ref: 00D09819
FindClose.KERNEL32(00000000), ref: 00D09824
FindFirstFileW.KERNEL32(*.*,?), ref: 00D09840
SetCurrentDirectoryW.KERNEL32(?), ref: 00D09890
SetCurrentDirectoryW.KERNEL32(00D56B7C), ref: 00D098AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D098B8
FindClose.KERNEL32(00000000), ref: 00D098C5
FindClose.KERNEL32(00000000), ref: 00D098D5

Part of subcall function 00CFDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00CFDB00

Strings

*.*, xrefs: 00D0983B

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: b0403afbcece87ede9c82ba47819855c04e8722398635ecc3647e509a2a65ef2
Instruction ID: bd85a3b87c80a378f72291f8fff2bfda72b2e52844b00a76901e9e5fc162fb49
Opcode Fuzzy Hash: b0403afbcece87ede9c82ba47819855c04e8722398635ecc3647e509a2a65ef2
Instruction Fuzzy Hash: D431E3325016196EDF24EFB4EC58BDEB7AC9F06320F148156E818E32E1DB30DD498A74

Function 00D1BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D1C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D1B6AE,?,?), ref: 00D1C9B5
Part of subcall function 00D1C998: _wcslen.LIBCMT ref: 00D1C9F1
Part of subcall function 00D1C998: _wcslen.LIBCMT ref: 00D1CA68
Part of subcall function 00D1C998: _wcslen.LIBCMT ref: 00D1CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D1BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00D1BFA9
RegCloseKey.ADVAPI32(00000000), ref: 00D1BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00D1C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00D1C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00D1C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00D1C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00D1C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00D1C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00D1C382
RegCloseKey.ADVAPI32(00000000), ref: 00D1C38F

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 97ff444f2aead4c3fe252f40b99d209a77a1f40b402b209fa793ed51670994bf
Instruction ID: 0bee510ba3e170fb2584ba90d8fe748d4e6cc126f7b037e5df5903e511de13ce
Opcode Fuzzy Hash: 97ff444f2aead4c3fe252f40b99d209a77a1f40b402b209fa793ed51670994bf
Instruction Fuzzy Hash: D9026071614200AFC714CF28D895E6ABBE5EF49318F18C49DF45ACB2A2DB31ED46CB61

Function 00D08195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00D08257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00D08267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00D08273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00D08310
SetCurrentDirectoryW.KERNEL32(?), ref: 00D08324
SetCurrentDirectoryW.KERNEL32(?), ref: 00D08356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00D0838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00D08395

Strings

*.*, xrefs: 00D0839B

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: f72a0f607d99991ea0d1b176f456338760004e5f3b7fd1f2112e956cf2a87086
Instruction ID: d4078245bfca4be14a03da4e0e79cc6b126a21bb2666ed3becd4cb0b82204e59
Opcode Fuzzy Hash: f72a0f607d99991ea0d1b176f456338760004e5f3b7fd1f2112e956cf2a87086
Instruction Fuzzy Hash: C0616D725083059FCB10EF64D844AAEB3E8FF89314F04491DF999D7251EB31E945DBA2

Function 00CFD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C93AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C93A97,?,?,00C92E7F,?,?,?,00000000), ref: 00C93AC2

Part of subcall function 00CFE199: GetFileAttributesW.KERNEL32(?,00CFCF95), ref: 00CFE19A

FindFirstFileW.KERNEL32(?,?), ref: 00CFD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00CFD1DD
MoveFileW.KERNEL32(?,?), ref: 00CFD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00CFD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00CFD237

Part of subcall function 00CFD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00CFD21C,?,?), ref: 00CFD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00CFD253
FindClose.KERNEL32(00000000), ref: 00CFD264

Strings

\*.*, xrefs: 00CFD0CD, 00CFD0D6, 00CFD0EB

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: cfeb016ed7c40a6d7350ed7ec95fe5d1a12e77ed04b97abd7496aefc7d5f9eeb
Instruction ID: b42757658c6e61b5abce66e96bc7277687c65e2b0802174ed3b2e444cdf5c91f
Opcode Fuzzy Hash: cfeb016ed7c40a6d7350ed7ec95fe5d1a12e77ed04b97abd7496aefc7d5f9eeb
Instruction Fuzzy Hash: 38617F3180110D9BCF15EBE4C9969FDB776AF55300F208169E512771A2EF315F09EBA2

Function 00D0ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00D0ED91
EmptyClipboard.USER32 ref: 00D0ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00D0EDAC
CloseClipboard.USER32 ref: 00D0EEA3

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 17dc16e25df2c8423c222d7f8ecd19e637a2fe6d05b9a03c6b68efc7a5f46e28
Instruction ID: de8c3abb12f9efe8d89269cb6bfda8bdafa3c7eb964efe68b742e0781f2429bb
Opcode Fuzzy Hash: 17dc16e25df2c8423c222d7f8ecd19e637a2fe6d05b9a03c6b68efc7a5f46e28
Instruction Fuzzy Hash: 0441BC35204611AFE720DF15D888B19BBE1EF44319F18C499E42ACB7A2C735EC42CBA0

Function 00CFE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00CF170D
Part of subcall function 00CF16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00CF173A
Part of subcall function 00CF16C3: GetLastError.KERNEL32 ref: 00CF174A

ExitWindowsEx.USER32(?,00000000), ref: 00CFE932

Strings

@, xrefs: 00CFE925
, xrefs: 00CFE95C
SeShutdownPrivilege, xrefs: 00CFE902
, xrefs: 00CFE920

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 6711a66d16ddbdb84f3261ad59eede16acbc140538ec27f2eac7c8881c2f66e8
Instruction ID: ad27be0f287559c128af1f1c395ab54c397f6fd29668c827dccdf21fb141f781
Opcode Fuzzy Hash: 6711a66d16ddbdb84f3261ad59eede16acbc140538ec27f2eac7c8881c2f66e8
Instruction Fuzzy Hash: 9F012632620318AFEBA427B59C86FFF72AC9B14751F180521FE12E21E1D9E05E4091B2

Function 00D11204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00D11276
WSAGetLastError.WSOCK32 ref: 00D11283
bind.WSOCK32(00000000,?,00000010), ref: 00D112BA
WSAGetLastError.WSOCK32 ref: 00D112C5
closesocket.WSOCK32(00000000), ref: 00D112F4
listen.WSOCK32(00000000,00000005), ref: 00D11303
WSAGetLastError.WSOCK32 ref: 00D1130D
closesocket.WSOCK32(00000000), ref: 00D1133C

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 756445fe3cc2d64af4179415d5954bb3bac09500871eed2d0aa97de3ef1ae70b
Instruction ID: a9fbb533e64eb07dd15ddeb1f0013c2dc6c7d838801172bd136a40102459a976
Opcode Fuzzy Hash: 756445fe3cc2d64af4179415d5954bb3bac09500871eed2d0aa97de3ef1ae70b
Instruction Fuzzy Hash: E941A235600240AFD720DF64D489B69BBE5AF46318F188188E9568F396CB71EC82CBF1

Function 00CFD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C93AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C93A97,?,?,00C92E7F,?,?,?,00000000), ref: 00C93AC2

Part of subcall function 00CFE199: GetFileAttributesW.KERNEL32(?,00CFCF95), ref: 00CFE19A

FindFirstFileW.KERNEL32(?,?), ref: 00CFD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00CFD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00CFD481
FindClose.KERNEL32(00000000), ref: 00CFD498
FindClose.KERNEL32(00000000), ref: 00CFD4A1

Strings

\*.*, xrefs: 00CFD3F2

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 44f1ba2da579645a45890b5c4daa124c496a429790b7ce3121049c53c9969a0d
Instruction ID: a7582da7569aa45427346ae2a942d525632eb88a6e4200d3e3b9af3785879606
Opcode Fuzzy Hash: 44f1ba2da579645a45890b5c4daa124c496a429790b7ce3121049c53c9969a0d
Instruction Fuzzy Hash: C53170310183459BC714EF64C8559BF7BA8BFA1304F444A1DF5E6931A1EB30EA09E767

Function 00CCE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00CCE645

Strings

1#SNAN, xrefs: 00CCF844
1#IND, xrefs: 00CCF83D
1#INF, xrefs: 00CCF852
1#QNAN, xrefs: 00CCF84B

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: debe89994d0385f37b8b4386c147bedae853348911bfa59357e6e38195bb613b
Instruction ID: f8addaf664c1dea797f36e01dbd24d4e5224f8b5c160c1561a8ad9f95fb8964c
Opcode Fuzzy Hash: debe89994d0385f37b8b4386c147bedae853348911bfa59357e6e38195bb613b
Instruction Fuzzy Hash: C7C20772E046288BDB25CF68DD40BEAB7B6EB49305F1441EED45DE7241E774AE828F40

Function 00D0648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D064DC
CoInitialize.OLE32(00000000), ref: 00D06639
CoCreateInstance.OLE32(00D2FCF8,00000000,00000001,00D2FB68,?), ref: 00D06650
CoUninitialize.OLE32 ref: 00D068D4

Strings

.lnk, xrefs: 00D064BA, 00D06524, 00D065E0

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: da3dea25397e31c13b9f5b0e07770e838c3cbb4710958a2e432994e75400b576
Instruction ID: 8ff84ff173bb0156c67eefa1c45c40ca3258c104e0ffb3768f3b8ab57f4fc468
Opcode Fuzzy Hash: da3dea25397e31c13b9f5b0e07770e838c3cbb4710958a2e432994e75400b576
Instruction Fuzzy Hash: 7ED14A715083019FC714EF24C885A6BB7E8FF94704F44496DF5998B2A1EB71ED09CBA2

Function 00D122DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00D122E8

Part of subcall function 00D0E4EC: GetWindowRect.USER32(?,?), ref: 00D0E504

GetDesktopWindow.USER32 ref: 00D12312
GetWindowRect.USER32(00000000), ref: 00D12319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00D12355
GetCursorPos.USER32(?), ref: 00D12381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00D123DF

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: e5b1abbdc159a1e73c6555d46bedfaee87bc7f1eef3ff643a05fa6de3bbb940f
Instruction ID: 0942ba9e9215f55fdbe4330e4d7800c4e5cffa4708b4a0405544d009d75b23be
Opcode Fuzzy Hash: e5b1abbdc159a1e73c6555d46bedfaee87bc7f1eef3ff643a05fa6de3bbb940f
Instruction Fuzzy Hash: 6A31DE72504315AFC720DF14D849BABBBA9FF88310F00091DF995D7291DB35EA59CBA2

Function 00D09B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00C99CB3: _wcslen.LIBCMT ref: 00C99CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00D09B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00D09C8B

Part of subcall function 00D03874: GetInputState.USER32 ref: 00D038CB
Part of subcall function 00D03874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D03966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00D09BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00D09C75

Strings

*.*, xrefs: 00D09B5D

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: fadce3932b80942b674ecdc69bf2bd4839e41c89b928b29c53677edec1cdb1a7
Instruction ID: d3c14d02b79d4dc67659630e833505c496ca139703ff479c31f189326541e7a4
Opcode Fuzzy Hash: fadce3932b80942b674ecdc69bf2bd4839e41c89b928b29c53677edec1cdb1a7
Instruction Fuzzy Hash: D1415C7194020AAFDF14DF64C899BEEBBB8EF15310F24415AE809A21D2EB309E45DF74

Function 00CA997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00CA9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CA9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00CA9A4E
GetSysColor.USER32(0000000F), ref: 00CA9B23
SetBkColor.GDI32(?,00000000), ref: 00CA9B36

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: a6dd60c557fab687bfdfdeaa15f5937ca11f7d063771129ed375fe4eca9b9594
Instruction ID: 9dbe196da6692f6acc4d1a6d2922791e9ec8f8f473500e5210aa8b1650bb3a7b
Opcode Fuzzy Hash: a6dd60c557fab687bfdfdeaa15f5937ca11f7d063771129ed375fe4eca9b9594
Instruction Fuzzy Hash: 45A13D70108595BFE7399A3E9C5AE7F369DDB8730CF14020AF522C6691CA359F01E271

Function 00D11806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D1304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00D1307A
Part of subcall function 00D1304E: _wcslen.LIBCMT ref: 00D1309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00D1185D
WSAGetLastError.WSOCK32 ref: 00D11884
bind.WSOCK32(00000000,?,00000010), ref: 00D118DB
WSAGetLastError.WSOCK32 ref: 00D118E6
closesocket.WSOCK32(00000000), ref: 00D11915

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 44d697a6244db1ba840d5841d8bca5b6cbcd9be81d3a8d2071942828b627ae8a
Instruction ID: 42321fe2037ac0fa8fd4e6d28cb71a387a76c30bd180fdf54f029028ea35b10e
Opcode Fuzzy Hash: 44d697a6244db1ba840d5841d8bca5b6cbcd9be81d3a8d2071942828b627ae8a
Instruction Fuzzy Hash: 7751E675A00200AFDB10AF24D88AF6A77E5AB49718F18C058FA159F3D3DB71ED41DBA1

Function 00D21C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00D21CC0
IsWindowEnabled.USER32 ref: 00D21CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00D21CDB
IsIconic.USER32 ref: 00D21CE9
IsZoomed.USER32 ref: 00D21CF7

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 2eaed827c172bc1afd80f0f5f1ee0b29b37a7721d85810610e05af10ecba5137
Instruction ID: 91be17008ff9fb13edb7cf9b39216c55f0376bec0edd22ddc958613495bbef66
Opcode Fuzzy Hash: 2eaed827c172bc1afd80f0f5f1ee0b29b37a7721d85810610e05af10ecba5137
Instruction Fuzzy Hash: 8B21D6397402205FD7208F1AE884B2ABBA5EFB5319B1DC068E845CB351C771EC42DBB0

Function 00C98060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00C9843C
VUUU, xrefs: 00C983FA
VUUU, xrefs: 00C983E8
VUUU, xrefs: 00CD5DF0
ERCP, xrefs: 00C9813C

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 8ec1e5ac27a05b539de8af49bb8cbb4827220ee96449e03147d389c8e532c6b4
Instruction ID: 424b3de12f1cc5835fdb17e6594708f2249db942da97bf52001a25a0922a1b67
Opcode Fuzzy Hash: 8ec1e5ac27a05b539de8af49bb8cbb4827220ee96449e03147d389c8e532c6b4
Instruction Fuzzy Hash: 58A29171E0061ACBDF24CF58C8447AEB7B1BF55310F2481AAE925AB385DB749E85CF90

Function 00CFAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00CFAAAC
SetKeyboardState.USER32(00000080), ref: 00CFAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00CFAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00CFAB88

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: e04020b0e69357a4b2949c838cb5ec45c28ce9c4eea1490b1a5da0eb224e1922
Instruction ID: dc6b263fe69c42e7c943b047d4b36f1c6ca535d3d6b7e803b1676d20d92311b7
Opcode Fuzzy Hash: e04020b0e69357a4b2949c838cb5ec45c28ce9c4eea1490b1a5da0eb224e1922
Instruction Fuzzy Hash: 943118B0A4030CAFFF758B65CC05BFABBA6AB45310F14421AF299961E0D3748E85D763

Function 00CCBB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00CCBB7F

Part of subcall function 00CC29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CCD7D1,00000000,00000000,00000000,00000000,?,00CCD7F8,00000000,00000007,00000000,?,00CCDBF5,00000000), ref: 00CC29DE
Part of subcall function 00CC29C8: GetLastError.KERNEL32(00000000,?,00CCD7D1,00000000,00000000,00000000,00000000,?,00CCD7F8,00000000,00000007,00000000,?,00CCDBF5,00000000,00000000), ref: 00CC29F0

GetTimeZoneInformation.KERNEL32 ref: 00CCBB91
WideCharToMultiByte.KERNEL32(00000000,?,00D6121C,000000FF,?,0000003F,?,?), ref: 00CCBC09
WideCharToMultiByte.KERNEL32(00000000,?,00D61270,000000FF,?,0000003F,?,?,?,00D6121C,000000FF,?,0000003F,?,?), ref: 00CCBC36

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 4fafdb6085ff902599c645a52572aacc0abc07a992f073860b32c3fe28667f93
Instruction ID: 4f4951310ddc54892667fe68dd508a92c52bf91354a672b30786c3559775937f
Opcode Fuzzy Hash: 4fafdb6085ff902599c645a52572aacc0abc07a992f073860b32c3fe28667f93
Instruction Fuzzy Hash: 4F31AE74904245DFCB11DFA9CC93A2EBBB8BF59710B1846AEE060D73A1D7709E01DB64

Function 00D0CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00D0CE89
GetLastError.KERNEL32(?,00000000), ref: 00D0CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00D0CEFE

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 44314c179146df4618f77b260251f577540dceeef852f629e957b32b9dd4dde8
Instruction ID: 2462f2955cf0c21c0ea9f3e8c41b208ca90c1707543bb584fcca3e041b2102bd
Opcode Fuzzy Hash: 44314c179146df4618f77b260251f577540dceeef852f629e957b32b9dd4dde8
Instruction Fuzzy Hash: B121AC715107059BDB30CFA5C948BAA7BF8EF10314F24562AFA4AD2191E770EE059B64

Function 00CF8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00CF82AA

Strings

(, xrefs: 00CF82F0
|, xrefs: 00CF82DA

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 31d60ae7dd7f25f9ffa3aa8a6b6155efbe04c301d6850155057a19f0571ab01f
Instruction ID: b4c14c75db85e42195161b940ae35626efa8b25719da9c80620c581fedf96364
Opcode Fuzzy Hash: 31d60ae7dd7f25f9ffa3aa8a6b6155efbe04c301d6850155057a19f0571ab01f
Instruction Fuzzy Hash: A2325675A007099FCB68CF59C081A6AB7F0FF48710B11C56EE5AADB3A1EB70E945CB41

Function 00D05C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00D05CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00D05D17
FindClose.KERNEL32(?), ref: 00D05D5F

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: ecfac0100f7b8df9ce0731be4cc54fa757a97d6f9ada1c1ed75d41cf0c1acfee
Instruction ID: d2eddd1660a8c0b2c94f72edd109e1557016e517d6e8b8b465740f35b3c9c101
Opcode Fuzzy Hash: ecfac0100f7b8df9ce0731be4cc54fa757a97d6f9ada1c1ed75d41cf0c1acfee
Instruction Fuzzy Hash: 79518A35604A019FC714CF28D498E9AB7E4FF49314F18855EE99A8B3A1DB30ED45CFA1

Function 00CC2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00CC271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00CC2724
UnhandledExceptionFilter.KERNEL32(?), ref: 00CC2731

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 83986b96a40ebbaa014353b61264061165cb9e3990449a5d38cdea525be1265e
Instruction ID: 1aed04a9742178cc999cf4fc33783a1be3c098a39bc41b4bad980bc806e4b3d9
Opcode Fuzzy Hash: 83986b96a40ebbaa014353b61264061165cb9e3990449a5d38cdea525be1265e
Instruction Fuzzy Hash: C931D374911318ABCB21DF68DC88BDDBBB8AF08310F5041EAE81CA7261E7309F819F54

Function 00D051CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D051DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00D05238
SetErrorMode.KERNEL32(00000000), ref: 00D052A1

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: a033487efb230b76557c279c7c5e2a98a6ba298fc7b2ef5feb72264413937d43
Instruction ID: ddc66f6d4a34e6a19fc626710c0d0d847a1a19230775189c78817253e914ee61
Opcode Fuzzy Hash: a033487efb230b76557c279c7c5e2a98a6ba298fc7b2ef5feb72264413937d43
Instruction Fuzzy Hash: 6F313E755106189FDB00DF54D485EADBBB4FF49314F088099E8099B396DB31E856CB61

Function 00CF16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00CAFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00CB0668
Part of subcall function 00CAFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00CB0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00CF170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00CF173A
GetLastError.KERNEL32 ref: 00CF174A

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 8901499da2e7a7224fb4eb834afa5896e6705126dc1678eeb58d4aa41edc701d
Instruction ID: 6be220b3c13929c9a312fab3940022e64f48b57b1fb9e9ec637c8b4909a98af3
Opcode Fuzzy Hash: 8901499da2e7a7224fb4eb834afa5896e6705126dc1678eeb58d4aa41edc701d
Instruction Fuzzy Hash: D11191B2814309EFE728AF54DC86D6AB7B9EB44714B24852EF45697241EB70BC428A60

Function 00CFD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00CFD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00CFD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00CFD650

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 17e05a171971091eaa74efeff037dd631be8ffa7726f424ca003ff70457072bc
Instruction ID: 4e9cb47613afd36e06bf4dabab54b05381d56ce66b5f72ae6f603450492617c4
Opcode Fuzzy Hash: 17e05a171971091eaa74efeff037dd631be8ffa7726f424ca003ff70457072bc
Instruction Fuzzy Hash: C0113C75E05328BBDB208F95DC45FAFBBBCEB45B60F108515F914E7290D6704A058BA1

Function 00CF1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00CF168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00CF16A1
FreeSid.ADVAPI32(?), ref: 00CF16B1

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: e1b8cdec0dec7b02a371097f19e0afe57026b214aedeb135b239d831077544e2
Instruction ID: 34a79f5da7d35d6e397a8a70686f18288cf78d6d669a942702f59b81a52d3a53
Opcode Fuzzy Hash: e1b8cdec0dec7b02a371097f19e0afe57026b214aedeb135b239d831077544e2
Instruction Fuzzy Hash: 95F0F47195030DFBDB00DFE49D89EAEBBBCFB08644F505565E901E2281E774AA448A64

Function 00CED27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00CED28C

Strings

X64, xrefs: 00CED2A8

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 34ad3b90ea4df2a90933b050e46794bb84edcbc54a6621ec15d63513d576a0eb
Instruction ID: 9322a693bf451804b3a1dd182f3588af33db24e99239cd40fb0dffa1630609bd
Opcode Fuzzy Hash: 34ad3b90ea4df2a90933b050e46794bb84edcbc54a6621ec15d63513d576a0eb
Instruction Fuzzy Hash: 6AD0C9B481111DEACB90CB91DCC8DDDB37CBB14305F100191F107E2100D73099498F20

Function 00CBCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 59bb160cb014a66e3e5ebdd13926e3ffba7f63df075d2a7f725fc783fc8f29d8
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 35020C71E001199BDF14CFA9C8C06EEBBF5EF98314F25416AD929EB384D731AE418B94

Function 00D068EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00D06918
FindClose.KERNEL32(00000000), ref: 00D06961

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 198134f56e127e0bb2ec0ad2e9a879e64636e80e0b47e488b393bde16fd3fd2c
Instruction ID: 2c046c67f2c7a891866f596ad555ec1cd4d9ee379b39e58bef8e3088f56e0607
Opcode Fuzzy Hash: 198134f56e127e0bb2ec0ad2e9a879e64636e80e0b47e488b393bde16fd3fd2c
Instruction Fuzzy Hash: D2118E316142019FC710DF69D488B1ABBE5EF85328F18C699E4698F7A2DB30EC05CBA1

Function 00D037B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00D14891,?,?,00000035,?), ref: 00D037E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00D14891,?,?,00000035,?), ref: 00D037F4

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: cf38d8485abfd8c9ec27708f73fba1ec8dac88380e940fb72eeafe616b24f45c
Instruction ID: 6da8557a8ebb8f22a84b3203ef70e677f2cd1eeb29d02cd280aca363190e797f
Opcode Fuzzy Hash: cf38d8485abfd8c9ec27708f73fba1ec8dac88380e940fb72eeafe616b24f45c
Instruction Fuzzy Hash: CEF0E5B07043286AEB3057A68C4DFEF3AAEEFC9761F000265F509D22D1D9609D04C7B0

Function 00CFB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00CFB25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00CFB270

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 0e8737d9702e555902505898b828ebab28b970c9eebcadc631569e1459538208
Instruction ID: abbdc70681bd24d1ce2679bdf9055818ea68db98a87fdfa99f175c805bf9298d
Opcode Fuzzy Hash: 0e8737d9702e555902505898b828ebab28b970c9eebcadc631569e1459538208
Instruction Fuzzy Hash: BDF01D7181424EABDF159FA1C805BBE7BB4FF04305F109009F965A6192C379C6129FA5

Function 00CF10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00CF11FC), ref: 00CF10D4
CloseHandle.KERNEL32(?,?,00CF11FC), ref: 00CF10E9

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 2f2a93ede69c4cce01c12edd1753194cae46cc41e483d24cb61e3f3003a1785f
Instruction ID: 612d04440c4bc36cd1b808a1e7c2da2311599799b698b3741e37ace8363db556
Opcode Fuzzy Hash: 2f2a93ede69c4cce01c12edd1753194cae46cc41e483d24cb61e3f3003a1785f
Instruction Fuzzy Hash: 5CE04F32014701EEE7352B61FC05E7777E9EB04324B24882DF5A5804B1DB726CA1EB64

Function 00C9CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00CE0C40

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 4cc77e40b0c4c9554394c468d1fa180813b2678b46746cacb31cc10d1490cca2
Instruction ID: afc9400cf9e695c410ffe738775b46d8ea86874f22c024139b515a793515a677
Opcode Fuzzy Hash: 4cc77e40b0c4c9554394c468d1fa180813b2678b46746cacb31cc10d1490cca2
Instruction Fuzzy Hash: ED32BD31900218DFCF14DF95C9C9AEDB7B5FF05304F244069E816AB292DB75AE85DBA0

Function 00CC676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00CC6766,?,?,00000008,?,?,00CCFEFE,00000000), ref: 00CC6998

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: f1e0dcfa7b837ae30284a7a060584e6f975105a6bac464c33f5a5957124961e8
Instruction ID: 94afbd342252cccd99bcd66dc8d545c14a80aa7ea22409de1baf50f2a163d7fa
Opcode Fuzzy Hash: f1e0dcfa7b837ae30284a7a060584e6f975105a6bac464c33f5a5957124961e8
Instruction Fuzzy Hash: 90B11A316106099FD715CF28C58AF657BE0FF45364F25865CE8AACF2A2C735EA92CB40

Function 00CAB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00CE851F

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 04fa9522d5d010e6d66dd262af1c2ff021436d0cd18c89ad456353c4ed81a79e
Instruction ID: 21f673e6ab957f7f69abc2af7b3b0c4f5bc6e57f343550b093b452d1f998aa9a
Opcode Fuzzy Hash: 04fa9522d5d010e6d66dd262af1c2ff021436d0cd18c89ad456353c4ed81a79e
Instruction Fuzzy Hash: 3112707190022A9FCB14CF59C8806EEB7F5FF49314F14819AE849EB256DB309E85CFA0

Function 00D0EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00D0EABD

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 73d9d09519725f7a3a46c66ef5a4aba5772a630de11fa7504a72a7d4a92b15ad
Instruction ID: fba5000f97912adb393e0c5c5d6402e137bf3e884183fe38443f14845048c4a6
Opcode Fuzzy Hash: 73d9d09519725f7a3a46c66ef5a4aba5772a630de11fa7504a72a7d4a92b15ad
Instruction Fuzzy Hash: 88E04F32310204AFC710EF59D848E9AF7E9AF98760F008416FC49C73A1DB70EC418BA0

Function 00CB09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00CB03EE), ref: 00CB09DA

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: df005fea7cca6e02579db10ff872a993037f11731b868ea3f6aa853fe3d07815
Instruction ID: 920df0554439203688d38273f37f8469043f171d8a1092327cfd31b9de4bad9f
Opcode Fuzzy Hash: df005fea7cca6e02579db10ff872a993037f11731b868ea3f6aa853fe3d07815
Instruction Fuzzy Hash:

Function 00CB781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00CB798B

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: a92cee9934221dea04f578672e1ae42eab687866eea16ff59834d6a177ec9199
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 6E515761A0C7055BDF388569895E7FE27999BD2340F180709ECA2FB2C2CA17DF05E356

Function 00CACC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 310b107f24fc3c99c4247cd89e9a432b7eccf1e2c078cd722e8c7400a4309f22
Instruction ID: adac9bb6ab1b01541f1f1202328270eae0e49dd274a44890887ea16c1c498211
Opcode Fuzzy Hash: 310b107f24fc3c99c4247cd89e9a432b7eccf1e2c078cd722e8c7400a4309f22
Instruction Fuzzy Hash: 52322A32A042968BDF24CF2FC4D067D77A1EB46318F28856AD869DB291D234DF83DB51

Function 00C97920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e748f395620e78207ddc5006921c81b2b78bdb0a951486a3c50a8df2065f2846
Instruction ID: 0551aacbb3b58504b444911061a2d6697c7dd7b4a5f1e75c349fa5bbd8022384
Opcode Fuzzy Hash: e748f395620e78207ddc5006921c81b2b78bdb0a951486a3c50a8df2065f2846
Instruction Fuzzy Hash: D222AF70A0060ADFDF14CFA5D885AAEB7F5FF44300F20462AE816A7391EB35EA15DB50

Function 00C991C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e1bf1787cb7ad787ec139a986dbc3cf045aee049e8ed07ae78255979125334b
Instruction ID: 209ef8317ff4ebf8f486bb7d89b03c105eed6fad961bfeee28626458447538ce
Opcode Fuzzy Hash: 6e1bf1787cb7ad787ec139a986dbc3cf045aee049e8ed07ae78255979125334b
Instruction Fuzzy Hash: 0302C8B0E00206EBDF05EF55D885AAEB7B1FF44304F108169E916DB390EB31EA11DB95

Function 00CC9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaff5727b9dd6a808d89a8b72b7505446d881d6fab485aabfb6633d67e3ef26f
Instruction ID: cade9ccf938d6e26fce030b2de1100919911184696651aae332323e315bb206c
Opcode Fuzzy Hash: aaff5727b9dd6a808d89a8b72b7505446d881d6fab485aabfb6633d67e3ef26f
Instruction Fuzzy Hash: 07B10221D2AF404DD3239639C935336B65CAFBB6D5F91D71BFC26B4E22EB2286834140

Function 00CB1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: db39fe7c4aa14903ddb668ba375b26ec9078d21861df85b11220b471c79bf8da
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: ED9189725080E34ADB2A467E85740BEFFE15A523A1B5E079DDCF2CA1C5FE14CB64D620

Function 00CB1F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 071b8a0585c11c5d867ea109c43a73373e8c9c84b79890814ad7256e3cb286ad
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 6C9178736090E349DB29467E84740BEFFE15A923A1B1E079DD8F2CB1C5EE24CA54D720

Function 00CB19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 044cbdc8f0ee823bcba1da0bd65e984acb9075bf30d3dae4aa3fb48de5574e07
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 419195722090E34EDB2D427A85740BEFFE15A923A2B5E079DD8F2CA1C5FE14D754E620

Function 00CB7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49a845fc66bea9549782145b217203e10a32d45909f2ee965885f95a1826ce56
Instruction ID: f528413841c4683dfd28070c9db5a22f0089d6653475f757c38b855a0cb652c4
Opcode Fuzzy Hash: 49a845fc66bea9549782145b217203e10a32d45909f2ee965885f95a1826ce56
Instruction Fuzzy Hash: 35616431648309A7DE749A688DA5BFE2398DFC1700F201B1AEC63DB2C1DA119F46EB55

Function 00CB7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f18a90a78bd150edabad4bda85dfb403d956cd7b1757a792df4c769eb6ae239d
Instruction ID: c55f5032a4b829a017ac2d1b132268a67ca396704705f283a1f1c1188d0370f0
Opcode Fuzzy Hash: f18a90a78bd150edabad4bda85dfb403d956cd7b1757a792df4c769eb6ae239d
Instruction Fuzzy Hash: 786168316087495ADE385A3888A6BFF2398EFC2780F100B59ED53DF681DA12DF46D355

Function 00CB1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 6439854048db1c7a8234c25df7a4a542bd2ae0985f32e177188fc89607f8c4e3
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 378176336090E349DB6D467A85344BEFFE16A923A1B5E079DD8F2CB1C1EE24CB54D620

Function 00D02046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aad043b45a15b592a333bc27abec05bb95b183332fefadadc071b3b87b5a3687
Instruction ID: 884c1b6fb2495c3eabee5dc05bf886addcb19eb74b73b3f36a7a3941ad1c29c0
Opcode Fuzzy Hash: aad043b45a15b592a333bc27abec05bb95b183332fefadadc071b3b87b5a3687
Instruction Fuzzy Hash: 1A21B7326216118BD728CF79C82767E73E5AB54310F19862EE4A7C37D0DE75A904CBA0

Function 00D12ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00D12B30
DeleteObject.GDI32(00000000), ref: 00D12B43
DestroyWindow.USER32 ref: 00D12B52
GetDesktopWindow.USER32 ref: 00D12B6D
GetWindowRect.USER32(00000000), ref: 00D12B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00D12CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00D12CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D12CF8
GetClientRect.USER32(00000000,?), ref: 00D12D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00D12D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D12D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D12D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D12D80
GlobalLock.KERNEL32(00000000), ref: 00D12D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D12D98
GlobalUnlock.KERNEL32(00000000), ref: 00D12DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D12DA8
GlobalFree.KERNEL32(00000000), ref: 00D12DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D12DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00D2FC38,00000000), ref: 00D12DDB
GlobalFree.KERNEL32(00000000), ref: 00D12DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00D12E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00D12E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D12E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D1303F

Strings

AutoIt v3, xrefs: 00D12CF2
static, xrefs: 00D12D3A, 00D12E91
, xrefs: 00D12FC5
DISPLAY, xrefs: 00D12EA2

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 5fc295982583e12312b88427824ca00d0b37ec87ffa5f893a670a37c28ef8062
Instruction ID: 5cf4af8878d8c8eea189b43c5fac58ed468eb7a4e4a6cb235e73fd2300162e2a
Opcode Fuzzy Hash: 5fc295982583e12312b88427824ca00d0b37ec87ffa5f893a670a37c28ef8062
Instruction Fuzzy Hash: 82024675A10205AFDB24DFA4DD89EAE7BB9EF48311F048118F915EB2A1CB71AD41CB70

Function 00D270D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00D2712F
GetSysColorBrush.USER32(0000000F), ref: 00D27160
GetSysColor.USER32(0000000F), ref: 00D2716C
SetBkColor.GDI32(?,000000FF), ref: 00D27186
SelectObject.GDI32(?,?), ref: 00D27195
InflateRect.USER32(?,000000FF,000000FF), ref: 00D271C0
GetSysColor.USER32(00000010), ref: 00D271C8
CreateSolidBrush.GDI32(00000000), ref: 00D271CF
FrameRect.USER32(?,?,00000000), ref: 00D271DE
DeleteObject.GDI32(00000000), ref: 00D271E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00D27230
FillRect.USER32(?,?,?), ref: 00D27262
GetWindowLongW.USER32(?,000000F0), ref: 00D27284

Part of subcall function 00D273E8: GetSysColor.USER32(00000012), ref: 00D27421
Part of subcall function 00D273E8: SetTextColor.GDI32(?,?), ref: 00D27425
Part of subcall function 00D273E8: GetSysColorBrush.USER32(0000000F), ref: 00D2743B
Part of subcall function 00D273E8: GetSysColor.USER32(0000000F), ref: 00D27446
Part of subcall function 00D273E8: GetSysColor.USER32(00000011), ref: 00D27463
Part of subcall function 00D273E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00D27471
Part of subcall function 00D273E8: SelectObject.GDI32(?,00000000), ref: 00D27482
Part of subcall function 00D273E8: SetBkColor.GDI32(?,00000000), ref: 00D2748B
Part of subcall function 00D273E8: SelectObject.GDI32(?,?), ref: 00D27498
Part of subcall function 00D273E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00D274B7
Part of subcall function 00D273E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00D274CE
Part of subcall function 00D273E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00D274DB

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: e599dc559d3639bcb35cd0ffbeb21ef128e73a951cf3d8cafd848ebe87b6dad9
Instruction ID: 8e1db5effdff410fbe2c5b4e8fff9729cea0bb9144f77ca9acdb894364d2fe0d
Opcode Fuzzy Hash: e599dc559d3639bcb35cd0ffbeb21ef128e73a951cf3d8cafd848ebe87b6dad9
Instruction Fuzzy Hash: A9A1CF72018311EFD7219F60DC48A5F7BA9FF99324F141A18F9A2D62E0D770E905CBA2

Function 00CA8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00CA8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00CE6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00CE6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00CE6F43

Part of subcall function 00CA8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00CA8BE8,?,00000000,?,?,?,?,00CA8BBA,00000000,?), ref: 00CA8FC5

SendMessageW.USER32(?,00001053), ref: 00CE6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00CE6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00CE6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00CE6FB7

Strings

0, xrefs: 00CE6DCF

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 135389570c28b0ef575bf98840f0fe696c22e0220def6202f126bfa190234685
Instruction ID: ae8abb54db6f1d38c0ddca206dcc22a1f878bfaf76a9c90258cfcd9bda8a0fae
Opcode Fuzzy Hash: 135389570c28b0ef575bf98840f0fe696c22e0220def6202f126bfa190234685
Instruction Fuzzy Hash: D112BE38210282DFDB25CF25C844BA9B7E1FB65344F184469F4A5CB261CB32EE56DFA1

Function 00D12711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00D1273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00D1286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00D128A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00D128B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00D12900
GetClientRect.USER32(00000000,?), ref: 00D1290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00D12955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00D12964
GetStockObject.GDI32(00000011), ref: 00D12974
SelectObject.GDI32(00000000,00000000), ref: 00D12978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00D12988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D12991
DeleteDC.GDI32(00000000), ref: 00D1299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00D129C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00D129DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00D12A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00D12A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00D12A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00D12A77
GetStockObject.GDI32(00000011), ref: 00D12A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00D12A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00D12A97

Strings

AutoIt v3, xrefs: 00D128F8
static, xrefs: 00D1294F, 00D12A71
msctls_progress32, xrefs: 00D12A13
DISPLAY, xrefs: 00D1295A

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: b746882096ee4bfc0ab675cac88751f7936237ec95e83489d0ccad2061468ad4
Instruction ID: 747c7511f28ec733937e029b1f1a043891b646b26aea2e7d978d61bd990cf609
Opcode Fuzzy Hash: b746882096ee4bfc0ab675cac88751f7936237ec95e83489d0ccad2061468ad4
Instruction Fuzzy Hash: 6FB13C75A10215BFEB24DF68DC4AFAE7BA9EB08711F044214F915E72A0DB70ED41CBA4

Function 00D04ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D04AED
GetDriveTypeW.KERNEL32(?,00D2CB68,?,\\.\,00D2CC08), ref: 00D04BCA
SetErrorMode.KERNEL32(00000000,00D2CB68,?,\\.\,00D2CC08), ref: 00D04D36

Strings

MMC, xrefs: 00D04CDE
SAS, xrefs: 00D04CC9
PhysicalDrive, xrefs: 00D04B76
USB, xrefs: 00D04CB4
Virtual, xrefs: 00D04CE5
Unknown, xrefs: 00D04BED, 00D04C83
Fixed, xrefs: 00D04C09
ATAPI, xrefs: 00D04C91
Network, xrefs: 00D04C02
Removable, xrefs: 00D04C10, 00D04C15
CDROM, xrefs: 00D04BFB
Fibre, xrefs: 00D04CAD
iSCSI, xrefs: 00D04CC2
SSD, xrefs: 00D04C4A
1394, xrefs: 00D04C9F
ATA, xrefs: 00D04C98
\\.\, xrefs: 00D04B3F
FileBackedVirtual, xrefs: 00D04CEC
RAID, xrefs: 00D04CBB
SCSI, xrefs: 00D04C8A
RAMDisk, xrefs: 00D04BF4
SATA, xrefs: 00D04CD0
SSA, xrefs: 00D04CA6

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 964e307ce362a732f14b729110b5d3e4dadfc3c2dde351fa96f2a49e59ed5ae0
Instruction ID: 72c5e67dcd5fd47fa8ecb5421d29449d130e2e1bb45060bbda1f9e7657d9c9f3
Opcode Fuzzy Hash: 964e307ce362a732f14b729110b5d3e4dadfc3c2dde351fa96f2a49e59ed5ae0
Instruction Fuzzy Hash: 7161ADB0605206EFDF04DF24CA82E7877B0AF44301B684416FE4AAB2D1DA31ED49AB75

Function 00D273E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00D27421
SetTextColor.GDI32(?,?), ref: 00D27425
GetSysColorBrush.USER32(0000000F), ref: 00D2743B
GetSysColor.USER32(0000000F), ref: 00D27446
CreateSolidBrush.GDI32(?), ref: 00D2744B
GetSysColor.USER32(00000011), ref: 00D27463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00D27471
SelectObject.GDI32(?,00000000), ref: 00D27482
SetBkColor.GDI32(?,00000000), ref: 00D2748B
SelectObject.GDI32(?,?), ref: 00D27498
InflateRect.USER32(?,000000FF,000000FF), ref: 00D274B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00D274CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00D274DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00D2752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00D27554
InflateRect.USER32(?,000000FD,000000FD), ref: 00D27572
DrawFocusRect.USER32(?,?), ref: 00D2757D
GetSysColor.USER32(00000011), ref: 00D2758E
SetTextColor.GDI32(?,00000000), ref: 00D27596
DrawTextW.USER32(?,00D270F5,000000FF,?,00000000), ref: 00D275A8
SelectObject.GDI32(?,?), ref: 00D275BF
DeleteObject.GDI32(?), ref: 00D275CA
SelectObject.GDI32(?,?), ref: 00D275D0
DeleteObject.GDI32(?), ref: 00D275D5
SetTextColor.GDI32(?,?), ref: 00D275DB
SetBkColor.GDI32(?,?), ref: 00D275E5

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: fbc73102e53c22643baa36acf8d858c0e360ed4174eeba31f4ef3db9caea7512
Instruction ID: 5374572473d5147cb9945f8a977c1cefdfb5fc0103d39ee289bef0bef6baa5e0
Opcode Fuzzy Hash: fbc73102e53c22643baa36acf8d858c0e360ed4174eeba31f4ef3db9caea7512
Instruction Fuzzy Hash: 88616A72900228AFDF219FA4DC49EAEBFB9EF18320F145115F911EB2A1D7749D41DBA0

Function 00D20FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00D21128
GetDesktopWindow.USER32 ref: 00D2113D
GetWindowRect.USER32(00000000), ref: 00D21144
GetWindowLongW.USER32(?,000000F0), ref: 00D21199
DestroyWindow.USER32(?), ref: 00D211B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00D211ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D2120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00D2121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00D21232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00D21245
IsWindowVisible.USER32(00000000), ref: 00D212A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00D212BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00D212D0
GetWindowRect.USER32(00000000,?), ref: 00D212E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00D2130E
GetMonitorInfoW.USER32(00000000,?), ref: 00D21328
CopyRect.USER32(?,?), ref: 00D2133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00D213AA

Strings

0, xrefs: 00D210D3
(, xrefs: 00D2131B
tooltips_class32, xrefs: 00D211E6

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: b13dcded4d1294a359ce37a339ef0d1e214e5659df27693fb73210a0ab75e96f
Instruction ID: e23ecb2379817aeac9a569ba99da0e21c28d79894d550af4443b9a02d5b0ff40
Opcode Fuzzy Hash: b13dcded4d1294a359ce37a339ef0d1e214e5659df27693fb73210a0ab75e96f
Instruction Fuzzy Hash: F4B19C71608351AFDB10DF64D988B6EBBE5FFA8344F008918F9999B261C731EC45CBA1

Function 00CA8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00CA8968
GetSystemMetrics.USER32(00000007), ref: 00CA8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00CA899B
GetSystemMetrics.USER32(00000008), ref: 00CA89A3
GetSystemMetrics.USER32(00000004), ref: 00CA89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00CA89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00CA89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00CA8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00CA8A3C
GetClientRect.USER32(00000000,000000FF), ref: 00CA8A5A
GetStockObject.GDI32(00000011), ref: 00CA8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00CA8A81

Part of subcall function 00CA912D: GetCursorPos.USER32(?), ref: 00CA9141
Part of subcall function 00CA912D: ScreenToClient.USER32(00000000,?), ref: 00CA915E
Part of subcall function 00CA912D: GetAsyncKeyState.USER32(00000001), ref: 00CA9183
Part of subcall function 00CA912D: GetAsyncKeyState.USER32(00000002), ref: 00CA919D

SetTimer.USER32(00000000,00000000,00000028,00CA90FC), ref: 00CA8AA8

Strings

AutoIt v3 GUI, xrefs: 00CA8A20

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 23c163cd6d23db9851b8d8994ded579239a30ebd82cb192e87fb14df545230c9
Instruction ID: 55d15b983b862e645998dcd19d68c156cde3df2a5998a17be3e9bd6d492407f0
Opcode Fuzzy Hash: 23c163cd6d23db9851b8d8994ded579239a30ebd82cb192e87fb14df545230c9
Instruction Fuzzy Hash: 99B18D35A1020AAFDB24DFA9CC45BAE3BB5FB58314F144229FA15E7290DB74E941CF60

Function 00CF0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00CF1114
Part of subcall function 00CF10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00CF0B9B,?,?,?), ref: 00CF1120
Part of subcall function 00CF10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00CF0B9B,?,?,?), ref: 00CF112F
Part of subcall function 00CF10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00CF0B9B,?,?,?), ref: 00CF1136
Part of subcall function 00CF10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00CF114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00CF0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00CF0E29
GetLengthSid.ADVAPI32(?), ref: 00CF0E40
GetAce.ADVAPI32(?,00000000,?), ref: 00CF0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00CF0E96
GetLengthSid.ADVAPI32(?), ref: 00CF0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00CF0EB5
HeapAlloc.KERNEL32(00000000), ref: 00CF0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00CF0EDD
CopySid.ADVAPI32(00000000), ref: 00CF0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00CF0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00CF0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00CF0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CF0F6E
HeapFree.KERNEL32(00000000), ref: 00CF0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CF0F7E
HeapFree.KERNEL32(00000000), ref: 00CF0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CF0F8E
HeapFree.KERNEL32(00000000), ref: 00CF0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00CF0FA1
HeapFree.KERNEL32(00000000), ref: 00CF0FA8

Part of subcall function 00CF1193: GetProcessHeap.KERNEL32(00000008,00CF0BB1,?,00000000,?,00CF0BB1,?), ref: 00CF11A1
Part of subcall function 00CF1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00CF0BB1,?), ref: 00CF11A8
Part of subcall function 00CF1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00CF0BB1,?), ref: 00CF11B7

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: b269c0aa5ad9043610bf4ea43dfa7f9be77f944d392650c56a81e98f5cf2af57
Instruction ID: da82b51bb763f6ec773c79a5da1fca119dbbf4b9c5806842ea3113e466c644e5
Opcode Fuzzy Hash: b269c0aa5ad9043610bf4ea43dfa7f9be77f944d392650c56a81e98f5cf2af57
Instruction Fuzzy Hash: FF716D7190030AABDB60DFA4DC45FBEBBB8BF14700F144115FA29E6292D7309E06CB61

Function 00D1C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D1C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00D2CC08,00000000,?,00000000,?,?), ref: 00D1C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00D1C5A4
_wcslen.LIBCMT ref: 00D1C5F4
_wcslen.LIBCMT ref: 00D1C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00D1C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00D1C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00D1C84D
RegCloseKey.ADVAPI32(?), ref: 00D1C881
RegCloseKey.ADVAPI32(00000000), ref: 00D1C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00D1C960

Strings

REG_MULTI_SZ, xrefs: 00D1C6F5
REG_DWORD, xrefs: 00D1C804
REG_EXPAND_SZ, xrefs: 00D1C5CD
REG_QWORD, xrefs: 00D1C8C3
REG_SZ, xrefs: 00D1C644
REG_BINARY, xrefs: 00D1C913

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: e8ac48f4386d4a1129578df5bcbe1f6b2aeeeb5e6d5b5b7d0a5f6283976a732b
Instruction ID: 630fd4ee93c78383dcd4d102223b8329bc735a94fefa92f2d04e24b88414135a
Opcode Fuzzy Hash: e8ac48f4386d4a1129578df5bcbe1f6b2aeeeb5e6d5b5b7d0a5f6283976a732b
Instruction Fuzzy Hash: 86129B35218201AFDB14DF14D885A6AB7E5FF88314F09885CF88A9B3A2DB30FD41DB91

Function 00D2091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00D209C6
_wcslen.LIBCMT ref: 00D20A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00D20A54
_wcslen.LIBCMT ref: 00D20A8A
_wcslen.LIBCMT ref: 00D20B06
_wcslen.LIBCMT ref: 00D20B81

Part of subcall function 00CAF9F2: _wcslen.LIBCMT ref: 00CAF9FD

Part of subcall function 00CF2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CF2BFA

Strings

EXISTS, xrefs: 00D20B7C, 00D20B97
GETTEXT, xrefs: 00D20C97
ISCHECKED, xrefs: 00D20CE1
SELECT, xrefs: 00D20D11
GETSELECTED, xrefs: 00D20C4E
GETITEMCOUNT, xrefs: 00D20C1E
COLLAPSE, xrefs: 00D20B01, 00D20B1C
UNCHECK, xrefs: 00D20D3E
CHECK, xrefs: 00D20A85, 00D20AA0
EXPAND, xrefs: 00D20BF8
GETTOTALCOUNT, xrefs: 00D209F2, 00D20A17

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: c0e2b1245e938c58ba0d9b334c6c6107f655de71193e3164a13c9dd2fe5c0b4a
Instruction ID: 6a9938d798ea59632f6ca32504ad93f41de149e8d3c0a67421a1fe0a7c2ae181
Opcode Fuzzy Hash: c0e2b1245e938c58ba0d9b334c6c6107f655de71193e3164a13c9dd2fe5c0b4a
Instruction Fuzzy Hash: D3E1BE312083118FCB14DF24D45092ABBE1FFA8318F58895DF8969B7A2D730ED49DBA1

Function 00D1C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D1B6AE,?,?), ref: 00D1C9B5
_wcslen.LIBCMT ref: 00D1C9F1
_wcslen.LIBCMT ref: 00D1CA68
_wcslen.LIBCMT ref: 00D1CA9E
_wcslen.LIBCMT ref: 00D1CAF9
_wcslen.LIBCMT ref: 00D1CB2F
_wcslen.LIBCMT ref: 00D1CB7F

Strings

HKEY_USERS, xrefs: 00D1CBDF
HKEY_CURRENT_USER, xrefs: 00D1CBBD
HKCR, xrefs: 00D1CB29, 00D1CB2E
HKEY_LOCAL_MACHINE, xrefs: 00D1CA62, 00D1CA67
HKCC, xrefs: 00D1CBAC
HKEY_CLASSES_ROOT, xrefs: 00D1CAF3, 00D1CAF8
HKU, xrefs: 00D1CBF0
HKCU, xrefs: 00D1CBCE
HKEY_CURRENT_CONFIG, xrefs: 00D1CB79, 00D1CB7E
HKLM, xrefs: 00D1CA98, 00D1CA9D

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: facf3b40882e98a69024ef6c3e23c5750106ca15b6c324bd6ec9d01dda04d2af
Instruction ID: ba283afb210af7f39ff1219eddd20178f74756e2f3db983a331c74d213b3c667
Opcode Fuzzy Hash: facf3b40882e98a69024ef6c3e23c5750106ca15b6c324bd6ec9d01dda04d2af
Instruction Fuzzy Hash: 6F71E3326A412AABCF20DE78A9415FE3395AF61754B291128FC66D7284EE31CDC5D3B0

Function 00D2833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D2835A
_wcslen.LIBCMT ref: 00D2836E
_wcslen.LIBCMT ref: 00D28391
_wcslen.LIBCMT ref: 00D283B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00D283F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00D2361A,?), ref: 00D2844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00D28487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00D284CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00D28501
FreeLibrary.KERNEL32(?), ref: 00D2850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00D2851D
DestroyIcon.USER32(?), ref: 00D2852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00D28549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00D28555

Strings

.exe, xrefs: 00D28388
.dll, xrefs: 00D283AB
.icl, xrefs: 00D28368

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 0fc2ec653e1e6dfb9e38e8deef79f345fb7bb6dd76191f89d709acc24feb0208
Instruction ID: 3b89fe0aea84ede03b0b8db676714b4b715e54d79a555f250bab8f644c006525
Opcode Fuzzy Hash: 0fc2ec653e1e6dfb9e38e8deef79f345fb7bb6dd76191f89d709acc24feb0208
Instruction Fuzzy Hash: 9961DE71904225BAEB24DF64DC41BFE77A8BF28B11F104609F815D61D1DB74AA81E7B0

Function 00C97778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#include, xrefs: 00C97847
Unterminated group of comments, xrefs: 00CD528C
#notrayicon, xrefs: 00C977E7
#cs, xrefs: 00C97873, 00C978C5
#requireadmin, xrefs: 00C977FF
Cannot parse #include, xrefs: 00CD5279
Bad directive syntax error, xrefs: 00CD519A
#ce, xrefs: 00C978ED
#comments-end, xrefs: 00C978D9
#OnAutoItStartRegister, xrefs: 00C97817
", xrefs: 00CD5153
#comments-start, xrefs: 00C9785F, 00C978B1
', xrefs: 00CD5169
#pragma compile, xrefs: 00C977D3
#include-once, xrefs: 00C9782F

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 284d84c4bdb5ca4446ae70dd3760e7c7ce95b2fc08fc1c0b4199cb7e4ade21a9
Instruction ID: 82602f3851c0df715f506a1b3220c6e3070f8709a96eb514cc87e3f9c1d34d37
Opcode Fuzzy Hash: 284d84c4bdb5ca4446ae70dd3760e7c7ce95b2fc08fc1c0b4199cb7e4ade21a9
Instruction Fuzzy Hash: 02811171A15205BFDF21AFA0DC46FAE37A9AF15300F044025F914AA292EB70DA19E7A1

Function 00D03E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00D03EF8
_wcslen.LIBCMT ref: 00D03F03
_wcslen.LIBCMT ref: 00D03F5A
_wcslen.LIBCMT ref: 00D03F98
GetDriveTypeW.KERNEL32(?), ref: 00D03FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D0401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D04059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D04087

Strings

wait, xrefs: 00D04044
closed, xrefs: 00D03F08, 00D03F2D, 00D03F46, 00D03F7E, 00D03F97
open , xrefs: 00D03FE5
close cd wait, xrefs: 00D04072
set cd door , xrefs: 00D04028
open, xrefs: 00D03F54, 00D03F59
close, xrefs: 00D03EFE, 00D03F18
type cdaudio alias cd wait, xrefs: 00D04001

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 7bb978e9e7328b5d351cd36e494786f22aad1c63e360cdce2a6b42b5d7fa8443
Instruction ID: e7513e56ecc4e5117fed924acd5aa798dc32e0455b893dfe34fed2273a50033b
Opcode Fuzzy Hash: 7bb978e9e7328b5d351cd36e494786f22aad1c63e360cdce2a6b42b5d7fa8443
Instruction Fuzzy Hash: A071D4729043029FCB10DF24C88096EBBF4EF94754F44492DF99997291EB31DD49CBA1

Function 00CF5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00CF5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00CF5A40
SetWindowTextW.USER32(?,?), ref: 00CF5A57
GetDlgItem.USER32(?,000003EA), ref: 00CF5A6C
SetWindowTextW.USER32(00000000,?), ref: 00CF5A72
GetDlgItem.USER32(?,000003E9), ref: 00CF5A82
SetWindowTextW.USER32(00000000,?), ref: 00CF5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00CF5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00CF5AC3
GetWindowRect.USER32(?,?), ref: 00CF5ACC
_wcslen.LIBCMT ref: 00CF5B33
SetWindowTextW.USER32(?,?), ref: 00CF5B6F
GetDesktopWindow.USER32 ref: 00CF5B75
GetWindowRect.USER32(00000000), ref: 00CF5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00CF5BD3
GetClientRect.USER32(?,?), ref: 00CF5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00CF5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00CF5C2F

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: e60c1e2a01fe91e29fa43163f92df5cc13f62b9c7772d7848eaa34301ded772f
Instruction ID: a4e77af08a8ce6e07a705f46f9e25da1acfdfc170526bd4ae88f02c31fb1ba32
Opcode Fuzzy Hash: e60c1e2a01fe91e29fa43163f92df5cc13f62b9c7772d7848eaa34301ded772f
Instruction Fuzzy Hash: CA716D31900B09AFDB20DFA8CE85A7EBBF5FF48705F104518E752A26A0D775AE41CB60

Function 00D0FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00D0FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00D0FE32
LoadCursorW.USER32(00000000,00007F00), ref: 00D0FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00D0FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00D0FE53
LoadCursorW.USER32(00000000,00007F01), ref: 00D0FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00D0FE69
LoadCursorW.USER32(00000000,00007F88), ref: 00D0FE74
LoadCursorW.USER32(00000000,00007F80), ref: 00D0FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00D0FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00D0FE95
LoadCursorW.USER32(00000000,00007F85), ref: 00D0FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00D0FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00D0FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00D0FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00D0FECC
GetCursorInfo.USER32(?), ref: 00D0FEDC
GetLastError.KERNEL32 ref: 00D0FF1E

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 318e645caea80785f910122b11e98e2e8058d47fb0d0a07a89c79a7e1410114b
Instruction ID: fc9133a25e5e27d21f3bd29e7105c54b591c367f6b65818c27ba0a3467a8619d
Opcode Fuzzy Hash: 318e645caea80785f910122b11e98e2e8058d47fb0d0a07a89c79a7e1410114b
Instruction Fuzzy Hash: 05417770D043196ADB20DFBA8C8995EBFE8FF04354B54452AE11DE7281D7749901CEA0

Function 00CB00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00CB00C6

Part of subcall function 00CB00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00D6070C,00000FA0,B66F0112,?,?,?,?,00CD23B3,000000FF), ref: 00CB011C
Part of subcall function 00CB00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00CD23B3,000000FF), ref: 00CB0127
Part of subcall function 00CB00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00CD23B3,000000FF), ref: 00CB0138
Part of subcall function 00CB00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00CB014E
Part of subcall function 00CB00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00CB015C
Part of subcall function 00CB00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00CB016A
Part of subcall function 00CB00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00CB0195
Part of subcall function 00CB00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00CB01A0

___scrt_fastfail.LIBCMT ref: 00CB00E7

Part of subcall function 00CB00A3: __onexit.LIBCMT ref: 00CB00A9

Strings

InitializeConditionVariable, xrefs: 00CB0148
SleepConditionVariableCS, xrefs: 00CB0154
WakeAllConditionVariable, xrefs: 00CB0162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00CB0122
kernel32.dll, xrefs: 00CB0133

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: cf930df18c6a96a0c0b1a12d360a149cf792fa2913daf8962ff69af25b117fdd
Instruction ID: ec7a77c46a917fe92e37b55ff05ff336c06488cdaacabea87562f8a44eb0f55c
Opcode Fuzzy Hash: cf930df18c6a96a0c0b1a12d360a149cf792fa2913daf8962ff69af25b117fdd
Instruction Fuzzy Hash: B7210B32A447116FD725ABA8BC06BAF77A4EB15B55F200539F811E3391DBB09C008AB0

Function 00CF30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CF318D
_wcslen.LIBCMT ref: 00CF31F8

Strings

INSTANCE, xrefs: 00CF3453
NAME, xrefs: 00CF3335, 00CF3346
TEXT, xrefs: 00CF347C
REGEXPCLASS, xrefs: 00CF3255, 00CF3266
CLASSNN, xrefs: 00CF31F3, 00CF3204
CLASS, xrefs: 00CF3188, 00CF31A5

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: d95c86eda169be6d8c2e210b9ad6cda528c988069882bea22280de623e97cfc1
Instruction ID: 78e0d88859d03715e245d22b35b0a1c87019a168a496db15d024af8dfaaac4a7
Opcode Fuzzy Hash: d95c86eda169be6d8c2e210b9ad6cda528c988069882bea22280de623e97cfc1
Instruction Fuzzy Hash: CAE12731A0055ABBCF59DFB4C8517FEBBB0BF44710F148119EA66A7240DB30AF8997A1

Function 00D044C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00D2CC08), ref: 00D04527
_wcslen.LIBCMT ref: 00D0453B
_wcslen.LIBCMT ref: 00D04599
_wcslen.LIBCMT ref: 00D045F4
_wcslen.LIBCMT ref: 00D0463F
_wcslen.LIBCMT ref: 00D046A7

Part of subcall function 00CAF9F2: _wcslen.LIBCMT ref: 00CAF9FD

GetDriveTypeW.KERNEL32(?,00D56BF0,00000061), ref: 00D04743

Strings

removable, xrefs: 00D045EA, 00D045EF
network, xrefs: 00D0469D, 00D046A2
cdrom, xrefs: 00D0458F, 00D04594
unknown, xrefs: 00D04708
fixed, xrefs: 00D04635, 00D0463A
ramdisk, xrefs: 00D046F1
all, xrefs: 00D04531, 00D04536

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 313523cf529f8a995333aefbe64eba92e1855cbc31ce6a32eb8e9639bb55c6b4
Instruction ID: 8f9152a098268343dc3d0902cf60e93fc4699d3ceab1f61cd2c34b0161ba13ac
Opcode Fuzzy Hash: 313523cf529f8a995333aefbe64eba92e1855cbc31ce6a32eb8e9639bb55c6b4
Instruction Fuzzy Hash: E1B1E1B16083029FC710DF28C894E6EB7E5AFA5710F94491DF69AC72D1E730D844CAA2

Function 00D13FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00D2CC08), ref: 00D140BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00D140CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00D2CC08), ref: 00D140F2
FreeLibrary.KERNEL32(00000000,?,00D2CC08), ref: 00D1413E
StringFromGUID2.OLE32(?,?,00000028,?,00D2CC08), ref: 00D141A8
SysFreeString.OLEAUT32(00000009), ref: 00D14262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00D142C8
SysFreeString.OLEAUT32(?), ref: 00D142F2

Strings

GetModuleHandleExW, xrefs: 00D140C7
kernel32.dll, xrefs: 00D140B6

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: eb1982cb8ccb60a7c6e3516839ba02b9a3399e84905603104f9f6c20de377298
Instruction ID: 5593d1fb3dcb566bd0bfcd92b6594fc26c04e75911b02e7d66f52f945afbd169
Opcode Fuzzy Hash: eb1982cb8ccb60a7c6e3516839ba02b9a3399e84905603104f9f6c20de377298
Instruction Fuzzy Hash: 29123A75A00215EFDB14CF94D884EAEB7B5FF49314F288098F905AB251DB71ED86CBA0

Function 00C9326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00D61990), ref: 00CD2F8D
GetMenuItemCount.USER32(00D61990), ref: 00CD303D
GetCursorPos.USER32(?), ref: 00CD3081
SetForegroundWindow.USER32(00000000), ref: 00CD308A
TrackPopupMenuEx.USER32(00D61990,00000000,?,00000000,00000000,00000000), ref: 00CD309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00CD30A9

Strings

0, xrefs: 00C9327D

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: bc0c5b80c036588c1faf71e0b3dc31e0ca6ffa43021af2d51e48d0a1e103f3b7
Instruction ID: 0c589b2acc1ab8341513cb31162732d87123365e71b93d5d31d169df17951797
Opcode Fuzzy Hash: bc0c5b80c036588c1faf71e0b3dc31e0ca6ffa43021af2d51e48d0a1e103f3b7
Instruction Fuzzy Hash: 77712931644255BEEB218F65CC49FAABF74FF15324F200207F624AA2E1C7B1AE10D791

Function 00D26CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00D26DEB

Part of subcall function 00C96B57: _wcslen.LIBCMT ref: 00C96B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00D26E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00D26E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D26E94
DestroyWindow.USER32(?), ref: 00D26EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00C90000,00000000), ref: 00D26EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D26EFD
GetDesktopWindow.USER32 ref: 00D26F16
GetWindowRect.USER32(00000000), ref: 00D26F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00D26F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00D26F4D

Part of subcall function 00CA9944: GetWindowLongW.USER32(?,000000EB), ref: 00CA9952

Strings

0, xrefs: 00D26D98
tooltips_class32, xrefs: 00D26E58, 00D26EDD

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 76f46242f48a5e5d54470a63d13b9604b81edf6392f1fb39b1ed613abfc561ab
Instruction ID: 8fdbfcadeced4f78dbf183d0c58c633631dbc457b6efab3218d360a39ff23c6d
Opcode Fuzzy Hash: 76f46242f48a5e5d54470a63d13b9604b81edf6392f1fb39b1ed613abfc561ab
Instruction Fuzzy Hash: 50712774104345AFDB21CF18E844AAABBE9EFA9308F18441EF99997261D770E906DF21

Function 00D2911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CA9BB2

DragQueryPoint.SHELL32(?,?), ref: 00D29147

Part of subcall function 00D27674: ClientToScreen.USER32(?,?), ref: 00D2769A
Part of subcall function 00D27674: GetWindowRect.USER32(?,?), ref: 00D27710
Part of subcall function 00D27674: PtInRect.USER32(?,?,00D28B89), ref: 00D27720

SendMessageW.USER32(?,000000B0,?,?), ref: 00D291B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00D291BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00D291DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00D29225
SendMessageW.USER32(?,000000B0,?,?), ref: 00D2923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00D29255
SendMessageW.USER32(?,000000B1,?,?), ref: 00D29277
DragFinish.SHELL32(?), ref: 00D2927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00D29371

Strings

@GUI_DRAGID, xrefs: 00D292E9
@GUI_DRAGFILE, xrefs: 00D29320
@GUI_DROPID, xrefs: 00D2929E

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 750d0434776de90a70b4fa06f0353246ac3b94a1367a707f215000d7d7eaf211
Instruction ID: f3afee71a43efdaf6e51919ae06c7735049f989edafd4ac437e8b9d7027e9da8
Opcode Fuzzy Hash: 750d0434776de90a70b4fa06f0353246ac3b94a1367a707f215000d7d7eaf211
Instruction Fuzzy Hash: 85619D71108301AFC711EF64DC89DAFBBE8EF99350F40091EF595932A0DB309A49CBA2

Function 00D0C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00D0C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00D0C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00D0C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00D0C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00D0C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00D0C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D0C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00D0C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00D0C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00D0C5F0
InternetCloseHandle.WININET(00000000), ref: 00D0C5FB

Strings

, xrefs: 00D0C575

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 82e718ec31cfdb625fd650adb2096e691c859b05b19b6dbcd50bece0a4d27545
Instruction ID: 86c63b32e0d44662a2c5d1dd3394e4856a78ba492d30ecae5d5910d70145be09
Opcode Fuzzy Hash: 82e718ec31cfdb625fd650adb2096e691c859b05b19b6dbcd50bece0a4d27545
Instruction Fuzzy Hash: FD5159B4510708AFDB218F60CD88BAB7BBCFF18354F045619F949D6290EB30E9059BB0

Function 00D2856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00D28592
GetFileSize.KERNEL32(00000000,00000000), ref: 00D285A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00D285AD
CloseHandle.KERNEL32(00000000), ref: 00D285BA
GlobalLock.KERNEL32(00000000), ref: 00D285C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00D285D7
GlobalUnlock.KERNEL32(00000000), ref: 00D285E0
CloseHandle.KERNEL32(00000000), ref: 00D285E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00D285F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,00D2FC38,?), ref: 00D28611
GlobalFree.KERNEL32(00000000), ref: 00D28621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00D28641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00D28671
DeleteObject.GDI32(00000000), ref: 00D28699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00D286AF

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 47dcde02d9f6523fcc6a7f0d1d736d9924ced106ebab549265c33ad0874d0a06
Instruction ID: 29738cb3acdb012feef9194e73433b11c217553eab14af80d44376aee036319c
Opcode Fuzzy Hash: 47dcde02d9f6523fcc6a7f0d1d736d9924ced106ebab549265c33ad0874d0a06
Instruction Fuzzy Hash: 74413971601314AFDB219FA5DC48EAE7BB8EFA9715F144058F915E7260DB30AD02DB70

Function 00D014BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00D01502
VariantCopy.OLEAUT32(?,?), ref: 00D0150B
VariantClear.OLEAUT32(?), ref: 00D01517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00D015FB
VarR8FromDec.OLEAUT32(?,?), ref: 00D01657
VariantInit.OLEAUT32(?), ref: 00D01708
SysFreeString.OLEAUT32(?), ref: 00D0178C
VariantClear.OLEAUT32(?), ref: 00D017D8
VariantClear.OLEAUT32(?), ref: 00D017E7
VariantInit.OLEAUT32(00000000), ref: 00D01823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00D01625
Default, xrefs: 00D016AF

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 5cf95dcdef96eb941cf30981d5daf319631846552821dd748a06280e9cf7cdbe
Instruction ID: 8c685c3c63e506903c7d39a739245838cb67532c4e10b083b1be616a802941c6
Opcode Fuzzy Hash: 5cf95dcdef96eb941cf30981d5daf319631846552821dd748a06280e9cf7cdbe
Instruction Fuzzy Hash: EAD1CD35A00615EBDB10EFA5E889B6DB7B5BF45700F14845AE44AAF2C0DB30EC45EBB1

Function 00D1B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00C99CB3: _wcslen.LIBCMT ref: 00C99CBD

Part of subcall function 00D1C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D1B6AE,?,?), ref: 00D1C9B5
Part of subcall function 00D1C998: _wcslen.LIBCMT ref: 00D1C9F1
Part of subcall function 00D1C998: _wcslen.LIBCMT ref: 00D1CA68
Part of subcall function 00D1C998: _wcslen.LIBCMT ref: 00D1CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D1B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D1B772
RegDeleteValueW.ADVAPI32(?,?), ref: 00D1B80A
RegCloseKey.ADVAPI32(?), ref: 00D1B87E
RegCloseKey.ADVAPI32(?), ref: 00D1B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00D1B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00D1B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00D1B922
FreeLibrary.KERNEL32(00000000), ref: 00D1B983
RegCloseKey.ADVAPI32(00000000), ref: 00D1B994

Strings

advapi32.dll, xrefs: 00D1B8ED
RegDeleteKeyExW, xrefs: 00D1B8FE

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 524b05f66742d66bfa4775f905b766a55e081f98e2fbb814bdab6cd359291815
Instruction ID: d2d5c7cd5d5c669e15bc051f8c5dd713df2b58391c945294ed0c67db32be8a8a
Opcode Fuzzy Hash: 524b05f66742d66bfa4775f905b766a55e081f98e2fbb814bdab6cd359291815
Instruction Fuzzy Hash: 3FC17F31208201AFD710DF14D495F6ABBE5FF84318F18859DF4998B2A2CB71ED86DBA1

Function 00D1255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00D125D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00D125E8
CreateCompatibleDC.GDI32(?), ref: 00D125F4
SelectObject.GDI32(00000000,?), ref: 00D12601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00D1266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00D126AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00D126D0
SelectObject.GDI32(?,?), ref: 00D126D8
DeleteObject.GDI32(?), ref: 00D126E1
DeleteDC.GDI32(?), ref: 00D126E8
ReleaseDC.USER32(00000000,?), ref: 00D126F3

Strings

(, xrefs: 00D1268D

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 4cf420321a1d7ef59c10e6ba567bad764521bb68b41b527801a151e2dd646027
Instruction ID: 5e75bad497785db89a021560221ff24c05408f2a7098fda65469e7c1e4ec2fea
Opcode Fuzzy Hash: 4cf420321a1d7ef59c10e6ba567bad764521bb68b41b527801a151e2dd646027
Instruction Fuzzy Hash: A661FFB5D00219EFCB15CFA8D885AAEBBB6FF48310F208529E955A7250D731AD51CFA0

Function 00CCDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00CCDAA1

Part of subcall function 00CCD63C: _free.LIBCMT ref: 00CCD659
Part of subcall function 00CCD63C: _free.LIBCMT ref: 00CCD66B
Part of subcall function 00CCD63C: _free.LIBCMT ref: 00CCD67D
Part of subcall function 00CCD63C: _free.LIBCMT ref: 00CCD68F
Part of subcall function 00CCD63C: _free.LIBCMT ref: 00CCD6A1
Part of subcall function 00CCD63C: _free.LIBCMT ref: 00CCD6B3
Part of subcall function 00CCD63C: _free.LIBCMT ref: 00CCD6C5
Part of subcall function 00CCD63C: _free.LIBCMT ref: 00CCD6D7
Part of subcall function 00CCD63C: _free.LIBCMT ref: 00CCD6E9
Part of subcall function 00CCD63C: _free.LIBCMT ref: 00CCD6FB
Part of subcall function 00CCD63C: _free.LIBCMT ref: 00CCD70D
Part of subcall function 00CCD63C: _free.LIBCMT ref: 00CCD71F
Part of subcall function 00CCD63C: _free.LIBCMT ref: 00CCD731

_free.LIBCMT ref: 00CCDA96

Part of subcall function 00CC29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CCD7D1,00000000,00000000,00000000,00000000,?,00CCD7F8,00000000,00000007,00000000,?,00CCDBF5,00000000), ref: 00CC29DE
Part of subcall function 00CC29C8: GetLastError.KERNEL32(00000000,?,00CCD7D1,00000000,00000000,00000000,00000000,?,00CCD7F8,00000000,00000007,00000000,?,00CCDBF5,00000000,00000000), ref: 00CC29F0

_free.LIBCMT ref: 00CCDAB8
_free.LIBCMT ref: 00CCDACD
_free.LIBCMT ref: 00CCDAD8
_free.LIBCMT ref: 00CCDAFA
_free.LIBCMT ref: 00CCDB0D
_free.LIBCMT ref: 00CCDB1B
_free.LIBCMT ref: 00CCDB26
_free.LIBCMT ref: 00CCDB5E
_free.LIBCMT ref: 00CCDB65
_free.LIBCMT ref: 00CCDB82
_free.LIBCMT ref: 00CCDB9A

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 71aec88fb6f296c31b0f90193434af194b57adaac1756a4aea07d7aaba027cc9
Instruction ID: 2a6eebe2c05aa15483f6d3fd12b07f797bb138910b88f3e8fca625ed2171858c
Opcode Fuzzy Hash: 71aec88fb6f296c31b0f90193434af194b57adaac1756a4aea07d7aaba027cc9
Instruction Fuzzy Hash: B6311731A047059FEB21AA39E845F5AB7E9FF00311F15446DF46AD7191DA31EE80EB20

Function 00CF365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00CF369C
_wcslen.LIBCMT ref: 00CF36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00CF3797
GetClassNameW.USER32(?,?,00000400), ref: 00CF380C
GetDlgCtrlID.USER32(?), ref: 00CF385D
GetWindowRect.USER32(?,?), ref: 00CF3882
GetParent.USER32(?), ref: 00CF38A0
ScreenToClient.USER32(00000000), ref: 00CF38A7
GetClassNameW.USER32(?,?,00000100), ref: 00CF3921
GetWindowTextW.USER32(?,?,00000400), ref: 00CF395D

Strings

%s%u, xrefs: 00CF3734

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 670a1c44c35f64d8e52b3f0f145af63422dc16a3c3bc98a98c0e305d5fccbf0d
Instruction ID: 9cc0241b08e05b0b6dc63ce171281b64a3db2ddf4e93f21dc18ea376b144633c
Opcode Fuzzy Hash: 670a1c44c35f64d8e52b3f0f145af63422dc16a3c3bc98a98c0e305d5fccbf0d
Instruction Fuzzy Hash: 1291A27120464ABFD759DF24C885BFAB7A8FF44350F004519FAA9C2190DB70EB45CBA2

Function 00CF4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00CF4994
GetWindowTextW.USER32(?,?,00000400), ref: 00CF49DA
_wcslen.LIBCMT ref: 00CF49EB
CharUpperBuffW.USER32(?,00000000), ref: 00CF49F7
_wcsstr.LIBVCRUNTIME ref: 00CF4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00CF4A64
GetWindowTextW.USER32(?,?,00000400), ref: 00CF4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00CF4AE6
GetClassNameW.USER32(?,?,00000400), ref: 00CF4B20
GetWindowRect.USER32(?,?), ref: 00CF4B8B

Strings

ThumbnailClass, xrefs: 00CF4A6F, 00CF4AF1

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 6aee54fac0884efaae84824f9e241a35e26169e3cbafd818a593dc14aab899e8
Instruction ID: 060e0559611ca29ed931edd1efbf5048d95a6e0924d511abb16f5436dd54ab94
Opcode Fuzzy Hash: 6aee54fac0884efaae84824f9e241a35e26169e3cbafd818a593dc14aab899e8
Instruction Fuzzy Hash: 9B91AE311042099FDB58CF14C985BBB77E8FF44314F04946AFE959A196DB30EE45CBA2

Function 00CFBF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00D61990,000000FF,00000000,00000030), ref: 00CFBFAC
SetMenuItemInfoW.USER32(00D61990,00000004,00000000,00000030), ref: 00CFBFE1
Sleep.KERNEL32(000001F4), ref: 00CFBFF3
GetMenuItemCount.USER32(?), ref: 00CFC039
GetMenuItemID.USER32(?,00000000), ref: 00CFC056
GetMenuItemID.USER32(?,-00000001), ref: 00CFC082
GetMenuItemID.USER32(?,?), ref: 00CFC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00CFC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CFC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CFC145

Strings

0, xrefs: 00CFBF3D

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: be5be4b110c5014b9d2621faf1a542c3226f3e4bb3f42579f8ebc85be1854fc0
Instruction ID: 5a406cf828b4c7bfe6f9bb6b10f74910c398c9c94795b092404b1b53438d1d6b
Opcode Fuzzy Hash: be5be4b110c5014b9d2621faf1a542c3226f3e4bb3f42579f8ebc85be1854fc0
Instruction Fuzzy Hash: ED618170A0034EAFDF61CF64CE88ABE7BB8EB05344F144115EA11E3291DB35AE15DB62

Function 00D1CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00D1CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00D1CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00D1CD48

Part of subcall function 00D1CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00D1CCAA
Part of subcall function 00D1CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00D1CCBD
Part of subcall function 00D1CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00D1CCCF
Part of subcall function 00D1CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00D1CD05
Part of subcall function 00D1CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00D1CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00D1CCF3

Strings

advapi32.dll, xrefs: 00D1CCB8
RegDeleteKeyExW, xrefs: 00D1CCC9

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 76b6948d2df359535ffbf8dfea87e53fefc36f244bfec3d43b45f874758340d4
Instruction ID: a957ee6707b7254e9254a3e563eb148b915f8f0aebfcb80d46d74b34a48c4daa
Opcode Fuzzy Hash: 76b6948d2df359535ffbf8dfea87e53fefc36f244bfec3d43b45f874758340d4
Instruction Fuzzy Hash: 11318E71951229BBDB318B50EC88EFFBB7CEF55740F041165A905E2241DA709E86DAF0

Function 00D03D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00D03D40
_wcslen.LIBCMT ref: 00D03D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00D03D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00D03DBE
RemoveDirectoryW.KERNEL32(?), ref: 00D03DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00D03E55
CloseHandle.KERNEL32(00000000), ref: 00D03E60
CloseHandle.KERNEL32(00000000), ref: 00D03E6B

Strings

:, xrefs: 00D03D82
\, xrefs: 00D03D77
\??\%s, xrefs: 00D03D5B

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 9da806189165f7a9668b9aa6fbd231998811bb15abd14ca07eafc64528637917
Instruction ID: 658ec27e82beca8157d85940ad529c4641217b0be57d5f86442ab3b5081b1849
Opcode Fuzzy Hash: 9da806189165f7a9668b9aa6fbd231998811bb15abd14ca07eafc64528637917
Instruction Fuzzy Hash: A231817191020AABDB21DBA0DC49FEF37BCEF89740F1441A6F509D61A0EB749B458B34

Function 00CFE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00CFE6B4

Part of subcall function 00CAE551: timeGetTime.WINMM(?,?,00CFE6D4), ref: 00CAE555

Sleep.KERNEL32(0000000A), ref: 00CFE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00CFE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00CFE727
SetActiveWindow.USER32 ref: 00CFE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00CFE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00CFE773
Sleep.KERNEL32(000000FA), ref: 00CFE77E
IsWindow.USER32 ref: 00CFE78A
EndDialog.USER32(00000000), ref: 00CFE79B

Strings

BUTTON, xrefs: 00CFE719

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 5cc050e7215fb529c1be8dabfa54ee4a1388d854ae979782906f720aab578d28
Instruction ID: 55d899aabe89b30125c2213e30af223aa6f19d5e1b8c3db26b929481e198e1ed
Opcode Fuzzy Hash: 5cc050e7215fb529c1be8dabfa54ee4a1388d854ae979782906f720aab578d28
Instruction Fuzzy Hash: 9621A47021074CAFEB106FA5EC8EB393B69F764749B101425F612C23B1DBB19C119B36

Function 00CFE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00C99CB3: _wcslen.LIBCMT ref: 00C99CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00CFEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00CFEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CFEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00CFEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00CFEAA7

Strings

close PlayMe, xrefs: 00CFEA6E, 00CFEA9B
play PlayMe wait, xrefs: 00CFEA91
open , xrefs: 00CFEA0C
alias PlayMe, xrefs: 00CFEA36
play PlayMe, xrefs: 00CFEAA2
status PlayMe mode, xrefs: 00CFEA58

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 5fd0ffbf7e820b222747d83f0ec071b216e023d3d3ce24690820f66ad7aa7a7c
Instruction ID: f96464db6826e2d6216ce1352c331f6c66ad379e28de1d3eaee935601e183702
Opcode Fuzzy Hash: 5fd0ffbf7e820b222747d83f0ec071b216e023d3d3ce24690820f66ad7aa7a7c
Instruction Fuzzy Hash: 6B119131A902697DDB24A7A2DC4ADFF6A7CEBD1F01F400429BD11A30E0EA704E09D9B1

Function 00CF9F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00CFA012
SetKeyboardState.USER32(?), ref: 00CFA07D
GetAsyncKeyState.USER32(000000A0), ref: 00CFA09D
GetKeyState.USER32(000000A0), ref: 00CFA0B4
GetAsyncKeyState.USER32(000000A1), ref: 00CFA0E3
GetKeyState.USER32(000000A1), ref: 00CFA0F4
GetAsyncKeyState.USER32(00000011), ref: 00CFA120
GetKeyState.USER32(00000011), ref: 00CFA12E
GetAsyncKeyState.USER32(00000012), ref: 00CFA157
GetKeyState.USER32(00000012), ref: 00CFA165
GetAsyncKeyState.USER32(0000005B), ref: 00CFA18E
GetKeyState.USER32(0000005B), ref: 00CFA19C

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 01866ad019c95da9c4c0fe0cee71f51e3dbcf1f81380ddd88966160742ade3b5
Instruction ID: c5f8849e5d4f37d8edd05215099241a6e6c20f94661c6b2a0e54ee890c6e7c4e
Opcode Fuzzy Hash: 01866ad019c95da9c4c0fe0cee71f51e3dbcf1f81380ddd88966160742ade3b5
Instruction Fuzzy Hash: 8651D67090478C6AFB75EBA088147FEEFB49F12380F088599D6D6571C2DA64AB4CC763

Function 00CF5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00CF5CE2
GetWindowRect.USER32(00000000,?), ref: 00CF5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00CF5D59
GetDlgItem.USER32(?,00000002), ref: 00CF5D69
GetWindowRect.USER32(00000000,?), ref: 00CF5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00CF5DCF
GetDlgItem.USER32(?,000003E9), ref: 00CF5DDD
GetWindowRect.USER32(00000000,?), ref: 00CF5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00CF5E31
GetDlgItem.USER32(?,000003EA), ref: 00CF5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00CF5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00CF5E67

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: e4cd65ff3bd2ff105e3d7c2cbb9060ce4dd78530f9e81b3c149222d402a229ce
Instruction ID: c1974a9d47dd112a83672621244ea96906ebd03d1999d4f2cb3da0e9a0236e63
Opcode Fuzzy Hash: e4cd65ff3bd2ff105e3d7c2cbb9060ce4dd78530f9e81b3c149222d402a229ce
Instruction Fuzzy Hash: 00512E70A10709AFDB18CF68CD89AAEBBB5FB58301F108129F615E7290D7709E05CB61

Function 00CA8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00CA8BE8,?,00000000,?,?,?,?,00CA8BBA,00000000,?), ref: 00CA8FC5

DestroyWindow.USER32(?), ref: 00CA8C81
KillTimer.USER32(00000000,?,?,?,?,00CA8BBA,00000000,?), ref: 00CA8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00CE6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00CA8BBA,00000000,?), ref: 00CE69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00CA8BBA,00000000,?), ref: 00CE69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00CA8BBA,00000000), ref: 00CE69D4
DeleteObject.GDI32(00000000), ref: 00CE69E6

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: fe431e94d70c5a3db46a08dd307da55bb61a7ac94eb14d3521461090a5073117
Instruction ID: e9e762835c63f0bd11048a19984acccabf8d74424728f121a62212506b11cc0e
Opcode Fuzzy Hash: fe431e94d70c5a3db46a08dd307da55bb61a7ac94eb14d3521461090a5073117
Instruction Fuzzy Hash: 1561BB34412742DFCB359F15CA48B297BB1FB6132AF144529E062976A0CB71AE89DFB0

Function 00CA9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00CA9944: GetWindowLongW.USER32(?,000000EB), ref: 00CA9952

GetSysColor.USER32(0000000F), ref: 00CA9862

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: db9c3a68adb1d95af409449fb6ce9e8e3275153923848375e4b0ae791b0a2748
Instruction ID: e43096a5999a39dd213acccf60c62af641bdcf0ad346230befa33551ac70ff7d
Opcode Fuzzy Hash: db9c3a68adb1d95af409449fb6ce9e8e3275153923848375e4b0ae791b0a2748
Instruction Fuzzy Hash: 3D419B31104741AFDB319F399C8ABBA3BA5EB57324F144605E9B28B2E1C6399D42DB20

Function 00CF96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00CDF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00CF9717
LoadStringW.USER32(00000000,?,00CDF7F8,00000001), ref: 00CF9720

Part of subcall function 00C99CB3: _wcslen.LIBCMT ref: 00C99CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00CDF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00CF9742
LoadStringW.USER32(00000000,?,00CDF7F8,00000001), ref: 00CF9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00CF9866

Strings

Line %d:, xrefs: 00CF97A0
Error: , xrefs: 00CF981D
Line %d (File "%s"):, xrefs: 00CF978F
^ ERROR, xrefs: 00CF97FB
%s (%d) : ==> %s: %s %s, xrefs: 00CF984A

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: aa9b340ec5c324ba1ea4dc0e7f9c706bfaf418a291962b3dcc88667d3b1cce29
Instruction ID: 3ecb945f96a458dffd2f6c463f5804fd61e85ee4636355258497694034040eee
Opcode Fuzzy Hash: aa9b340ec5c324ba1ea4dc0e7f9c706bfaf418a291962b3dcc88667d3b1cce29
Instruction Fuzzy Hash: 83413E72800209AACF14EBE0DD46EFE7378EF55340F500069F605721A1EB755F49EA71

Function 00CF06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00C96B57: _wcslen.LIBCMT ref: 00C96B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00CF07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00CF07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00CF07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00CF0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00CF082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00CF0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00CF083C

Strings

\CLSID, xrefs: 00CF0724
\IPC$, xrefs: 00CF0784
SOFTWARE\Classes\, xrefs: 00CF070E

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 0019d85537f71802ed0877b01802a617424dc2563233ec7332b344e885cc44c6
Instruction ID: 77589c3f3ae9f8d1a35fd16fe10cb6169ba4c146ea8df3be879eac29ed961029
Opcode Fuzzy Hash: 0019d85537f71802ed0877b01802a617424dc2563233ec7332b344e885cc44c6
Instruction Fuzzy Hash: 20410572C10229ABCF21EBA4DC998EDB778FF54750F144169E911A31A1EB309E09DFA0

Function 00D23F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00D2403B
CreateCompatibleDC.GDI32(00000000), ref: 00D24042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00D24055
SelectObject.GDI32(00000000,00000000), ref: 00D2405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00D24068
DeleteDC.GDI32(00000000), ref: 00D24072
GetWindowLongW.USER32(?,000000EC), ref: 00D2407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00D24092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00D2409E

Strings

static, xrefs: 00D23FD3

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 7bbb6b76bc05d02b3be5b4d908819c6ed553b8e3cf4c710867a47c19a6f47678
Instruction ID: 8d8edd64049f1c43608cdf90868d36b01cccaee2274745c56e2c258239dfaa29
Opcode Fuzzy Hash: 7bbb6b76bc05d02b3be5b4d908819c6ed553b8e3cf4c710867a47c19a6f47678
Instruction Fuzzy Hash: CF315A32111225ABDF229FA4EC09FDE3B68EF29724F141210FA14E61A0C775DC61DBB4

Function 00D13C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D13C5C
CoInitialize.OLE32(00000000), ref: 00D13C8A
CoUninitialize.OLE32 ref: 00D13C94
_wcslen.LIBCMT ref: 00D13D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00D13DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00D13ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00D13F0E
CoGetObject.OLE32(?,00000000,00D2FB98,?), ref: 00D13F2D
SetErrorMode.KERNEL32(00000000), ref: 00D13F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00D13FC4
VariantClear.OLEAUT32(?), ref: 00D13FD8

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 897dfbadf0e73f534ed5b740fdef08ec1077970a988110475b0f0166837ef207
Instruction ID: 3e4c6b66a434501f75af3a4792830a2b5c276ff211f60afee75c01838db01808
Opcode Fuzzy Hash: 897dfbadf0e73f534ed5b740fdef08ec1077970a988110475b0f0166837ef207
Instruction Fuzzy Hash: D1C15671608301AFD700DF28D88496BB7E9FF88744F14491DF98A9B210DB30EE46CB62

Function 00D07A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00D07AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00D07B8F
SHGetDesktopFolder.SHELL32(?), ref: 00D07BA3
CoCreateInstance.OLE32(00D2FD08,00000000,00000001,00D56E6C,?), ref: 00D07BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00D07C74
CoTaskMemFree.OLE32(?,?), ref: 00D07CCC
SHBrowseForFolderW.SHELL32(?), ref: 00D07D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00D07D7A
CoTaskMemFree.OLE32(00000000), ref: 00D07D81
CoTaskMemFree.OLE32(00000000), ref: 00D07DD6
CoUninitialize.OLE32 ref: 00D07DDC

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 5c264494e5a0129ef94658174a83a7459f66d7afd52968b6dc84433e785bfa75
Instruction ID: e92b5ede7ff7d01fbdde308a366950211c9be9df726ef6b43e0d5bb5dae2b1a4
Opcode Fuzzy Hash: 5c264494e5a0129ef94658174a83a7459f66d7afd52968b6dc84433e785bfa75
Instruction Fuzzy Hash: 59C1FB75A04209AFDB14DF64C888EAEBBF5FF48304B148599E519DB361D730EE45CBA0

Function 00D2541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00D25504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D25515
CharNextW.USER32(00000158), ref: 00D25544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00D25585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00D2559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D255AC

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: a182880c45f3da914ba59a8732b4a7b7092f618d22fe605111c7422451ea142d
Instruction ID: a83d558a876d5810883d4642c72662347817e8259c2f4597e443af3b630d97c6
Opcode Fuzzy Hash: a182880c45f3da914ba59a8732b4a7b7092f618d22fe605111c7422451ea142d
Instruction Fuzzy Hash: 3A61AE30904628EBDF209F54FC84DFE7B79EB29329F144145F965A62A4D7708A81DB70

Function 00CEFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00CEFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00CEFB08
VariantInit.OLEAUT32(?), ref: 00CEFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00CEFB3A
VariantCopy.OLEAUT32(?,?), ref: 00CEFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00CEFBA1
VariantClear.OLEAUT32(?), ref: 00CEFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00CEFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00CEFBCC
VariantClear.OLEAUT32(?), ref: 00CEFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00CEFBE9

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 01d11cd6fe81f818adbc888c3a2b4c2edae53f0dbfdf83368ed6c2fcbb4c62ff
Instruction ID: a59eb976cd478302f3b1ba8b6f8d475552c7abee65541c039590284cf26e442e
Opcode Fuzzy Hash: 01d11cd6fe81f818adbc888c3a2b4c2edae53f0dbfdf83368ed6c2fcbb4c62ff
Instruction Fuzzy Hash: BB414135A102199FCF10EF65CC589AEBBB9EF58344F108069E955E7361D730AE47CBA0

Function 00CF9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00CF9CA1
GetAsyncKeyState.USER32(000000A0), ref: 00CF9D22
GetKeyState.USER32(000000A0), ref: 00CF9D3D
GetAsyncKeyState.USER32(000000A1), ref: 00CF9D57
GetKeyState.USER32(000000A1), ref: 00CF9D6C
GetAsyncKeyState.USER32(00000011), ref: 00CF9D84
GetKeyState.USER32(00000011), ref: 00CF9D96
GetAsyncKeyState.USER32(00000012), ref: 00CF9DAE
GetKeyState.USER32(00000012), ref: 00CF9DC0
GetAsyncKeyState.USER32(0000005B), ref: 00CF9DD8
GetKeyState.USER32(0000005B), ref: 00CF9DEA

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: f042212cfce1261c9c10aa9f8e619977b23b805d6a35f0e2a6309b3774c6663f
Instruction ID: ca542035f6aa94800a06e1dc146e09cd3cf718a9aa22464211c48953515379ab
Opcode Fuzzy Hash: f042212cfce1261c9c10aa9f8e619977b23b805d6a35f0e2a6309b3774c6663f
Instruction Fuzzy Hash: 4C41D634504BCD69FFB4966488043B5BEA0EF22344F14805ADBD6566C2DBB49FC8C7A3

Function 00D1055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00D105BC
inet_addr.WSOCK32(?), ref: 00D1061C
gethostbyname.WSOCK32(?), ref: 00D10628
IcmpCreateFile.IPHLPAPI ref: 00D10636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00D106C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00D106E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00D107B9
WSACleanup.WSOCK32 ref: 00D107BF

Strings

Ping, xrefs: 00D10676

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 49039b60e61856cadd4a616f76e611ed4f00d5d92ea51068112375b20d67a5a6
Instruction ID: 308a4d263d86f57f7a419978620eaf5be7708756a3d313f1084f6657f20d90d9
Opcode Fuzzy Hash: 49039b60e61856cadd4a616f76e611ed4f00d5d92ea51068112375b20d67a5a6
Instruction Fuzzy Hash: 8D916E35604301AFD720EF15D489B5ABBE1AF44318F1885A9E4698B7A2CB70EDC5CFA1

Function 00D18CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00D18CF3

Part of subcall function 00CF8E54: _wcslen.LIBCMT ref: 00CF8E77

_wcslen.LIBCMT ref: 00D18D4E
_wcslen.LIBCMT ref: 00D18D9C
_wcslen.LIBCMT ref: 00D18DDC
_wcslen.LIBCMT ref: 00D18E6E

Strings

none, xrefs: 00D18E65, 00D18E6A
cdecl, xrefs: 00D18D48, 00D18D4D
stdcall, xrefs: 00D18DD6, 00D18DDB
winapi, xrefs: 00D18D96, 00D18D9B

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 301421b4c2c9138b666caacae94574a344bb1b2c995120fa2b06c09abb9e02fc
Instruction ID: 2d1a8981d3348e80e8a6c8a7d6df62edf357c8ec47fafcb703abf546e86a69f3
Opcode Fuzzy Hash: 301421b4c2c9138b666caacae94574a344bb1b2c995120fa2b06c09abb9e02fc
Instruction Fuzzy Hash: 0A518F71A04116AACF14DF6CE9409FEB7A5AF65324B244229F866E72C4DF31DD80E7A0

Function 00D1372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00D13774
CoUninitialize.OLE32 ref: 00D1377F
CoCreateInstance.OLE32(?,00000000,00000017,00D2FB78,?), ref: 00D137D9
IIDFromString.OLE32(?,?), ref: 00D1384C
VariantInit.OLEAUT32(?), ref: 00D138E4
VariantClear.OLEAUT32(?), ref: 00D13936

Strings

Failed to create object, xrefs: 00D137E4, 00D1389A
NULL Pointer assignment, xrefs: 00D1381E
Invalid parameter, xrefs: 00D13865

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 4d406f0db4ae195edcb1f8022d60a7f45e1a380dd89872452d6efad90420e04f
Instruction ID: 4f5f3ab965d6e7739b6ec3300f3310d87f7d3b6130c007751e363b7d1f2f67fb
Opcode Fuzzy Hash: 4d406f0db4ae195edcb1f8022d60a7f45e1a380dd89872452d6efad90420e04f
Instruction Fuzzy Hash: 4661B170608301AFD710DF54E848BAABBE8EF45715F14491DF98597291CB70EE89CBB2

Function 00D03388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00D033CF

Part of subcall function 00C99CB3: _wcslen.LIBCMT ref: 00C99CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00D033F0

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00D03504
"%s" (%d) : ==> %s:, xrefs: 00D03522
Error: , xrefs: 00D034D1
Line %d (File "%s"):, xrefs: 00D03443, 00D0345C
Incorrect parameters to object property !, xrefs: 00D034AB
^ ERROR , xrefs: 00D0349E

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 17ba8bc65c9cd3d196cf934a66673ff993871b752de135f6d8c2f903e99ee207
Instruction ID: f0a81ab0f339d8fe77e58a609cf0f25881005c67fefc35011693b3ec78b0e6c1
Opcode Fuzzy Hash: 17ba8bc65c9cd3d196cf934a66673ff993871b752de135f6d8c2f903e99ee207
Instruction Fuzzy Hash: B7518E31940209AADF15EBE0CD4AEEEB378EF14340F144165F909B21A2EB716F58EB71

Function 00CFB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00CFB5FC
_wcslen.LIBCMT ref: 00CFB608
_wcslen.LIBCMT ref: 00CFB64D
_wcslen.LIBCMT ref: 00CFB68C
_wcslen.LIBCMT ref: 00CFB6C7

Strings

EXISTS, xrefs: 00CFB686, 00CFB68B
APPEND, xrefs: 00CFB6C1, 00CFB6C6
KEYS, xrefs: 00CFB647, 00CFB64C
REMOVE, xrefs: 00CFB602, 00CFB607

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 3b15fa1a110ee107adcb4ab72f427bbe6ce3de53cfd811d0dd644995e59b5f4a
Instruction ID: 0d4c788101701164e1417067f4e9fe489cca2519a3fc90e68d106ae07fcbcdd2
Opcode Fuzzy Hash: 3b15fa1a110ee107adcb4ab72f427bbe6ce3de53cfd811d0dd644995e59b5f4a
Instruction Fuzzy Hash: 0741E632A0002A9BCB646F7DCC905BE77B5AF60754B244129FA31DB284F731CE81C7A1

Function 00D05393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D053A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00D05416
GetLastError.KERNEL32 ref: 00D05420
SetErrorMode.KERNEL32(00000000,READY), ref: 00D054A7

Strings

READY, xrefs: 00D05460, 00D05468
UNKNOWN, xrefs: 00D05444
NOTREADY, xrefs: 00D0544B
READONLY, xrefs: 00D05452
INVALID, xrefs: 00D05459

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 4792a720819731d57b293693f1c36e53eb4fd6c879389c82006bc60749fde112
Instruction ID: 8c8259ed39f07814242547c149b15223570ce9413b08b81a5ccfffa76be3d3d6
Opcode Fuzzy Hash: 4792a720819731d57b293693f1c36e53eb4fd6c879389c82006bc60749fde112
Instruction Fuzzy Hash: A2319E35A006059FCB10DF68D489BEABBB4EB05305F588069EC0ACB396D770DD86CBA1

Function 00D23C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00D23C79
SetMenu.USER32(?,00000000), ref: 00D23C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D23D10
IsMenu.USER32(?), ref: 00D23D24
CreatePopupMenu.USER32 ref: 00D23D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00D23D5B
DrawMenuBar.USER32 ref: 00D23D63

Strings

F, xrefs: 00D23D4E
0, xrefs: 00D23C54

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 970dbab073aa875c3df1d693ee73579e8efc5dc17cc792b3ebfcf694c534e6ca
Instruction ID: 9343ed1841cf6c4a28e8c6702617fa4a2237bfb01a146373a32f7bb2f9a5a5be
Opcode Fuzzy Hash: 970dbab073aa875c3df1d693ee73579e8efc5dc17cc792b3ebfcf694c534e6ca
Instruction Fuzzy Hash: 6C418878A01319AFDB24CF64E844AAA7BB5FF59304F180029E946A7360D774EE11CFA0

Function 00CF1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C99CB3: _wcslen.LIBCMT ref: 00C99CBD

Part of subcall function 00CF3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00CF3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00CF1F64
GetDlgCtrlID.USER32 ref: 00CF1F6F
GetParent.USER32 ref: 00CF1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00CF1F8E
GetDlgCtrlID.USER32(?), ref: 00CF1F97
GetParent.USER32(?), ref: 00CF1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00CF1FAE

Strings

ComboBox, xrefs: 00CF1EEC
ListBox, xrefs: 00CF1F21

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 166ca988ea25645405b8112c5a2c98c040bcf4426f1e35a5f3e3c9b47a0a463c
Instruction ID: 91340cc96636ae856e8a12c12a9fa275622135334afade198dca7260e780d039
Opcode Fuzzy Hash: 166ca988ea25645405b8112c5a2c98c040bcf4426f1e35a5f3e3c9b47a0a463c
Instruction Fuzzy Hash: 3521B070A00218BBCF15AFA5DC99AFEBBB8EF15350F001159BA61A72A1CB345909DB71

Function 00CF1FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C99CB3: _wcslen.LIBCMT ref: 00C99CBD

Part of subcall function 00CF3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00CF3CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00CF2043
GetDlgCtrlID.USER32 ref: 00CF204E
GetParent.USER32 ref: 00CF206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00CF206D
GetDlgCtrlID.USER32(?), ref: 00CF2076
GetParent.USER32(?), ref: 00CF208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00CF208D

Strings

ComboBox, xrefs: 00CF1FCD
ListBox, xrefs: 00CF2002

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 9f639b59d7e09605ab48b6a47c5714f5e39923dc5371d4624ec3b62678810f79
Instruction ID: e65bd031722f8221a3531849207ded540381df28a6d22ae807b7a90266b93e30
Opcode Fuzzy Hash: 9f639b59d7e09605ab48b6a47c5714f5e39923dc5371d4624ec3b62678810f79
Instruction Fuzzy Hash: E321F671A00218BFCF14AFA4CC89EFEBBB8EF15340F000045FA61A72A1CA754919EB71

Function 00D23A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00D23A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00D23AA0
GetWindowLongW.USER32(?,000000F0), ref: 00D23AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D23AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00D23B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00D23BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00D23BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00D23BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00D23BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00D23C13

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 0b505642c8b40081f832bf43f2f536807eceb697390fb3a8d59d75af23bd941d
Instruction ID: ee1649dda86d4c8d606d97942d2122d7717b157fdc80d7605e64a82b4864f89f
Opcode Fuzzy Hash: 0b505642c8b40081f832bf43f2f536807eceb697390fb3a8d59d75af23bd941d
Instruction Fuzzy Hash: 99617A75900218AFDB20DFA8DC81EEE77B8EB59704F14009AFA15E72A1C774AE45DF60

Function 00CC2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00CC2C94

Part of subcall function 00CC29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CCD7D1,00000000,00000000,00000000,00000000,?,00CCD7F8,00000000,00000007,00000000,?,00CCDBF5,00000000), ref: 00CC29DE
Part of subcall function 00CC29C8: GetLastError.KERNEL32(00000000,?,00CCD7D1,00000000,00000000,00000000,00000000,?,00CCD7F8,00000000,00000007,00000000,?,00CCDBF5,00000000,00000000), ref: 00CC29F0

_free.LIBCMT ref: 00CC2CA0
_free.LIBCMT ref: 00CC2CAB
_free.LIBCMT ref: 00CC2CB6
_free.LIBCMT ref: 00CC2CC1
_free.LIBCMT ref: 00CC2CCC
_free.LIBCMT ref: 00CC2CD7
_free.LIBCMT ref: 00CC2CE2
_free.LIBCMT ref: 00CC2CED
_free.LIBCMT ref: 00CC2CFB

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a0bb37b670680739ce52c956159e8ce88f1a35a08d98fc4f748d762decfb2240
Instruction ID: 719b3d7873cffcba59c472b0888cafbf0adb3be3a7fa7b451dda1512b7709be4
Opcode Fuzzy Hash: a0bb37b670680739ce52c956159e8ce88f1a35a08d98fc4f748d762decfb2240
Instruction Fuzzy Hash: DC118676900108BFCB02EF54D982EDD3BA5FF05350F5145A9FA499F222DA31EE50AB90

Function 00D07DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00D07FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00D07FC1
GetFileAttributesW.KERNEL32(?), ref: 00D07FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00D08005
SetCurrentDirectoryW.KERNEL32(?), ref: 00D08017
SetCurrentDirectoryW.KERNEL32(?), ref: 00D08060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00D080B0

Strings

*.*, xrefs: 00D08066

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 0de9bb05d6de4bbbe634070badf2d3a70872c36a615cf55cf802fe31bd8d3240
Instruction ID: 7eb44d3e10c9b48a9f5794b0ceb848e8f11de41e1bced95035043bcc4eab7169
Opcode Fuzzy Hash: 0de9bb05d6de4bbbe634070badf2d3a70872c36a615cf55cf802fe31bd8d3240
Instruction Fuzzy Hash: A08193719083469BCB20DF54C444AAEB7D8BF88310F584C6EF889DB290EB35ED45DB62

Function 00C95BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00C95C7A

Part of subcall function 00C95D0A: GetClientRect.USER32(?,?), ref: 00C95D30
Part of subcall function 00C95D0A: GetWindowRect.USER32(?,?), ref: 00C95D71
Part of subcall function 00C95D0A: ScreenToClient.USER32(?,?), ref: 00C95D99

GetDC.USER32 ref: 00CD46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00CD4708
SelectObject.GDI32(00000000,00000000), ref: 00CD4716
SelectObject.GDI32(00000000,00000000), ref: 00CD472B
ReleaseDC.USER32(?,00000000), ref: 00CD4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00CD47C4

Strings

U, xrefs: 00CD4693

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 87313b0ad57bfbecc29767f3bac1dab00ecb89612fca070824098effb20107d2
Instruction ID: bf5d0a35d085396512458600eb5a42aaf3f439eea512a0ae0bfa3396aeb17c00
Opcode Fuzzy Hash: 87313b0ad57bfbecc29767f3bac1dab00ecb89612fca070824098effb20107d2
Instruction Fuzzy Hash: 6D71B035400205DFCF298F64C984ABA7BB5FF4A354F144266FB669A2A6C331CD42DF60

Function 00D0359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00D035E4

Part of subcall function 00C99CB3: _wcslen.LIBCMT ref: 00C99CBD

LoadStringW.USER32(00D62390,?,00000FFF,?), ref: 00D0360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00D03724
"%s" (%d) : ==> %s:, xrefs: 00D03742
Error: , xrefs: 00D036EF
Line %d (File "%s"):, xrefs: 00D0366B
^ ERROR, xrefs: 00D036C9

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 2beb6e1a9b9c49560c43c64822e4ae0a0049c6ee185be8d19ff5b9e1b65d36d1
Instruction ID: 8656f4b8b17fcd70291b475b118aa42b11efc564809415c5208dfaeaf8d686b2
Opcode Fuzzy Hash: 2beb6e1a9b9c49560c43c64822e4ae0a0049c6ee185be8d19ff5b9e1b65d36d1
Instruction Fuzzy Hash: 40518E71840209BBCF14EBA0CC46EEDBB38EF54300F044169F505721A1EB715A99EFB1

Function 00D0C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00D0C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D0C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00D0C2CA
GetLastError.KERNEL32 ref: 00D0C322
SetEvent.KERNEL32(?), ref: 00D0C336
InternetCloseHandle.WININET(00000000), ref: 00D0C341

Strings

, xrefs: 00D0C2BB

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 5b9c00bfd6287cd8f7850e3a3faf65d6b30e48a786a135f2c0857869c91a41c2
Instruction ID: 0d36a29dbdd507f0630a3c0709b7f3ac3aaaa821d7dda4ece22f0a2708e8d8a3
Opcode Fuzzy Hash: 5b9c00bfd6287cd8f7850e3a3faf65d6b30e48a786a135f2c0857869c91a41c2
Instruction Fuzzy Hash: 49318FB1520304AFD7219F648884BAF7AFCEB59740F14A61EF48AD3290DB30DD059B71

Function 00CF989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00CD3AAF,?,?,Bad directive syntax error,00D2CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00CF98BC
LoadStringW.USER32(00000000,?,00CD3AAF,?), ref: 00CF98C3

Part of subcall function 00C99CB3: _wcslen.LIBCMT ref: 00C99CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00CF9987

Strings

Line %d:, xrefs: 00CF9912
Error: , xrefs: 00CF9955
Line %d (File "%s"):, xrefs: 00CF992D
%s (%d) : ==> %s.: %s %s, xrefs: 00CF98F1
., xrefs: 00CF996D

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 635c46669e0f21bab8c5584cf6988eab3e127fde49867b264026bc815e43dfd6
Instruction ID: 75850aa172d5dc2318bcaf387af94154aa8533799fb762df073d1770f7b9e8f3
Opcode Fuzzy Hash: 635c46669e0f21bab8c5584cf6988eab3e127fde49867b264026bc815e43dfd6
Instruction Fuzzy Hash: D921743194021EAFDF15AF90CC0AEFD7775FF24305F044459F915660A1EB719A18EB61

Function 00CF209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00CF20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00CF20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00CF214D

Strings

SHELLDLL_DefView, xrefs: 00CF20CC
details, xrefs: 00CF20FB
list, xrefs: 00CF212F
largeicons, xrefs: 00CF20E1
smallicons, xrefs: 00CF2115

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 6465243b18e15e678fa30b9302321ff04843896b478bcf607f15252c519a7796
Instruction ID: ffba77c98292d40705b91e1d31543aca0eca9d61ca73eda7b973f534af93d32c
Opcode Fuzzy Hash: 6465243b18e15e678fa30b9302321ff04843896b478bcf607f15252c519a7796
Instruction Fuzzy Hash: F6113D7618870AB9FF152220EC1BDFE739CCF15315F205115FF05A40E2FE619C0A652A

Function 00CC8D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a9717dca09172a149ac9303e4e0c5e3f7daf8699dd7f4968816608e4b56636a
Instruction ID: 37c85d3c018d7e68c9705c91c59dff6fede5a11a6ee3288b2cf21e4fa12f354c
Opcode Fuzzy Hash: 9a9717dca09172a149ac9303e4e0c5e3f7daf8699dd7f4968816608e4b56636a
Instruction Fuzzy Hash: 3CC1BD75A04349AFDB11DFA8C845FEEBBB0AF09310F14409DE925A7392C7749A42DB71

Function 00CCCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00CCCEB7
_free.LIBCMT ref: 00CCCF22
_free.LIBCMT ref: 00CCCF48
_free.LIBCMT ref: 00CCCF71
_free.LIBCMT ref: 00CCCFA9
_free.LIBCMT ref: 00CCCFDA
_free.LIBCMT ref: 00CCD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00CCD09C
_free.LIBCMT ref: 00CCD0B5

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 88197f8e9b8ca4c3f7e1bcf6018c4c361ee673c7515fd02c3cb3dc6ec37958f9
Instruction ID: 2d355f639cdab0b9da90094df2b5b6bc389c4488e5c8648b53497c2fdbb2f4e4
Opcode Fuzzy Hash: 88197f8e9b8ca4c3f7e1bcf6018c4c361ee673c7515fd02c3cb3dc6ec37958f9
Instruction Fuzzy Hash: 6B610571904301AFDB25AFF8D8C1F6A7BA9AF05360F08426DF959D7282D6719E019BA0

Function 00D250D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00D25186
ShowWindow.USER32(?,00000000), ref: 00D251C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00D251CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00D251D1

Part of subcall function 00D26FBA: DeleteObject.GDI32(00000000), ref: 00D26FE6

GetWindowLongW.USER32(?,000000F0), ref: 00D2520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D2521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00D2524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00D25287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00D25296

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 6213d970cba362dad6f6c6055694e7599897ed094390a3341b4e6d0043ceb21e
Instruction ID: 442e58e85057c7152a06efefea79e169b3c727c13719c20b47e187ac776608a0
Opcode Fuzzy Hash: 6213d970cba362dad6f6c6055694e7599897ed094390a3341b4e6d0043ceb21e
Instruction Fuzzy Hash: 41517C30A50A29FEEF219E24FC4AF983B65EF25329F184011F619962E4C375A990DB70

Function 00CA8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00CE6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00CE68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00CE68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00CE68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00CE68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00CA8874,00000000,00000000,00000000,000000FF,00000000), ref: 00CE6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00CE691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00CA8874,00000000,00000000,00000000,000000FF,00000000), ref: 00CE692D

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 0f639d5a70043cfec72c332d446d13dbee366e72539f71f6f23cc44459b7eaf0
Instruction ID: b1187cae84cad7ded9daacb187fad36c9db97c9896f7179478e50eccf548664c
Opcode Fuzzy Hash: 0f639d5a70043cfec72c332d446d13dbee366e72539f71f6f23cc44459b7eaf0
Instruction Fuzzy Hash: 0251897061030AAFDB20CF26DC55BAA7BB5EB69354F104518F922D72A0DB70EE51DB60

Function 00D0C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00D0C182
GetLastError.KERNEL32 ref: 00D0C195
SetEvent.KERNEL32(?), ref: 00D0C1A9

Part of subcall function 00D0C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00D0C272
Part of subcall function 00D0C253: GetLastError.KERNEL32 ref: 00D0C322
Part of subcall function 00D0C253: SetEvent.KERNEL32(?), ref: 00D0C336
Part of subcall function 00D0C253: InternetCloseHandle.WININET(00000000), ref: 00D0C341

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 50c0d1bff95a2eb85629cb0f1173996a25027eb47f8880e160f13584eb2822cc
Instruction ID: 490a3ccc4769b52383c8978b9b311fbea0b350574977bf9c2c0fd3790136c3f3
Opcode Fuzzy Hash: 50c0d1bff95a2eb85629cb0f1173996a25027eb47f8880e160f13584eb2822cc
Instruction Fuzzy Hash: E1318B71621701AFDB219FB5DD04B6ABBE8FF28300B04661DF95AC7A50DB31E8119BB0

Function 00CF25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00CF3A57
Part of subcall function 00CF3A3D: GetCurrentThreadId.KERNEL32 ref: 00CF3A5E
Part of subcall function 00CF3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00CF25B3), ref: 00CF3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00CF25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00CF25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00CF25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00CF25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00CF2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00CF2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00CF260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00CF2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00CF2627

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 22a87ce3e6186f94ced823318dae6c0cdecb01d6416aecc2ce261d22e25f7cf9
Instruction ID: 24be0107dc590a2385a6148dc08cda05ca7c9915336ec2b8e2f1956068539dce
Opcode Fuzzy Hash: 22a87ce3e6186f94ced823318dae6c0cdecb01d6416aecc2ce261d22e25f7cf9
Instruction Fuzzy Hash: 8701D830394714BBFB2067699C8AF693F59DF6EB12F101001F314EE1E1C9E218459A7A

Function 00CF1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00CF1449,?,?,00000000), ref: 00CF180C
HeapAlloc.KERNEL32(00000000,?,00CF1449,?,?,00000000), ref: 00CF1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00CF1449,?,?,00000000), ref: 00CF1828
GetCurrentProcess.KERNEL32(?,00000000,?,00CF1449,?,?,00000000), ref: 00CF1830
DuplicateHandle.KERNEL32(00000000,?,00CF1449,?,?,00000000), ref: 00CF1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00CF1449,?,?,00000000), ref: 00CF1843
GetCurrentProcess.KERNEL32(00CF1449,00000000,?,00CF1449,?,?,00000000), ref: 00CF184B
DuplicateHandle.KERNEL32(00000000,?,00CF1449,?,?,00000000), ref: 00CF184E
CreateThread.KERNEL32(00000000,00000000,00CF1874,00000000,00000000,00000000), ref: 00CF1868

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: f7efbf0822d760cda54b5981b617672549508d4de8bb3978a04c42b134f1a709
Instruction ID: 36465ff5cdca0614c6eae29288f522ed8a2249746384288eaa19255a5da1eb29
Opcode Fuzzy Hash: f7efbf0822d760cda54b5981b617672549508d4de8bb3978a04c42b134f1a709
Instruction Fuzzy Hash: EE01FBB5250308BFE720ABA5DC4EF6B3BACEB99B00F104410FA04DB2A1CA709C11CB70

Function 00D1A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00CFD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00CFD501
Part of subcall function 00CFD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00CFD50F
Part of subcall function 00CFD4DC: CloseHandle.KERNELBASE(00000000), ref: 00CFD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D1A16D
GetLastError.KERNEL32 ref: 00D1A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D1A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00D1A268
GetLastError.KERNEL32(00000000), ref: 00D1A273
CloseHandle.KERNEL32(00000000), ref: 00D1A2C4

Strings

SeDebugPrivilege, xrefs: 00D1A18F

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: c0f474cd84aa53eb987f27e933155784a06f2b29f2217712172753eccba84d06
Instruction ID: 9c0a586cc25a2a55ca537ff7955d8ed49b5beab27082113451513abe0a32f4fe
Opcode Fuzzy Hash: c0f474cd84aa53eb987f27e933155784a06f2b29f2217712172753eccba84d06
Instruction Fuzzy Hash: F661B431205341AFD720DF18D494F69BBE1AF54318F58848CE4568B7A3CB72ED85CBA2

Function 00D23886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00D23925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00D2393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00D23954
_wcslen.LIBCMT ref: 00D23999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00D239C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00D239F4

Strings

SysListView32, xrefs: 00D238F7

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 1b56f22d1d4ab0fce975c448a7817113707bb3b94c65fa506fc9cc28d37e4c40
Instruction ID: e0523982bafd3c227c1c0e5e4b6b9de93b55748508cdbe92e03d428bb45c4a5a
Opcode Fuzzy Hash: 1b56f22d1d4ab0fce975c448a7817113707bb3b94c65fa506fc9cc28d37e4c40
Instruction Fuzzy Hash: 4441E431A00328ABEF219F64DC45BEE7BA9EF18354F140126F958E7281D375DD84CBA0

Function 00CFBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CFBCFD
IsMenu.USER32(00000000), ref: 00CFBD1D
CreatePopupMenu.USER32 ref: 00CFBD53
GetMenuItemCount.USER32(00F55360), ref: 00CFBDA4
InsertMenuItemW.USER32(00F55360,?,00000001,00000030), ref: 00CFBDCC

Strings

2, xrefs: 00CFBD37
0, xrefs: 00CFBCA8

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: d065c68ac0e3adb8f0c406549a873791216b29aaaa47b6b2b5308c25869e85c7
Instruction ID: bb2606a3c540e1aff6a923b7c4785b3f6bb6582e646ee9a0fbbb3922be73ea9b
Opcode Fuzzy Hash: d065c68ac0e3adb8f0c406549a873791216b29aaaa47b6b2b5308c25869e85c7
Instruction Fuzzy Hash: 0251AD70A0030D9BDB64DFA9D884BBEBBF8AF55314F144219E621D7298D770AE41CB63

Function 00CFC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00CFC913

Strings

blank, xrefs: 00CFC895
info, xrefs: 00CFC8B4
question, xrefs: 00CFC8CC
warning, xrefs: 00CFC8FC
stop, xrefs: 00CFC8E4

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 2dc708ff8cb2f36e40229963fefa954534130a91f4641231db5f9c660ca322ac
Instruction ID: d4747df7a749f9968b1e4dca7da0153ab151dd55e933b326efc30779526bfc9f
Opcode Fuzzy Hash: 2dc708ff8cb2f36e40229963fefa954534130a91f4641231db5f9c660ca322ac
Instruction Fuzzy Hash: 5A11D83178930EBEEB459B559DC2CFA779CDF15355B60002AFA00A72C2E7A19F046276

Function 00CFDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00CFDE42
gethostname.WSOCK32(?,00000100), ref: 00CFDE5C
gethostbyname.WSOCK32(?), ref: 00CFDE69
inet_ntoa.WSOCK32(?), ref: 00CFDEAB
_strcat.LIBCMT ref: 00CFDEB9
WSACleanup.WSOCK32 ref: 00CFDEDE

Strings

0.0.0.0, xrefs: 00CFDE87

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 88cdb3cd4e36af4f50957cef9466eea701537c0ff54e43f5314afb1d86335fd3
Instruction ID: 1206d6957c5a61f0cd74968b3da1cd3564c4b1e7f662ec4ffd5720fe753f6200
Opcode Fuzzy Hash: 88cdb3cd4e36af4f50957cef9466eea701537c0ff54e43f5314afb1d86335fd3
Instruction Fuzzy Hash: 30113631804209AFCB74AB209C0AEEE77ACDF20711F000169F656DB191EF71CE819A62

Function 00D29F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CA9BB2

GetSystemMetrics.USER32(0000000F), ref: 00D29FC7
GetSystemMetrics.USER32(0000000F), ref: 00D29FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00D2A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00D2A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00D2A263
ShowWindow.USER32(00000003,00000000), ref: 00D2A282
InvalidateRect.USER32(?,00000000,00000001), ref: 00D2A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 00D2A2CA

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: c1788a4839b516323cb1229b7a4549e38317cb89077455e4230e83d215e039f7
Instruction ID: 5b666952247ab4b5cb9318e0fdfb3c11bc7835466ff3bf280f6b942080ec1498
Opcode Fuzzy Hash: c1788a4839b516323cb1229b7a4549e38317cb89077455e4230e83d215e039f7
Instruction Fuzzy Hash: E5B1A731600225EFDF14CF68D9857AE7BB2FF64715F088069EC899B299D731A940CB71

Function 00CFED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00CFED2A
_wcslen.LIBCMT ref: 00CFED3B
_wcslen.LIBCMT ref: 00CFED79
_wcslen.LIBCMT ref: 00CFEDAF
_wcslen.LIBCMT ref: 00CFEDDF
_wcslen.LIBCMT ref: 00CFEDEF
_wcslen.LIBCMT ref: 00CFEE2B
_wcslen.LIBCMT ref: 00CFEE5A

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 7343e8f49ae8ebfef2ee3a4e560b61d4af3b83a71d440d2e321b7ea782479092
Instruction ID: 91079d698928c42d681a75e3b11d4510ce11544d0c37ad7fc6146784d89d1867
Opcode Fuzzy Hash: 7343e8f49ae8ebfef2ee3a4e560b61d4af3b83a71d440d2e321b7ea782479092
Instruction Fuzzy Hash: 3E419F65C10218B6DB51EBF4CC8A9DFB7ACAF45710F508462E618E3122FB34E755C3A6

Function 00CAF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00CE682C,00000004,00000000,00000000), ref: 00CAF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00CE682C,00000004,00000000,00000000), ref: 00CEF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00CE682C,00000004,00000000,00000000), ref: 00CEF454

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 9b9b1766c4a5cd9505e501e7c1ab3f6465713d0ec760e2c526b2160b7c99f73a
Instruction ID: a190dca443962b5930c6121f911f23fcabf8fd1c370376e026688b22b349fa34
Opcode Fuzzy Hash: 9b9b1766c4a5cd9505e501e7c1ab3f6465713d0ec760e2c526b2160b7c99f73a
Instruction Fuzzy Hash: 25413B30604781BAC7758B7AC88876F7B91AF57318F14443CE09793670C672AA83CB61

Function 00D22D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00D22D1B
GetDC.USER32(00000000), ref: 00D22D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D22D2E
ReleaseDC.USER32(00000000,00000000), ref: 00D22D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00D22D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00D22D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00D25A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00D22DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00D22DE1

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 37014e069c808e1be4035b0eba60cfd2c3989034bfa5dbed27ce4bca000c6a44
Instruction ID: e5ec013b390aaab9c1f0ec2e5982595ae00cbf0014c395afb0adeaae6beaff3b
Opcode Fuzzy Hash: 37014e069c808e1be4035b0eba60cfd2c3989034bfa5dbed27ce4bca000c6a44
Instruction Fuzzy Hash: FD318D72211224BBEB214F509C8AFFB3BA9EF19715F084055FE08DA2A1C6759C51C7B4

Function 00CF5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00CF5637
_memcmp.LIBVCRUNTIME ref: 00CF5659
_memcmp.LIBVCRUNTIME ref: 00CF5671
_memcmp.LIBVCRUNTIME ref: 00CF5684
_memcmp.LIBVCRUNTIME ref: 00CF569E
_memcmp.LIBVCRUNTIME ref: 00CF56B1
_memcmp.LIBVCRUNTIME ref: 00CF56C9
_memcmp.LIBVCRUNTIME ref: 00CF56E4

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 00ce9e837718e171b939051b6d1d0a9e66713433410cfa08673e3e7e29309b7a
Instruction ID: 913a29cf2eac2926c4a975d852081029dadf46711f8423b8d41bdd263769e464
Opcode Fuzzy Hash: 00ce9e837718e171b939051b6d1d0a9e66713433410cfa08673e3e7e29309b7a
Instruction Fuzzy Hash: 5721C961644A1D7BD69466219D92FFA33ACAF203C8F880431FF25DA781F720EE1491B7

Function 00D14FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00D15007
NULL Pointer assignment, xrefs: 00D1502E, 00D15383

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 1b9b7d55d635e72ddbafebe01e0c4a228248951d482088b58b3fb9aeb080e7a7
Instruction ID: cd206746e1e4f96cd189bfad200bd1c1c8bedb37534bb00073bcf4bbe0e947f0
Opcode Fuzzy Hash: 1b9b7d55d635e72ddbafebe01e0c4a228248951d482088b58b3fb9aeb080e7a7
Instruction Fuzzy Hash: 76D1A575A0060AEFDF10CF98E880BEEB7B5BF88344F148069E915AB285D774DD85CB60

Function 00CD1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00CD15CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00CD1651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00CD16E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00CD16FB

Part of subcall function 00CC3820: RtlAllocateHeap.NTDLL(00000000,?,00D61444,?,00CAFDF5,?,?,00C9A976,00000010,00D61440,00C913FC,?,00C913C6,?,00C91129), ref: 00CC3852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00CD1777
__freea.LIBCMT ref: 00CD17A2
__freea.LIBCMT ref: 00CD17AE

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 740924775c3b7ffebd61434897b6032546e9b00539dcb73be943db7b40661e92
Instruction ID: d7020da5f5b362d9b29742c278e1d2ae69f61afd3aba94805345db71ea3c42a6
Opcode Fuzzy Hash: 740924775c3b7ffebd61434897b6032546e9b00539dcb73be943db7b40661e92
Instruction Fuzzy Hash: B191E271E00206AADB208E64D881AEE7BB5EF49310F1C465AFE11E7391E739CE41CB60

Function 00D14523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D14648
VariantInit.OLEAUT32(?), ref: 00D14749
VariantClear.OLEAUT32(?), ref: 00D14753
VariantClear.OLEAUT32(?), ref: 00D147B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00D145D8, 00D14706, 00D147BE
Incorrect Object type in FOR..IN loop, xrefs: 00D1472C

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 450cb31f915a6ff3f29ced989d00b38693e4ba0846dfeb5ee10c928af5000c16
Instruction ID: ab987947f5841d7e584d4a39d83c741ced6100ea9bef343ac5ac6bb511e0b362
Opcode Fuzzy Hash: 450cb31f915a6ff3f29ced989d00b38693e4ba0846dfeb5ee10c928af5000c16
Instruction Fuzzy Hash: 6A917E71A00215BBDF20CFA5E844FEEBBB8EF46715F148559F905AB280DB709985CBB0

Function 00D01187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00D0125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00D01284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00D012A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00D012D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00D0135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00D013C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00D01430

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: baaaf7dde2a399ebe9f3ef04b2ebec9aa8b9aa5a188ece8d0b181f016491c98b
Instruction ID: ba7c8b1f80b34fd75f3b63ebf0c70e32b5ff25763217562b04f06a0b274011d1
Opcode Fuzzy Hash: baaaf7dde2a399ebe9f3ef04b2ebec9aa8b9aa5a188ece8d0b181f016491c98b
Instruction Fuzzy Hash: FE91CE79A00209AFDB009FA4C885BBEB7B5FF45314F144029E949EB2E1D774E946CBB4

Function 00CA948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 3d631b39a81f47b2b21a87b624ffc3dfc5ae9c6a74f2bcf4ffde3ae791894822
Instruction ID: fa7d634869cdeee34b7861ca42f1240a027bd11b3ddfdf3146b3d6df850aa319
Opcode Fuzzy Hash: 3d631b39a81f47b2b21a87b624ffc3dfc5ae9c6a74f2bcf4ffde3ae791894822
Instruction Fuzzy Hash: 2E916971D0021AEFCB10CFA9CC86AEEBBB9FF49324F148145E515B7251D374AA42DB60

Function 00D13947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D1396B
CharUpperBuffW.USER32(?,?), ref: 00D13A7A
_wcslen.LIBCMT ref: 00D13A8A
VariantClear.OLEAUT32(?), ref: 00D13C1F

Part of subcall function 00D00CDF: VariantInit.OLEAUT32(00000000), ref: 00D00D1F
Part of subcall function 00D00CDF: VariantCopy.OLEAUT32(?,?), ref: 00D00D28
Part of subcall function 00D00CDF: VariantClear.OLEAUT32(?), ref: 00D00D34

Strings

AUTOIT.ERROR, xrefs: 00D13A80, 00D13A85
Incorrect Parameter format, xrefs: 00D139A6, 00D13BA1

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 4320e2613ad25b4d5e3893017e06e0a3aacf410aa152018a62154d4a46bd4265
Instruction ID: 358cb6185ff3634a0941a8fa565382fe650c037533adc78d0660b8b74201cb1c
Opcode Fuzzy Hash: 4320e2613ad25b4d5e3893017e06e0a3aacf410aa152018a62154d4a46bd4265
Instruction Fuzzy Hash: 63917C74608305AFCB04DF28D4849AAB7E4FF89314F14896DF88A97351DB30EE45CBA2

Function 00D14BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00CF000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CEFF41,80070057,?,?,?,00CF035E), ref: 00CF002B
Part of subcall function 00CF000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CEFF41,80070057,?,?), ref: 00CF0046
Part of subcall function 00CF000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CEFF41,80070057,?,?), ref: 00CF0054
Part of subcall function 00CF000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CEFF41,80070057,?), ref: 00CF0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00D14C51
_wcslen.LIBCMT ref: 00D14D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00D14DCF
CoTaskMemFree.OLE32(?), ref: 00D14DDA

Strings

NULL Pointer assignment, xrefs: 00D14E23, 00D14E52

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 9989cfb2fb537b033d59f83716c23209b49e8b5cb42c9a07b7aa3640a8b63218
Instruction ID: b4cf6694f6ed3b33d3846ad3f2636a477ddc22e0dd83b4efe27a25484f6c648f
Opcode Fuzzy Hash: 9989cfb2fb537b033d59f83716c23209b49e8b5cb42c9a07b7aa3640a8b63218
Instruction Fuzzy Hash: 1B911571D0021DAFDF14DFA4D891AEEB7B9FF08314F10816AE915A7291EB309A45DFA0

Function 00D220FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00D22183
GetMenuItemCount.USER32(00000000), ref: 00D221B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00D221DD
_wcslen.LIBCMT ref: 00D22213
GetMenuItemID.USER32(?,?), ref: 00D2224D
GetSubMenu.USER32(?,?), ref: 00D2225B

Part of subcall function 00CF3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00CF3A57
Part of subcall function 00CF3A3D: GetCurrentThreadId.KERNEL32 ref: 00CF3A5E
Part of subcall function 00CF3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00CF25B3), ref: 00CF3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00D222E3

Part of subcall function 00CFE97B: Sleep.KERNEL32 ref: 00CFE9F3

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 2fc4c25f1b1be8fb7c7bbde53266cdb27abc868670b0e837e4bbef4f7ea79e47
Instruction ID: ca5786e6364b04c784b673a745b0f3623c863e43b1f8a1e9354a837654014289
Opcode Fuzzy Hash: 2fc4c25f1b1be8fb7c7bbde53266cdb27abc868670b0e837e4bbef4f7ea79e47
Instruction Fuzzy Hash: D1717A35A00215EFCB11DFA8D885ABEB7B1EF58314F148458F856EB351DB35EE428BA0

Function 00D27E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00F556A8), ref: 00D27F37
IsWindowEnabled.USER32(00F556A8), ref: 00D27F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00D2801E
SendMessageW.USER32(00F556A8,000000B0,?,?), ref: 00D28051
IsDlgButtonChecked.USER32(?,?), ref: 00D28089
GetWindowLongW.USER32(00F556A8,000000EC), ref: 00D280AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00D280C3

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: fa64f38d2ba544570c5024dce88b1b697b700cbb90051f10512893dcbfc4da6e
Instruction ID: b764d31f205fe926cf44a15c8275703c8d78da08e94957ddbe47e7ce213707cf
Opcode Fuzzy Hash: fa64f38d2ba544570c5024dce88b1b697b700cbb90051f10512893dcbfc4da6e
Instruction Fuzzy Hash: 8671B03460D224AFEB319F54E984FAABBB5EF29308F180059F955933A1CB31AC45DB31

Function 00CFAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00CFAEF9
GetKeyboardState.USER32(?), ref: 00CFAF0E
SetKeyboardState.USER32(?), ref: 00CFAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00CFAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00CFAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00CFAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00CFB020

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 9175a5ccda2613696d8abdd1ea92922c685645b38b6aa85b5ffa50f336f0fd29
Instruction ID: 92d38b376f89a4b82bb6707923c1b603be6e30a2f648fe4cc17f5c51cd555b87
Opcode Fuzzy Hash: 9175a5ccda2613696d8abdd1ea92922c685645b38b6aa85b5ffa50f336f0fd29
Instruction Fuzzy Hash: 285107E06047D93EFB764274CC45BBABEE95B06304F088589E2E9494C2C7D8AEC4D763

Function 00CFACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00CFAD19
GetKeyboardState.USER32(?), ref: 00CFAD2E
SetKeyboardState.USER32(?), ref: 00CFAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00CFADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00CFADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00CFAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00CFAE38

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d41d6be48273d4ebf43ed6273f7fae052f8799e43f3212b6417ffbf4ee8580ac
Instruction ID: 19f8647fe2275f3d6e11708d423ec526a94bec40ea55e1b57e41fb8770f6670c
Opcode Fuzzy Hash: d41d6be48273d4ebf43ed6273f7fae052f8799e43f3212b6417ffbf4ee8580ac
Instruction Fuzzy Hash: 8C51E7E15047D93DFB764334CC45B7AFEA96B46300F088488E2E9468C2C394ED98E763

Function 00CC542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00CD3CD6,?,?,?,?,?,?,?,?,00CC5BA3,?,?,00CD3CD6,?,?), ref: 00CC5470
__fassign.LIBCMT ref: 00CC54EB
__fassign.LIBCMT ref: 00CC5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00CD3CD6,00000005,00000000,00000000), ref: 00CC552C
WriteFile.KERNEL32(?,00CD3CD6,00000000,00CC5BA3,00000000,?,?,?,?,?,?,?,?,?,00CC5BA3,?), ref: 00CC554B
WriteFile.KERNEL32(?,?,00000001,00CC5BA3,00000000,?,?,?,?,?,?,?,?,?,00CC5BA3,?), ref: 00CC5584

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: f15b036c03e182e391a1184df1ab9efd2afbbadafa2cc991c44ff76e08364368
Instruction ID: 7ccb3c07ff2d1ef78b3e92db2b9d26cdf6031eb81fb58db1a0bb4c8221769140
Opcode Fuzzy Hash: f15b036c03e182e391a1184df1ab9efd2afbbadafa2cc991c44ff76e08364368
Instruction Fuzzy Hash: 88518D71A00749AFDB11CFA8D845FEEBBF9AF08300F14451EE555E7291D670AA81CB60

Function 00CB2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00CB2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00CB2D53
_ValidateLocalCookies.LIBCMT ref: 00CB2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00CB2E0C
_ValidateLocalCookies.LIBCMT ref: 00CB2E61

Strings

csm, xrefs: 00CB2DF6

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 04302739c1bbe369eb655d36653ebb9fb61bc6167e6560fec861253b8779c096
Instruction ID: 7087c563c9b034dd25cb587807d3ea72391655591153125714cf78ed95d833b5
Opcode Fuzzy Hash: 04302739c1bbe369eb655d36653ebb9fb61bc6167e6560fec861253b8779c096
Instruction Fuzzy Hash: 02419034A00249ABCF10DF69CC45ADEBBB5FF44325F148156E824AB392D731EA05CBE1

Function 00D110B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D1304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00D1307A
Part of subcall function 00D1304E: _wcslen.LIBCMT ref: 00D1309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00D11112
WSAGetLastError.WSOCK32 ref: 00D11121
WSAGetLastError.WSOCK32 ref: 00D111C9
closesocket.WSOCK32(00000000), ref: 00D111F9

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 29167cbb98099e2e1394d10d21167abad006863b2ee83ced4bcb60b67cee130f
Instruction ID: d7dd39360424a063c445d53b1c06972277a417c79e779849c5d8aed5d2a1530f
Opcode Fuzzy Hash: 29167cbb98099e2e1394d10d21167abad006863b2ee83ced4bcb60b67cee130f
Instruction Fuzzy Hash: 6441B135600304BFDB209F54E884BE9B7A9EF45324F188059FA599B292DB70EDC1CBB1

Function 00CFCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CFDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00CFCF22,?), ref: 00CFDDFD

Part of subcall function 00CFDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00CFCF22,?), ref: 00CFDE16

lstrcmpiW.KERNEL32(?,?), ref: 00CFCF45
MoveFileW.KERNEL32(?,?), ref: 00CFCF7F
_wcslen.LIBCMT ref: 00CFD005
_wcslen.LIBCMT ref: 00CFD01B
SHFileOperationW.SHELL32(?), ref: 00CFD061

Strings

\*.*, xrefs: 00CFCFF3

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 3b1815f933f2139625546f7004f432bbaa86d4d7661de44f9fc6c57faf5fbbef
Instruction ID: ab75146b026d6105c6ada1711613df981695d6d66a2347a283521901cdd630c0
Opcode Fuzzy Hash: 3b1815f933f2139625546f7004f432bbaa86d4d7661de44f9fc6c57faf5fbbef
Instruction Fuzzy Hash: CE41877190521D5FDF56EFA4CAC1AEEB7B9AF08340F0000E6E605EB142EB34AB48DB51

Function 00D22DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00D22E1C
GetWindowLongW.USER32(?,000000F0), ref: 00D22E4F
GetWindowLongW.USER32(?,000000F0), ref: 00D22E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00D22EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00D22EE0
GetWindowLongW.USER32(?,000000F0), ref: 00D22EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D22F0B

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: d7c89f50f8a2ee558bba7290a4704c325ae8dd4a644142bf0ae286c96bfff125
Instruction ID: a136904ce45290f4ae654c9264bbb713dc60ccf86c363aecb7ca69053b8b6d9c
Opcode Fuzzy Hash: d7c89f50f8a2ee558bba7290a4704c325ae8dd4a644142bf0ae286c96bfff125
Instruction Fuzzy Hash: 7631F434614260AFDB21CF58EC84F6937E1EBAA715F1A1165F910CB2B1CBB1AC41AF61

Function 00CF7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CF7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CF778F
SysAllocString.OLEAUT32(00000000), ref: 00CF7792
SysAllocString.OLEAUT32(?), ref: 00CF77B0
SysFreeString.OLEAUT32(?), ref: 00CF77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00CF77DE
SysAllocString.OLEAUT32(?), ref: 00CF77EC

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: adfaf5734d5ea92bd2c16faf6295ffbc91d83792999d7dd127f26738d7342515
Instruction ID: c8327174b28a04beb5623dd29e801332bdd618bc8964c41a693ca9c8bb6e4a9b
Opcode Fuzzy Hash: adfaf5734d5ea92bd2c16faf6295ffbc91d83792999d7dd127f26738d7342515
Instruction Fuzzy Hash: EC21A37661421DAFDB51EFA9CC84CBB73ACEB093647108126FA14DB250D670ED42CBA1

Function 00CF77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CF7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CF7868
SysAllocString.OLEAUT32(00000000), ref: 00CF786B
SysAllocString.OLEAUT32 ref: 00CF788C
SysFreeString.OLEAUT32 ref: 00CF7895
StringFromGUID2.OLE32(?,?,00000028), ref: 00CF78AF
SysAllocString.OLEAUT32(?), ref: 00CF78BD

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: f38dbca00a2aa37f9d5915997e49c0afb627d25d5948c6084d3651f49b40787e
Instruction ID: 8173a56acaf5be448ae5991542c80799870dc9303a5faa3c1022af69259eb862
Opcode Fuzzy Hash: f38dbca00a2aa37f9d5915997e49c0afb627d25d5948c6084d3651f49b40787e
Instruction Fuzzy Hash: 4821A931604208AFDB10AFA8DC88D7B77ECEB097607108125F615DB2A1D670DD42CB75

Function 00D004D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00D004F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00D0052E

Strings

nul, xrefs: 00D00567

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: b667582aed72f216f8bef13d9e6e5023d34dff23d749dbee2daff36f0af3bb8b
Instruction ID: d1b824852dfda4ee88f8fbf4d4ce323d5ff4dd34fa6d0092419fb37b95eb114a
Opcode Fuzzy Hash: b667582aed72f216f8bef13d9e6e5023d34dff23d749dbee2daff36f0af3bb8b
Instruction Fuzzy Hash: E7217A71500305ABDB208F29DC08B9A7BB4AF54724F244A29E8A9D72E0E7B0D941CF30

Function 00D005A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00D005C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00D00601

Strings

nul, xrefs: 00D00639

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 4e012456c0bb255b1f86dd977c48a2f6141b4fcfeace384a2163dca68149052c
Instruction ID: ee37d4426f1d7063d12dfc55bfbeda2b983529041614ea30ca80a8e7c9c7265c
Opcode Fuzzy Hash: 4e012456c0bb255b1f86dd977c48a2f6141b4fcfeace384a2163dca68149052c
Instruction Fuzzy Hash: B6218175500305ABDB209F69DC04B9A7BE5AF95720F240A19F8A9E72E0DB719961CB30

Function 00D240AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C9600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C9604C
Part of subcall function 00C9600E: GetStockObject.GDI32(00000011), ref: 00C96060
Part of subcall function 00C9600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C9606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00D24112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00D2411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00D2412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00D24139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00D24145

Strings

Msctls_Progress32, xrefs: 00D240E3

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: b7d81efb114d8e1fb209ff9139eb991b6db4f54f0d44cd5ca2783be1f49d6db6
Instruction ID: 46b20b112dd30bc2230375400188b2654a6f2b8fedb90930a867497f737783b0
Opcode Fuzzy Hash: b7d81efb114d8e1fb209ff9139eb991b6db4f54f0d44cd5ca2783be1f49d6db6
Instruction Fuzzy Hash: 221193B1150229BEEF118F64DC85EE77F5DEF18798F014110FA18A2190C6729C61DBB4

Function 00CCD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00CCD7A3: _free.LIBCMT ref: 00CCD7CC

_free.LIBCMT ref: 00CCD82D

Part of subcall function 00CC29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CCD7D1,00000000,00000000,00000000,00000000,?,00CCD7F8,00000000,00000007,00000000,?,00CCDBF5,00000000), ref: 00CC29DE
Part of subcall function 00CC29C8: GetLastError.KERNEL32(00000000,?,00CCD7D1,00000000,00000000,00000000,00000000,?,00CCD7F8,00000000,00000007,00000000,?,00CCDBF5,00000000,00000000), ref: 00CC29F0

_free.LIBCMT ref: 00CCD838
_free.LIBCMT ref: 00CCD843
_free.LIBCMT ref: 00CCD897
_free.LIBCMT ref: 00CCD8A2
_free.LIBCMT ref: 00CCD8AD
_free.LIBCMT ref: 00CCD8B8

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 300d5d55d7f0fae084d44a56609f639bab97ee2127187e17aeea815f7f52e008
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: C1111971940B04AADA21BFB0CC47FCB7BDCAF04700F40586DF29EE6892DA75B545A760

Function 00CFDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00CFDA74
LoadStringW.USER32(00000000), ref: 00CFDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00CFDA91
LoadStringW.USER32(00000000), ref: 00CFDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00CFDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00CFDAB9

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 5655e3135a017c588d7ba35fea24ebbdd44f908dcd8aa8c2b7a629695a87852d
Instruction ID: 92e25d5bd17f8cff3b277c96da476a20c4cf63e041ac66e2ac4ab926c67b868e
Opcode Fuzzy Hash: 5655e3135a017c588d7ba35fea24ebbdd44f908dcd8aa8c2b7a629695a87852d
Instruction Fuzzy Hash: 750186F25103087FEB619BA09D89EFB336CEB08701F401492F706E2141E6749E854F75

Function 00D0096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00F4E2D8,00F4E2D8), ref: 00D0097B
EnterCriticalSection.KERNEL32(00F4E2B8,00000000), ref: 00D0098D
TerminateThread.KERNEL32(?,000001F6), ref: 00D0099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00D009A9
CloseHandle.KERNEL32(?), ref: 00D009B8
InterlockedExchange.KERNEL32(00F4E2D8,000001F6), ref: 00D009C8
LeaveCriticalSection.KERNEL32(00F4E2B8), ref: 00D009CF

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: c787f978e9bcea42fe5939701d2399ec24ae960ca2c9fbb122363282a91ad594
Instruction ID: 5f85ae75ab07555493aed806dd212cdb1711a06ee62158fa5bfe3cb870387b9f
Opcode Fuzzy Hash: c787f978e9bcea42fe5939701d2399ec24ae960ca2c9fbb122363282a91ad594
Instruction Fuzzy Hash: B6F01D31552A02FBD7615B94EE89BDA7A25BF11702F542015F101909A0CB749866CFA4

Function 00C95D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00C95D30
GetWindowRect.USER32(?,?), ref: 00C95D71
ScreenToClient.USER32(?,?), ref: 00C95D99
GetClientRect.USER32(?,?), ref: 00C95ED7
GetWindowRect.USER32(?,?), ref: 00C95EF8

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 456dcef3d1b3ad3e13b92ab6f173620ac03ff7016c7e0fcee5f51c0ba94fe4da
Instruction ID: 1253b75d3a0cfebba7163e4094a0d7fbb20dfb06135b744f12e5e073e4feea56
Opcode Fuzzy Hash: 456dcef3d1b3ad3e13b92ab6f173620ac03ff7016c7e0fcee5f51c0ba94fe4da
Instruction Fuzzy Hash: DEB17635A00B8ADBDB14CFA9C4846EEB7F1FF58310F14841AE9A9D7290DB34AA41DB50

Function 00CC01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00CC00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CC00D6
__allrem.LIBCMT ref: 00CC00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CC010B
__allrem.LIBCMT ref: 00CC0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CC0140

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: 19e348cb1f536c2c606d68af75b8820e25d50a7b6eb6eeae9cd9c6442db737ef
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 2781F672600B06DBE7249FA9CC42FAAB3E8EF41724F28413EF561D6781E770DA419750

Function 00D11D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D13149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,00D1101C,00000000,?,?,00000000), ref: 00D13195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00D11DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00D11DE1
WSAGetLastError.WSOCK32 ref: 00D11DF2
inet_ntoa.WSOCK32(?), ref: 00D11E8C
htons.WSOCK32(?,?,?,?,?), ref: 00D11EDB
_strlen.LIBCMT ref: 00D11F35

Part of subcall function 00CF39E8: _strlen.LIBCMT ref: 00CF39F2

Part of subcall function 00C96D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,00CACF58,?,?,?), ref: 00C96DBA
Part of subcall function 00C96D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00CACF58,?,?,?), ref: 00C96DED

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 177b745ac813d3e9d29ea726d9c5a67bfcd8502e43569cc5944b3e9c0c059f96
Instruction ID: e78fdd2fd6d7495f930da1cef26e8f22a17924bcbf9bf8f53a5cd9ab5b3f0f5f
Opcode Fuzzy Hash: 177b745ac813d3e9d29ea726d9c5a67bfcd8502e43569cc5944b3e9c0c059f96
Instruction Fuzzy Hash: 4FA1EF35204341AFC724DF24D885F6ABBA5AF85318F58894CF5565B2E2CF31ED82CBA1

Function 00CC61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00CB82D9,00CB82D9,?,?,?,00CC644F,00000001,00000001,8BE85006), ref: 00CC6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00CC644F,00000001,00000001,8BE85006,?,?,?), ref: 00CC62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00CC63D8
__freea.LIBCMT ref: 00CC63E5

Part of subcall function 00CC3820: RtlAllocateHeap.NTDLL(00000000,?,00D61444,?,00CAFDF5,?,?,00C9A976,00000010,00D61440,00C913FC,?,00C913C6,?,00C91129), ref: 00CC3852

__freea.LIBCMT ref: 00CC63EE
__freea.LIBCMT ref: 00CC6413

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: b1b0a452621c682e9fedf78b8dea1a5af5c82ed4c27781d814e4402aff8bd204
Instruction ID: 6915aed2c04f46d9c0870d04cd4e4a0114f3946a5ee8b6ce46dd464695590c7f
Opcode Fuzzy Hash: b1b0a452621c682e9fedf78b8dea1a5af5c82ed4c27781d814e4402aff8bd204
Instruction Fuzzy Hash: 4E511072A00246AFEB268F64CE81FAF7BA9EF44710F18422DFD15D6191EB34DD40D6A0

Function 00D1BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C99CB3: _wcslen.LIBCMT ref: 00C99CBD

Part of subcall function 00D1C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D1B6AE,?,?), ref: 00D1C9B5
Part of subcall function 00D1C998: _wcslen.LIBCMT ref: 00D1C9F1
Part of subcall function 00D1C998: _wcslen.LIBCMT ref: 00D1CA68
Part of subcall function 00D1C998: _wcslen.LIBCMT ref: 00D1CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D1BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D1BD25
RegCloseKey.ADVAPI32(00000000), ref: 00D1BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00D1BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00D1BDF3
RegCloseKey.ADVAPI32(?), ref: 00D1BDFF

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 7278cd71ef49be51da3d4ec58bcb5521880c6a5a9b9d020aa38b81e263bba6ad
Instruction ID: 37f70836653f8f37f227a7c1e2f8e4c5053126837b06ba31fcb7ef48fae7ab3f
Opcode Fuzzy Hash: 7278cd71ef49be51da3d4ec58bcb5521880c6a5a9b9d020aa38b81e263bba6ad
Instruction Fuzzy Hash: F381AF30208241AFC714DF24D885E6ABBE5FF84318F14855DF4968B2A2CF31ED45DBA2

Function 00CEF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00CEF7B9
SysAllocString.OLEAUT32(00000001), ref: 00CEF860
VariantCopy.OLEAUT32(00CEFA64,00000000), ref: 00CEF889
VariantClear.OLEAUT32(00CEFA64), ref: 00CEF8AD
VariantCopy.OLEAUT32(00CEFA64,00000000), ref: 00CEF8B1
VariantClear.OLEAUT32(?), ref: 00CEF8BB

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 6f48abfe5515102eb283712c6cb98615fc06680560fd5d0bacf5e32dc99c1a38
Instruction ID: 9f53480353a5d6d22be411bab3fa07b388e1cd5f7b86aff213e782ab505da74d
Opcode Fuzzy Hash: 6f48abfe5515102eb283712c6cb98615fc06680560fd5d0bacf5e32dc99c1a38
Instruction Fuzzy Hash: 4B51C531610350BADF24AF67D895B29B3A8EF45310B24946EF806DF292DB709C42D7A6

Function 00D0910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00C97620: _wcslen.LIBCMT ref: 00C97625

Part of subcall function 00C96B57: _wcslen.LIBCMT ref: 00C96B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00D094E5
_wcslen.LIBCMT ref: 00D09506
_wcslen.LIBCMT ref: 00D0952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00D09585

Strings

X, xrefs: 00D09412

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 723fccb58e38329a3bd862e6e19aaf40f7b087d8350e88242704fce6127a92c9
Instruction ID: 3ed563bc59bda3b0f31114bd720f82aad83ecbb7401759ddd4b7eea5a3906c7e
Opcode Fuzzy Hash: 723fccb58e38329a3bd862e6e19aaf40f7b087d8350e88242704fce6127a92c9
Instruction Fuzzy Hash: 55E18F715083419FCB24DF24C895B6AB7E4FF85314F08896DF8999B2A2DB31DD05CBA2

Function 00CA920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00CA9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CA9BB2

BeginPaint.USER32(?,?,?), ref: 00CA9241
GetWindowRect.USER32(?,?), ref: 00CA92A5
ScreenToClient.USER32(?,?), ref: 00CA92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00CA92D3
EndPaint.USER32(?,?,?,?,?), ref: 00CA9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00CE71EA

Part of subcall function 00CA9339: BeginPath.GDI32(00000000), ref: 00CA9357

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: ebfd40ef8c29ee8543131d3a6be90f5cbd7aafbd78ee00a4a9ee9408ae3e0c7d
Instruction ID: f71fae6ac64a577d772eec67994aa43fac14e501f78ca8415070445f1909c2fa
Opcode Fuzzy Hash: ebfd40ef8c29ee8543131d3a6be90f5cbd7aafbd78ee00a4a9ee9408ae3e0c7d
Instruction Fuzzy Hash: E841BB70105301AFDB21DF25C886FAA7BB8EF5A324F140229F9A4C72B1C7709945DB72

Function 00D007EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00D0080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00D00847
EnterCriticalSection.KERNEL32(?), ref: 00D00863
LeaveCriticalSection.KERNEL32(?), ref: 00D008DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00D008F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00D00921

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: af191424a094dcab5b81f3428f07c1eafcd0701b4918169abc627d0a05faaa46
Instruction ID: 861cfd3bd1806f774d905a759799a995bdd4e3f7e6e3144fdc7ee807748c0fd9
Opcode Fuzzy Hash: af191424a094dcab5b81f3428f07c1eafcd0701b4918169abc627d0a05faaa46
Instruction Fuzzy Hash: A0414C71900205EBDF15AF94DC85AAA7BB8FF04314F1480A9ED04DA296DB30EE65DBA4

Function 00D281DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00CEF3AB,00000000,?,?,00000000,?,00CE682C,00000004,00000000,00000000), ref: 00D2824C
EnableWindow.USER32(?,00000000), ref: 00D28272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00D282D1
ShowWindow.USER32(?,00000004), ref: 00D282E5
EnableWindow.USER32(?,00000001), ref: 00D2830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00D2832F

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 3c563b29fa9b3a18e63fa9d873b41851caaf360d2db58da9e4ce2fc73d1561c6
Instruction ID: fc513fe916d39f9048cddad917d6d2b53491d2698a7a8836d332315765c304c9
Opcode Fuzzy Hash: 3c563b29fa9b3a18e63fa9d873b41851caaf360d2db58da9e4ce2fc73d1561c6
Instruction Fuzzy Hash: 9341D234602750EFDB21CF14E899BA87BE0FF6A719F1C0169E5188B262CB71A841DF74

Function 00CF4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00CF4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00CF4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00CF4CEA
_wcslen.LIBCMT ref: 00CF4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00CF4D10
_wcsstr.LIBVCRUNTIME ref: 00CF4D1A

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 1cb130e730adbf81b2f48b04b96233ddc5859d7d02e76f649af400448b1ab06a
Instruction ID: ccc3ff193e5efa23a12fb7be5eb5d5d868779ce8fb5a08007665bc77f3128eee
Opcode Fuzzy Hash: 1cb130e730adbf81b2f48b04b96233ddc5859d7d02e76f649af400448b1ab06a
Instruction Fuzzy Hash: A7213832204204BBEB695B7AEC09E7F7B9CDF55750F10803DF905CA2A2EA71CD0197A1

Function 00D0581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C93AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C93A97,?,?,00C92E7F,?,?,?,00000000), ref: 00C93AC2

_wcslen.LIBCMT ref: 00D0587B
CoInitialize.OLE32(00000000), ref: 00D05995
CoCreateInstance.OLE32(00D2FCF8,00000000,00000001,00D2FB68,?), ref: 00D059AE
CoUninitialize.OLE32 ref: 00D059CC

Strings

.lnk, xrefs: 00D05876, 00D058C1, 00D05985

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: fd042e04af52a0ef3cec423d03e4a38654cc4d74425146ad7aed26985d0f06e7
Instruction ID: 1e8a899344f2f9aec93bbfcba961fde7c8ddbbb48d9b5caed96126b5800ff92e
Opcode Fuzzy Hash: fd042e04af52a0ef3cec423d03e4a38654cc4d74425146ad7aed26985d0f06e7
Instruction Fuzzy Hash: CBD141716086019FCB14DF24D484A2BBBE5EF89710F158959F88A9B3A1DB31ED05CFA2

Function 00CF175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00CF0FCA
Part of subcall function 00CF0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00CF0FD6
Part of subcall function 00CF0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00CF0FE5
Part of subcall function 00CF0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00CF0FEC
Part of subcall function 00CF0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00CF1002

GetLengthSid.ADVAPI32(?,00000000,00CF1335), ref: 00CF17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00CF17BA
HeapAlloc.KERNEL32(00000000), ref: 00CF17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00CF17DA
GetProcessHeap.KERNEL32(00000000,00000000,00CF1335), ref: 00CF17EE
HeapFree.KERNEL32(00000000), ref: 00CF17F5

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 026d3d18c283c9a6fbcebe9eac1099f25684951d7612ac1c3f05260cad65b422
Instruction ID: dbd2065bd7e2e1cf74e46fe78b42c72161652b42c17d8c0f19481dbcffdca5ef
Opcode Fuzzy Hash: 026d3d18c283c9a6fbcebe9eac1099f25684951d7612ac1c3f05260cad65b422
Instruction Fuzzy Hash: E211AC31A10309EFDB60AFA4CC4ABBF7BA9EB51355F184019F945D7210C735AE45CB61

Function 00CF14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00CF14FF
OpenProcessToken.ADVAPI32(00000000), ref: 00CF1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00CF1515
CloseHandle.KERNEL32(00000004), ref: 00CF1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00CF154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00CF1563

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 911a3209d55deca2ce98a368c678bc5f698a5e97b06d628fe33c032d82d4857d
Instruction ID: 188cf9577cd1b0ecc738df01a4ba47432d504703482b3351e3a5f9ac2b6ef365
Opcode Fuzzy Hash: 911a3209d55deca2ce98a368c678bc5f698a5e97b06d628fe33c032d82d4857d
Instruction Fuzzy Hash: 4C11297250024DEBDF21CF98DD49BEE7BA9EF48744F188015FE15A2160C3758E61DB61

Function 00CB3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00CB3379,00CB2FE5), ref: 00CB3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00CB339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00CB33B7
SetLastError.KERNEL32(00000000,?,00CB3379,00CB2FE5), ref: 00CB3409

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: c5c31a7d893e2b51fe5d39e376299d3986f3ea8bff312c9c09149c60045da454
Instruction ID: e7c45e881a1b7067a363f4176239cd996a79ffc6d2630b3be011b43febea6347
Opcode Fuzzy Hash: c5c31a7d893e2b51fe5d39e376299d3986f3ea8bff312c9c09149c60045da454
Instruction Fuzzy Hash: 2601FC33619351BEE62527B9BC867DB2F98EB15377F200229F921C13F1EF114E02A564

Function 00CC2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00CC5686,00CD3CD6,?,00000000,?,00CC5B6A,?,?,?,?,?,00CBE6D1,?,00D58A48), ref: 00CC2D78
_free.LIBCMT ref: 00CC2DAB
_free.LIBCMT ref: 00CC2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00CBE6D1,?,00D58A48,00000010,00C94F4A,?,?,00000000,00CD3CD6), ref: 00CC2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00CBE6D1,?,00D58A48,00000010,00C94F4A,?,?,00000000,00CD3CD6), ref: 00CC2DEC
_abort.LIBCMT ref: 00CC2DF2

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: ca5ba87cc9b9c3f201ec08420db51592ce4de625a4b79893523d34311490b72d
Instruction ID: f45121570d5dd7a0d247e5381cdb2ea892bdf85950a058a2ef0bea8d5310d760
Opcode Fuzzy Hash: ca5ba87cc9b9c3f201ec08420db51592ce4de625a4b79893523d34311490b72d
Instruction Fuzzy Hash: 26F0A432A04B006BC6226735FC06F1E2659ABE17A1F24451CF836D22E2EF248D02A170

Function 00D28A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00CA9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00CA9693
Part of subcall function 00CA9639: SelectObject.GDI32(?,00000000), ref: 00CA96A2
Part of subcall function 00CA9639: BeginPath.GDI32(?), ref: 00CA96B9
Part of subcall function 00CA9639: SelectObject.GDI32(?,00000000), ref: 00CA96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00D28A4E
LineTo.GDI32(?,00000003,00000000), ref: 00D28A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00D28A70
LineTo.GDI32(?,00000000,00000003), ref: 00D28A80
EndPath.GDI32(?), ref: 00D28A90
StrokePath.GDI32(?), ref: 00D28AA0

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 816df8a6ff25470284043796f22c3d6c3895223255be14c4f6fd3346520519df
Instruction ID: 837de42cfa17db849bea1be9a3132c5a82eaf1bdb852b9f31c966346c213e241
Opcode Fuzzy Hash: 816df8a6ff25470284043796f22c3d6c3895223255be14c4f6fd3346520519df
Instruction Fuzzy Hash: 14110C76040219FFEF129F94DC48E9A7F6CEB18394F048012FA15952A1C7719D55DFB0

Function 00CF51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00CF5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00CF5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CF5230
ReleaseDC.USER32(00000000,00000000), ref: 00CF5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00CF524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00CF5261

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: bc478ec0b599c8da3e810a21e6ffef469418be7e08843a1afebfe3cec6e6ef3f
Instruction ID: 0a6315cc9061e6ea7a29449b845c1f67395ea1805542b796c9fa9028a5c09e69
Opcode Fuzzy Hash: bc478ec0b599c8da3e810a21e6ffef469418be7e08843a1afebfe3cec6e6ef3f
Instruction Fuzzy Hash: 10018B75E00708BBEB209BA69C49A5EBFB8EF58752F044165FB04EB391D6709D01CBA0

Function 00C91BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C91BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00C91BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C91C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C91C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00C91C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C91C22

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 1be68ed307adfa1d6f9fb9e8beeb5a6e90c7db334192f5bc3c6a4dda6e1f3fbd
Instruction ID: 3f0e27b29aaf85edab28e7c5a8538df658edc1f04fe079d35ce44551adc842ca
Opcode Fuzzy Hash: 1be68ed307adfa1d6f9fb9e8beeb5a6e90c7db334192f5bc3c6a4dda6e1f3fbd
Instruction Fuzzy Hash: E1016CB09027597DE3008F5A8C85B56FFA8FF19354F00411B915C47A41C7F5AC64CBE5

Function 00CFEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00CFEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00CFEB46
GetWindowThreadProcessId.USER32(?,?), ref: 00CFEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00CFEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00CFEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00CFEB75

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 9175f48cf109b571e5868641a18bbfd9cd2dfc39201fcc32c17c75658fa33f8d
Instruction ID: ced1fd7398cdc55ce3237afcf879edaaf960a065c8578edb869b8541f8b31c35
Opcode Fuzzy Hash: 9175f48cf109b571e5868641a18bbfd9cd2dfc39201fcc32c17c75658fa33f8d
Instruction Fuzzy Hash: 12F03A72250658BBE7315B629C0EEEF3A7CEFDAB12F001158F611D12A1D7A05E02C6B5

Function 00CE7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00CE7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00CE7469
GetWindowDC.USER32(?), ref: 00CE7475
GetPixel.GDI32(00000000,?,?), ref: 00CE7484
ReleaseDC.USER32(?,00000000), ref: 00CE7496
GetSysColor.USER32(00000005), ref: 00CE74B0

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 588a540abc133b15f724a0ccf99ef71b18017277ff4acfe6b088a7b8bc43db3a
Instruction ID: e38015b440d5e100ae8db1c02a9d54aa09fda22e85f38b5405710e23e6e7bf1d
Opcode Fuzzy Hash: 588a540abc133b15f724a0ccf99ef71b18017277ff4acfe6b088a7b8bc43db3a
Instruction Fuzzy Hash: E0017431410205EFEB215FA4DC09BAE7BB5FB14322F201160F926E22A0CB311E52AF60

Function 00CF1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00CF187F
UnloadUserProfile.USERENV(?,?), ref: 00CF188B
CloseHandle.KERNEL32(?), ref: 00CF1894
CloseHandle.KERNEL32(?), ref: 00CF189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00CF18A5
HeapFree.KERNEL32(00000000), ref: 00CF18AC

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 8b802dfb765c8362ac791cdc42b9ccbc18998b119fe6a18a11dfe8187ff9ae25
Instruction ID: 367e7db4e04b6d411675d8a6e0858d533790f655b360dc4a5df12b9339587f5f
Opcode Fuzzy Hash: 8b802dfb765c8362ac791cdc42b9ccbc18998b119fe6a18a11dfe8187ff9ae25
Instruction Fuzzy Hash: DAE0C236114701BBDA125BA1ED0D90ABB29FF69B22B209620F225C1274CB329832DB60

Function 00CFC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C97620: _wcslen.LIBCMT ref: 00C97625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CFC6EE
_wcslen.LIBCMT ref: 00CFC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CFC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00CFC7CA

Strings

0, xrefs: 00CFC6AF

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 6e00576e85f103b9bdf663560b87dcb6bee5df9f3e7bfd9b682f3f7e48df495f
Instruction ID: c9419c2df402159e6df4c060288a0237723087113ebdc25195d97f121ccb896e
Opcode Fuzzy Hash: 6e00576e85f103b9bdf663560b87dcb6bee5df9f3e7bfd9b682f3f7e48df495f
Instruction Fuzzy Hash: F651A07170830D9BD795AE28CAC5B7A77E4AF45314F04092AFAA5D2290DB70DA04DB53

Function 00D1AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00D1AEA3

Part of subcall function 00C97620: _wcslen.LIBCMT ref: 00C97625

GetProcessId.KERNEL32(00000000), ref: 00D1AF38
CloseHandle.KERNEL32(00000000), ref: 00D1AF67

Strings

<, xrefs: 00D1AE6B
@, xrefs: 00D1AE72

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 86f9f865795f3ec3a8bf1389fbc3ecf2f5278f25a7d14a06658a040ba40bc7ad
Instruction ID: b38b37d65c82049a356bfedefb3294f9f39ca54d834a3b20e05c30f09fa9c919
Opcode Fuzzy Hash: 86f9f865795f3ec3a8bf1389fbc3ecf2f5278f25a7d14a06658a040ba40bc7ad
Instruction Fuzzy Hash: 8C715971A01615EFCF14DF58D484A9EBBF0BF08314F048499E816AB3A2DB74ED85DBA1

Function 00CF719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00CF7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00CF723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00CF724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00CF72CF

Strings

DllGetClassObject, xrefs: 00CF7242

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: f4e021352dd4cd00f42691e842a846b5d95e776a12d43f2a96c009d33a233728
Instruction ID: bf54eb880364e3b6394561618b5abc4e94b200665f0e96f0b910c03dd3030644
Opcode Fuzzy Hash: f4e021352dd4cd00f42691e842a846b5d95e776a12d43f2a96c009d33a233728
Instruction Fuzzy Hash: A8416E71604208EFDB55CF54C885AAA7BB9EF44310F1481ADBE05DF20AD7B0DE45CBA1

Function 00D23D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D23E35
IsMenu.USER32(?), ref: 00D23E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00D23E92
DrawMenuBar.USER32 ref: 00D23EA5

Strings

0, xrefs: 00D23D89

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 7882dc5927c4814f943a026255796ea5310708a493356082a932d97d43125982
Instruction ID: 701cff14519084e7ca28be84da3d3288052d637cabd77b8f6be48537ed74a4e2
Opcode Fuzzy Hash: 7882dc5927c4814f943a026255796ea5310708a493356082a932d97d43125982
Instruction Fuzzy Hash: 0A417BB5A00319AFDB10DF50E884AAAB7B5FF58358F094259F91197350C334EE09CF60

Function 00CF1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C99CB3: _wcslen.LIBCMT ref: 00C99CBD

Part of subcall function 00CF3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00CF3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00CF1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00CF1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00CF1EA9

Part of subcall function 00C96B57: _wcslen.LIBCMT ref: 00C96B6A

Strings

ComboBox, xrefs: 00CF1DF0
ListBox, xrefs: 00CF1E25

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: ca9e2dd901ffa6c1b912b8f1e9edda47afb2f7de7c883fdbab5de86698266486
Instruction ID: c880f75094ce9ed05e8e359940d0eedf1aa9fb15e1cb1d7e78df5f73e82ef08a
Opcode Fuzzy Hash: ca9e2dd901ffa6c1b912b8f1e9edda47afb2f7de7c883fdbab5de86698266486
Instruction Fuzzy Hash: C921F171A00108BEDF18ABA5DC5ADFFB7B8DF56350B184119FD25A72E1DB344E0AA630

Function 00D22F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00D22F8D
LoadLibraryW.KERNEL32(?), ref: 00D22F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00D22FA9
DestroyWindow.USER32(?), ref: 00D22FB1

Strings

SysAnimate32, xrefs: 00D22F68

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 03708a55b9c08a3b44e3e7cba8a6a1963f6f4a9e015df881f0c3b30a584c33c6
Instruction ID: 6d56e649d9cd8fae3a2ac5b718d41ab85a8c491a45609be00bc52c4772b6c71a
Opcode Fuzzy Hash: 03708a55b9c08a3b44e3e7cba8a6a1963f6f4a9e015df881f0c3b30a584c33c6
Instruction Fuzzy Hash: 9F219A72204225BBEB208F66ED80EBB37B9EF69368F140218FA50D21A0D771DC519770

Function 00CB4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00CB4D1E,00CC28E9,?,00CB4CBE,00CC28E9,00D588B8,0000000C,00CB4E15,00CC28E9,00000002), ref: 00CB4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00CB4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00CB4D1E,00CC28E9,?,00CB4CBE,00CC28E9,00D588B8,0000000C,00CB4E15,00CC28E9,00000002,00000000), ref: 00CB4DC3

Strings

mscoree.dll, xrefs: 00CB4D86
CorExitProcess, xrefs: 00CB4D98

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 2522ad73719f87b0429e25ac5933e99ffc09f9325500f71889ea60205860ecb1
Instruction ID: be3fc67bfc55d129ee7694c64706ad72437921ccdea672bc2c4366bbcea6ffd8
Opcode Fuzzy Hash: 2522ad73719f87b0429e25ac5933e99ffc09f9325500f71889ea60205860ecb1
Instruction Fuzzy Hash: A3F03C35A54308ABDB259FA4DC49BEEBFB5EF54752F0000A4E805E22A1CB305E55DAA0

Function 00CED3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00CED3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00CED3BF
FreeLibrary.KERNEL32(00000000), ref: 00CED3E5

Strings

X64, xrefs: 00CED2A8
GetSystemWow64DirectoryW, xrefs: 00CED3B9

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 2e232ded267b65eb346aa65fbabd2a5c35d29a70494fd5e94f1244206b5c02bf
Instruction ID: 3f0b6ba9257fe354679bcfd36b910ad7b442dca5a5e776de45a382f139b4e5da
Opcode Fuzzy Hash: 2e232ded267b65eb346aa65fbabd2a5c35d29a70494fd5e94f1244206b5c02bf
Instruction Fuzzy Hash: 68F0AB3090ABA1DBD73217139C4892D3730AF22B02F65A089F913E2220CB30CE49C6F2

Function 00C94E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C94EDD,?,00D61418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C94E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C94EAE
FreeLibrary.KERNEL32(00000000,?,?,00C94EDD,?,00D61418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C94EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00C94EA8
kernel32.dll, xrefs: 00C94E94

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: cb674ed75e289ce70262e32251fdb85fcaa134a206f7ce0a140b560bfd3b1785
Instruction ID: 703b6a619aa6bc7aaadf41478d99f9f140d384523b8bbae6928951f7eaee02f2
Opcode Fuzzy Hash: cb674ed75e289ce70262e32251fdb85fcaa134a206f7ce0a140b560bfd3b1785
Instruction Fuzzy Hash: A9E08635A157225B96321B256C1DE5FB554AFA1B637051115FC11D2240DB60CE0780F1

Function 00C94E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00CD3CDE,?,00D61418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C94E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C94E74
FreeLibrary.KERNEL32(00000000,?,?,00CD3CDE,?,00D61418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C94E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00C94E6E
kernel32.dll, xrefs: 00C94E5B

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 89d9420a96e5de99964ca9d211676630b593f9e40a91930fef1bd487d1d81e22
Instruction ID: 382e0dbec495c950b8f679acd9485210570db2ed48459fc3feba8ac589be9d7f
Opcode Fuzzy Hash: 89d9420a96e5de99964ca9d211676630b593f9e40a91930fef1bd487d1d81e22
Instruction Fuzzy Hash: CBD0C232922B315B4E331B247C0DD8FBA18AF85B513051150BC10E2310CF20CE13C1F0

Function 00D02947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00D02C05
DeleteFileW.KERNEL32(?), ref: 00D02C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00D02C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00D02CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00D02CC0

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 775f1386c3d98b397613db46ea135bee1b3d6e3846898af11c92653f84e65f34
Instruction ID: 9c8bff6aa11083343edccf66fe8762e0d6d6f6bb69373e8ac715511c75eb7eda
Opcode Fuzzy Hash: 775f1386c3d98b397613db46ea135bee1b3d6e3846898af11c92653f84e65f34
Instruction Fuzzy Hash: BAB15D71D01119ABDF21DBA4CC89EEEB7BDEF48350F1040A6FA09E6181EA319A449F71

Function 00D1A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00D1A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00D1A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00D1A468
CloseHandle.KERNEL32(?), ref: 00D1A63D

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 50142f8252a1330f8db984d36aea571763e45774d9956925b4f17d91c17f7811
Instruction ID: 4790194d6e7477baeb97d7e3a541732cdbb58ef45dbe3d151887033b687fca28
Opcode Fuzzy Hash: 50142f8252a1330f8db984d36aea571763e45774d9956925b4f17d91c17f7811
Instruction Fuzzy Hash: DFA18271604701AFD720DF28D886F2AB7E5AF84714F14885DF59A9B3D2DB70EC418B92

Function 00CFE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CFDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00CFCF22,?), ref: 00CFDDFD

Part of subcall function 00CFDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00CFCF22,?), ref: 00CFDE16

Part of subcall function 00CFE199: GetFileAttributesW.KERNEL32(?,00CFCF95), ref: 00CFE19A

lstrcmpiW.KERNEL32(?,?), ref: 00CFE473
MoveFileW.KERNEL32(?,?), ref: 00CFE4AC
_wcslen.LIBCMT ref: 00CFE5EB
_wcslen.LIBCMT ref: 00CFE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00CFE650

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 009d21db4bd48b278f97fc9035b995f0aa913bc9de664385eace4defae13a5f1
Instruction ID: 58408c1941c9b8e9a73b044788d923afe56d15cd3a870ee7d931496c894fc501
Opcode Fuzzy Hash: 009d21db4bd48b278f97fc9035b995f0aa913bc9de664385eace4defae13a5f1
Instruction Fuzzy Hash: DB5170B24083499BC764EB94DC819EFB7ECAF84340F00491EF699D3191EE74A688D767

Function 00D1B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C99CB3: _wcslen.LIBCMT ref: 00C99CBD

Part of subcall function 00D1C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D1B6AE,?,?), ref: 00D1C9B5
Part of subcall function 00D1C998: _wcslen.LIBCMT ref: 00D1C9F1
Part of subcall function 00D1C998: _wcslen.LIBCMT ref: 00D1CA68
Part of subcall function 00D1C998: _wcslen.LIBCMT ref: 00D1CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D1BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D1BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00D1BB63
RegCloseKey.ADVAPI32(?,?), ref: 00D1BBA6
RegCloseKey.ADVAPI32(00000000), ref: 00D1BBB3

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 634b54a7a6a243a33a47f59f8df30430d72ae7f2f14ee70806799bc1aa6e41b4
Instruction ID: c5f6b2b4edd1a3a15ee71606d44ff35314b6911c0fb9121f0507264285893df9
Opcode Fuzzy Hash: 634b54a7a6a243a33a47f59f8df30430d72ae7f2f14ee70806799bc1aa6e41b4
Instruction Fuzzy Hash: A961B131208241AFC714DF14D594E6ABBE5FF84318F14859DF4998B2A2CF31ED85CBA2

Function 00CF8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CF8BCD
VariantClear.OLEAUT32 ref: 00CF8C3E
VariantClear.OLEAUT32 ref: 00CF8C9D
VariantClear.OLEAUT32(?), ref: 00CF8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00CF8D3B

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: a2d377ebc67557bb22dc1d7f07724c159df346a4596ae564fe6a1b8c657177db
Instruction ID: 2a3193474d9ee0c82758ec80c1cb3190cca8ff7ec6501ead97737fd5985fee77
Opcode Fuzzy Hash: a2d377ebc67557bb22dc1d7f07724c159df346a4596ae564fe6a1b8c657177db
Instruction Fuzzy Hash: 24517CB5A0061AEFCB10CF58C884AAAB7F4FF89310B158559F915DB354E730E911CFA0

Function 00D08AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00D08BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00D08BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00D08C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00D08C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00D08C5F

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: de7f5c564c2f9587fd1a9e887d8be57025be3761c6dd6d52fb92789c73d5167b
Instruction ID: ccdd01ce0f34bd7e0008c15507cf4e4d1a3a0ad6c87a63a80a144b77358bb0e4
Opcode Fuzzy Hash: de7f5c564c2f9587fd1a9e887d8be57025be3761c6dd6d52fb92789c73d5167b
Instruction Fuzzy Hash: DE513735A00215AFDF11DF64C884A69BBF5FF49314F088058E849AB3A2DB31ED51DBA0

Function 00D18EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00D18F40
GetProcAddress.KERNEL32(00000000,?), ref: 00D18FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00D18FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00D19032
FreeLibrary.KERNEL32(00000000), ref: 00D19052

Part of subcall function 00CAF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00D01043,?,753CE610), ref: 00CAF6E6
Part of subcall function 00CAF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00CEFA64,00000000,00000000,?,?,00D01043,?,753CE610,?,00CEFA64), ref: 00CAF70D

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 360842872279bb97ea7dc993e2ea8d0e9803ded0ae586edf39ac45dac06ee4b3
Instruction ID: c460a5679885b696f4fe6b42105572e2ac4e4c6ab37d358a30ee7ac9cb89fbbb
Opcode Fuzzy Hash: 360842872279bb97ea7dc993e2ea8d0e9803ded0ae586edf39ac45dac06ee4b3
Instruction Fuzzy Hash: 8D513B35604205EFCB15DF58D4958EDBBF1FF49314B098098E8469B362DB31ED86DBA0

Function 00D26B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00D26C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00D26C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00D26C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00D0AB79,00000000,00000000), ref: 00D26C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00D26CC7

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 317f9087ba33af8b45090b51b8d9cf9086f901c740ba10381e3e5d50450760a6
Instruction ID: 2a5d185f513e63132a986235321c4f5131383b63c4138d17be3bafe4b297df02
Opcode Fuzzy Hash: 317f9087ba33af8b45090b51b8d9cf9086f901c740ba10381e3e5d50450760a6
Instruction Fuzzy Hash: 9B41B335604324AFD724EF28DC54BA97FA5EB19354F180264F895E73A0C371ED41EA70

Function 00CC2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00CC20C3
_free.LIBCMT ref: 00CC20E3

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: bde0092525eab52b180e469047b565644f48838f35cffec512fa3d733bbd2dba
Instruction ID: f77719dddf0e1b425289d119048e3e5f29ccf45d4f960a2efb22350b89c6825a
Opcode Fuzzy Hash: bde0092525eab52b180e469047b565644f48838f35cffec512fa3d733bbd2dba
Instruction Fuzzy Hash: F341B132A003009FCB24DF78C981F5DB7A5EF89314F1545ADEA15EB396DA31AE01DB90

Function 00CA912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00CA9141
ScreenToClient.USER32(00000000,?), ref: 00CA915E
GetAsyncKeyState.USER32(00000001), ref: 00CA9183
GetAsyncKeyState.USER32(00000002), ref: 00CA919D

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: eb2eb3e55708448d92d729b9e99e8eece0f0444b47fe5555490e5f6797dc5e83
Instruction ID: 3adf8cdf8501cad3560fb7e45c5cb0ef7e299e690bddd68f39fbaf988d16a9f3
Opcode Fuzzy Hash: eb2eb3e55708448d92d729b9e99e8eece0f0444b47fe5555490e5f6797dc5e83
Instruction Fuzzy Hash: FB418D31A0865BBBDF159F65C848BEEB774FF06324F208315E429A7290C7346E50DBA1

Function 00D03874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00D038CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00D03922
TranslateMessage.USER32(?), ref: 00D0394B
DispatchMessageW.USER32(?), ref: 00D03955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D03966

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 87a90f553f64ee64de140b7e94e55e1a8d9d55a19424c642dd2d2d8ea2eab05e
Instruction ID: a07267fd6b638b165826a290fadc30106e13e15d94c4de018a36994295510180
Opcode Fuzzy Hash: 87a90f553f64ee64de140b7e94e55e1a8d9d55a19424c642dd2d2d8ea2eab05e
Instruction Fuzzy Hash: 2D31B5749043419EEB35CB34A849BB637ACEB15304F0C456DE4AAC22E0E3F49A85CF71

Function 00D0CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00D0C21E,00000000), ref: 00D0CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00D0CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00D0C21E,00000000), ref: 00D0CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00D0C21E,00000000), ref: 00D0CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00D0C21E,00000000), ref: 00D0CFF2

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: c9efae167db7abd17f0db0ba67f56f7f94e6f3fd7bb70403c3a8fdf84f22c591
Instruction ID: 593aba901d35c6a3bc428dd8ab35950c360ef3a025075abd37fc6ff4e1919049
Opcode Fuzzy Hash: c9efae167db7abd17f0db0ba67f56f7f94e6f3fd7bb70403c3a8fdf84f22c591
Instruction Fuzzy Hash: AF316D71515306EFDB20DFA5C884AAEBBF9EF14354B14552EF50AD2280DB30EE429B71

Function 00CF1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00CF1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00CF19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00CF19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00CF19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00CF19E2

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: a9bd487050c1f122c0d6410b055405406a2802d76a9ad4c7c351772edb62f82b
Instruction ID: 4f2316b1fef4e87c299f65c49ca32a3e87f6fe142a20d63422e793b0d5233eea
Opcode Fuzzy Hash: a9bd487050c1f122c0d6410b055405406a2802d76a9ad4c7c351772edb62f82b
Instruction Fuzzy Hash: C831BE71A0021DEFCB14CFA8C999AAE3BB5EB14315F145229FE21E72D0C3B09E54DB91

Function 00D10930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00D10951
GetForegroundWindow.USER32 ref: 00D10968
GetDC.USER32(00000000), ref: 00D109A4
GetPixel.GDI32(00000000,?,00000003), ref: 00D109B0
ReleaseDC.USER32(00000000,00000003), ref: 00D109E8

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: d24d723726ff819cd5dc193053de84b6da6c2e54b7702b255e0e3043c48a84b5
Instruction ID: 02d93c14f6f385b293ffe934a0f1cb7df74587a46d8cda35b83949bb36df50a7
Opcode Fuzzy Hash: d24d723726ff819cd5dc193053de84b6da6c2e54b7702b255e0e3043c48a84b5
Instruction Fuzzy Hash: 7021C335600204AFD714EF68D888AAEBBF5EF44700F048028F84AD7762CB70EC44CBA0

Function 00CCCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00CCCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CCCDE9

Part of subcall function 00CC3820: RtlAllocateHeap.NTDLL(00000000,?,00D61444,?,00CAFDF5,?,?,00C9A976,00000010,00D61440,00C913FC,?,00C913C6,?,00C91129), ref: 00CC3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00CCCE0F
_free.LIBCMT ref: 00CCCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00CCCE31

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 3ec9cc677e1d1144e7be7bbbeb0369b10f62628841002125d9c7bac44edd9b56
Instruction ID: 22a14887e7d27737f24ccb12861b6dcc8ca5f9de45d7537911841795eef13845
Opcode Fuzzy Hash: 3ec9cc677e1d1144e7be7bbbeb0369b10f62628841002125d9c7bac44edd9b56
Instruction Fuzzy Hash: 9D018472A017157F232156B6ECC9E7F696DDEC7BA1315012DF919C7201EA618E0291F0

Function 00CA9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00CA9693
SelectObject.GDI32(?,00000000), ref: 00CA96A2
BeginPath.GDI32(?), ref: 00CA96B9
SelectObject.GDI32(?,00000000), ref: 00CA96E2

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 446af0e4559436bd14230f4272279b922d7330f27ab6b05d79afaf9f6a560d6d
Instruction ID: b2c7c90e09e9e595213be3b215f088fac658c9abeab7c47a79435470078a1257
Opcode Fuzzy Hash: 446af0e4559436bd14230f4272279b922d7330f27ab6b05d79afaf9f6a560d6d
Instruction Fuzzy Hash: 85214F34812306EBEB119F65DC1A7A93BB8FF51359F184216F420E62B0D3B09991DFB4

Function 00CF5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00CF5726
_memcmp.LIBVCRUNTIME ref: 00CF5744
_memcmp.LIBVCRUNTIME ref: 00CF5757
_memcmp.LIBVCRUNTIME ref: 00CF576F
_memcmp.LIBVCRUNTIME ref: 00CF5787

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 425f0557901cac4fd7660e703d4720026e16e7b3653459c062ddc0ac74f006c2
Instruction ID: 662e687e40bf37e35ab8b86072e7da0eb0b5e8d014a272fdd45eddfba4873576
Opcode Fuzzy Hash: 425f0557901cac4fd7660e703d4720026e16e7b3653459c062ddc0ac74f006c2
Instruction Fuzzy Hash: B901F9A1255A1DBFD24866119D82FFB739C9B30398F540032FF059A241F720EE1492B2

Function 00CC2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00CBF2DE,00CC3863,00D61444,?,00CAFDF5,?,?,00C9A976,00000010,00D61440,00C913FC,?,00C913C6), ref: 00CC2DFD
_free.LIBCMT ref: 00CC2E32
_free.LIBCMT ref: 00CC2E59
SetLastError.KERNEL32(00000000,00C91129), ref: 00CC2E66
SetLastError.KERNEL32(00000000,00C91129), ref: 00CC2E6F

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 6f840a014fdf4fdeffa41c81b898fdd72743c117d11a643a74d54b1975ad849a
Instruction ID: 47e8f8357b2fbaf53a13242d853c427b53030253ce76870a1cbf164226cd6c8f
Opcode Fuzzy Hash: 6f840a014fdf4fdeffa41c81b898fdd72743c117d11a643a74d54b1975ad849a
Instruction Fuzzy Hash: 5601F436605B006BCA226775EC45F2F266DABD13B3B20442CF821F2393EB34CD065030

Function 00CF000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CEFF41,80070057,?,?,?,00CF035E), ref: 00CF002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CEFF41,80070057,?,?), ref: 00CF0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CEFF41,80070057,?,?), ref: 00CF0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CEFF41,80070057,?), ref: 00CF0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CEFF41,80070057,?,?), ref: 00CF0070

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 8ca07df05bb940047c4b2a73b8e74a7520ebd8539989e7cebb385ac90533da83
Instruction ID: b95f2114d3fb986cc81d0e592ba0f6975382e0370682612fa4a2bd79b21b9910
Opcode Fuzzy Hash: 8ca07df05bb940047c4b2a73b8e74a7520ebd8539989e7cebb385ac90533da83
Instruction Fuzzy Hash: 17017172610208BBDB604F65DC04BAE7EADEB48B52F245114FA05D2211DB71DD4187A0

Function 00CFE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00CFE997
QueryPerformanceFrequency.KERNEL32(?), ref: 00CFE9A5
Sleep.KERNEL32(00000000), ref: 00CFE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00CFE9B7
Sleep.KERNEL32 ref: 00CFE9F3

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 30e119edad695bc8ee81c302751326e9561d03bb4b111858240eb81d16817afe
Instruction ID: 62290f7c06c64013b7c2d9de00b87755df02236e8e9544229a91e74ae1f7b016
Opcode Fuzzy Hash: 30e119edad695bc8ee81c302751326e9561d03bb4b111858240eb81d16817afe
Instruction Fuzzy Hash: 6E015B31D0162DDBCF50AFE5DC496EDBB78BF19700F000546E602B2260CB709A56C7B2

Function 00CF10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00CF1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00CF0B9B,?,?,?), ref: 00CF1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00CF0B9B,?,?,?), ref: 00CF112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00CF0B9B,?,?,?), ref: 00CF1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00CF114D

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: be7ca985322319cf102104519e4d5ce6c0c1fdb807d46f86b0a928eb9f75a56e
Instruction ID: c96573a0bfcfe5effe074256e7907fde1e9f96de5205cbe7f25fbbdb242b08e2
Opcode Fuzzy Hash: be7ca985322319cf102104519e4d5ce6c0c1fdb807d46f86b0a928eb9f75a56e
Instruction Fuzzy Hash: 46016979200309BFDB224FA4DC49A6E3B6EEF993A0B244418FA41C3360DB31DD018AB0

Function 00CF0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00CF0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00CF0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00CF0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00CF0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00CF1002

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 0c97d3f3554cd1febc3f66891db24a53dac00f5c3e0bbf2f01b9c0df4dc454bb
Instruction ID: 4884ad51525e4c8993065bea6e8769efd7a52ede26f05a707aaf5bad92e83f6a
Opcode Fuzzy Hash: 0c97d3f3554cd1febc3f66891db24a53dac00f5c3e0bbf2f01b9c0df4dc454bb
Instruction Fuzzy Hash: D9F04936210305EFDB214FA49C4AF6A3BADEF99762F244424FA45C7351CA70DC518A70

Function 00CF1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00CF102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00CF1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00CF1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00CF104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00CF1062

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f88165d6bcbaf6b7621d0c87fff27ae9a632e5e5a9a38b8ce96132d0dc2ededb
Instruction ID: 58ed4fcbc640c2b61d23e895b427f943b6ed7ff643f59646696f6197f7d94456
Opcode Fuzzy Hash: f88165d6bcbaf6b7621d0c87fff27ae9a632e5e5a9a38b8ce96132d0dc2ededb
Instruction Fuzzy Hash: 2FF04935210305EBDB225FA4EC4AF6A3BADEF99761F240424FA45C7350CA70DD518A70

Function 00D0030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00D0017D,?,00D032FC,?,00000001,00CD2592,?), ref: 00D00324
CloseHandle.KERNEL32(?,?,?,?,00D0017D,?,00D032FC,?,00000001,00CD2592,?), ref: 00D00331
CloseHandle.KERNEL32(?,?,?,?,00D0017D,?,00D032FC,?,00000001,00CD2592,?), ref: 00D0033E
CloseHandle.KERNEL32(?,?,?,?,00D0017D,?,00D032FC,?,00000001,00CD2592,?), ref: 00D0034B
CloseHandle.KERNEL32(?,?,?,?,00D0017D,?,00D032FC,?,00000001,00CD2592,?), ref: 00D00358
CloseHandle.KERNEL32(?,?,?,?,00D0017D,?,00D032FC,?,00000001,00CD2592,?), ref: 00D00365

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 11009977956a20e569b3b82190fc77d5f5c8b6880828e60b14cc8f259aa2a8bc
Instruction ID: 86ee83cd15f0cabbef8d1a554b8d168ee63acf63b577b2ca0c71465491bb00e7
Opcode Fuzzy Hash: 11009977956a20e569b3b82190fc77d5f5c8b6880828e60b14cc8f259aa2a8bc
Instruction Fuzzy Hash: 8301E272800B01AFC7319F66D880602FBF9BF603153188A3FD19A52970C370A944CF90

Function 00CCD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00CCD752

Part of subcall function 00CC29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CCD7D1,00000000,00000000,00000000,00000000,?,00CCD7F8,00000000,00000007,00000000,?,00CCDBF5,00000000), ref: 00CC29DE
Part of subcall function 00CC29C8: GetLastError.KERNEL32(00000000,?,00CCD7D1,00000000,00000000,00000000,00000000,?,00CCD7F8,00000000,00000007,00000000,?,00CCDBF5,00000000,00000000), ref: 00CC29F0

_free.LIBCMT ref: 00CCD764
_free.LIBCMT ref: 00CCD776
_free.LIBCMT ref: 00CCD788
_free.LIBCMT ref: 00CCD79A

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f05477fd8d3088340ccdc0af66eebe7d0dc8812dbc74866ea014ec6a161773ef
Instruction ID: 2149b882758bf027f5a6af68bbc7b576c2fba029ef97cf8d19b77cb0c144a3c4
Opcode Fuzzy Hash: f05477fd8d3088340ccdc0af66eebe7d0dc8812dbc74866ea014ec6a161773ef
Instruction Fuzzy Hash: B7F06D32950304AF8621EB68F9C6E1A7BDDBB04311BA5181DF45AE7606CB30FC808B70

Function 00CF5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00CF5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00CF5C6F
MessageBeep.USER32(00000000), ref: 00CF5C87
KillTimer.USER32(?,0000040A), ref: 00CF5CA3
EndDialog.USER32(?,00000001), ref: 00CF5CBD

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 2f3738dfc16b2245b7091753a6e8a0117e30d04aaacb6ce06645cc7288d4ccec
Instruction ID: afef8712d1fc36847bc101c370c5272c2b8278a7be8a773f24f85a25fe6f9e90
Opcode Fuzzy Hash: 2f3738dfc16b2245b7091753a6e8a0117e30d04aaacb6ce06645cc7288d4ccec
Instruction Fuzzy Hash: 60018630510B08ABEB305B10DD4EFBA77B8BF14B06F001559A793E15E1DBF0AE858AA1

Function 00CC22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00CC22BE

Part of subcall function 00CC29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CCD7D1,00000000,00000000,00000000,00000000,?,00CCD7F8,00000000,00000007,00000000,?,00CCDBF5,00000000), ref: 00CC29DE
Part of subcall function 00CC29C8: GetLastError.KERNEL32(00000000,?,00CCD7D1,00000000,00000000,00000000,00000000,?,00CCD7F8,00000000,00000007,00000000,?,00CCDBF5,00000000,00000000), ref: 00CC29F0

_free.LIBCMT ref: 00CC22D0
_free.LIBCMT ref: 00CC22E3
_free.LIBCMT ref: 00CC22F4
_free.LIBCMT ref: 00CC2305

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b45f3c972e06d30870e0039850105b0aa1159a5b3e9c2ca378f997ed64d1131f
Instruction ID: 5b4c8a5206efaaf01f4fadf02c0daee3759b56528c9a03c421a0588df478c808
Opcode Fuzzy Hash: b45f3c972e06d30870e0039850105b0aa1159a5b3e9c2ca378f997ed64d1131f
Instruction Fuzzy Hash: 71F0DA75C513209F8A16AF54FC12E493F65BB18761705150EF810D63B1CBB10951EFB8

Function 00CA95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00CA95D4
StrokeAndFillPath.GDI32(?,?,00CE71F7,00000000,?,?,?), ref: 00CA95F0
SelectObject.GDI32(?,00000000), ref: 00CA9603
DeleteObject.GDI32 ref: 00CA9616
StrokePath.GDI32(?), ref: 00CA9631

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: e8bfa8298fb1df5a6ff5c70af9dc89a593ebe14e752a0823aff4aa30c6b7a133
Instruction ID: 6994d325693975fb0914d92443acfda52aebe0b3769b58c49005fa25d833f5f0
Opcode Fuzzy Hash: e8bfa8298fb1df5a6ff5c70af9dc89a593ebe14e752a0823aff4aa30c6b7a133
Instruction Fuzzy Hash: DEF03C38445305EBEB265F65ED1E7A83B65EB12326F088215F435D52F0C7B08AA2DFB1

Function 00CC0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00CC10F9
__freea.LIBCMT ref: 00CC1117

Part of subcall function 00CC1537: _free.LIBCMT ref: 00CC154F

Strings

a/p, xrefs: 00CC11DE
am/pm, xrefs: 00CC117A

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: ee89657824234b366391d3beafa95e42cd07e746ff6ee7d4ea95c13da438677d
Instruction ID: 51687089a4b1260444ab998338b55a9f5783383f15c3e03bd3067b6073a92757
Opcode Fuzzy Hash: ee89657824234b366391d3beafa95e42cd07e746ff6ee7d4ea95c13da438677d
Instruction Fuzzy Hash: F6D1D035900286CADB249F6AC955FBEB7B0EF07304F2C415DED219B662D2359E81CB91

Function 00D17B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00CB0242: EnterCriticalSection.KERNEL32(00D6070C,00D61884,?,?,00CA198B,00D62518,?,?,?,00C912F9,00000000), ref: 00CB024D
Part of subcall function 00CB0242: LeaveCriticalSection.KERNEL32(00D6070C,?,00CA198B,00D62518,?,?,?,00C912F9,00000000), ref: 00CB028A

Part of subcall function 00C99CB3: _wcslen.LIBCMT ref: 00C99CBD

Part of subcall function 00CB00A3: __onexit.LIBCMT ref: 00CB00A9

__Init_thread_footer.LIBCMT ref: 00D17BFB

Part of subcall function 00CB01F8: EnterCriticalSection.KERNEL32(00D6070C,?,?,00CA8747,00D62514), ref: 00CB0202
Part of subcall function 00CB01F8: LeaveCriticalSection.KERNEL32(00D6070C,?,00CA8747,00D62514), ref: 00CB0235

Strings

Variable must be of type 'Object'., xrefs: 00D17C3A
5, xrefs: 00D17C78
G, xrefs: 00D17C7F

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 89c1764d7d53c9885c9cb29f272b27b6b828f3a69ff48380c3a3a63a223f849b
Instruction ID: 2b71e61b0eed6195a3f64a2b61a52a1d6ebd59b1dfe20bc8575c600a2611271d
Opcode Fuzzy Hash: 89c1764d7d53c9885c9cb29f272b27b6b828f3a69ff48380c3a3a63a223f849b
Instruction Fuzzy Hash: 15918C74A04209EFCB14EF94E8859FDB7B2FF48304F148059F8469B2A1DB71AE85DB61

Function 00CF2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CFB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00CF21D0,?,?,00000034,00000800,?,00000034), ref: 00CFB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00CF2760

Part of subcall function 00CFB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00CF21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00CFB3F8

Part of subcall function 00CFB32A: GetWindowThreadProcessId.USER32(?,?), ref: 00CFB355
Part of subcall function 00CFB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00CF2194,00000034,?,?,00001004,00000000,00000000), ref: 00CFB365
Part of subcall function 00CFB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00CF2194,00000034,?,?,00001004,00000000,00000000), ref: 00CFB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00CF27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00CF281A

Strings

@, xrefs: 00CF2832

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: de2ffa97d4d64f46b52e34ce54020c8f05b4d3037e5cb589308091f75823b14c
Instruction ID: f4fd901c7b32bf2ed247113f248fe16e33865aa382861f1c3b724ade74b576c9
Opcode Fuzzy Hash: de2ffa97d4d64f46b52e34ce54020c8f05b4d3037e5cb589308091f75823b14c
Instruction Fuzzy Hash: 50413D7290021CAFDB50DFA4CD46AEEBBB8EF09300F104055FA55B7191DB706E45DBA1

Function 00CC172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00CC1769
_free.LIBCMT ref: 00CC1834
_free.LIBCMT ref: 00CC183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00CC1760, 00CC1767, 00CC1796, 00CC17CE

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: 005a429e3affed41b73b28f01ff26a51e243179ca8dffe4bd33227e7843deb59
Instruction ID: cbb51f92d4a18c8909614874ad45b71fca62346a9061592e71f07cf3e5a58d7b
Opcode Fuzzy Hash: 005a429e3affed41b73b28f01ff26a51e243179ca8dffe4bd33227e7843deb59
Instruction Fuzzy Hash: B2318575A44218EFDB21DF9AD881E9EBBBCEB86310B18416AE814D7252D6704E40D7A0

Function 00CFC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00CFC306
DeleteMenu.USER32(?,00000007,00000000), ref: 00CFC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00D61990,00F55360), ref: 00CFC395

Strings

0, xrefs: 00CFC2DF

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 0db49b35e95a3e0b1b0db0b09500d0ff64100b12bdf96751e52f7d3192a09c81
Instruction ID: cafeca2c8cb65505464d4c604f8daa6c2129df2d87f347b551497a00d5991e70
Opcode Fuzzy Hash: 0db49b35e95a3e0b1b0db0b09500d0ff64100b12bdf96751e52f7d3192a09c81
Instruction Fuzzy Hash: 7B41B1312043099FD760DF25D984BAABBE4EF85350F00861DFAA5972E1D730E908DB63

Function 00D24416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00D2CC08,00000000,?,?,?,?), ref: 00D244AA
GetWindowLongW.USER32 ref: 00D244C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D244D7

Strings

SysTreeView32, xrefs: 00D2447C

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 4b1eae108190eb256327b86f0562fd1bd0e46d4bff221aabecc7a7eb0385792c
Instruction ID: 4e8bc88aad361fc0383a2df7062dd7a52845980023eb8efedf15aa9a52379536
Opcode Fuzzy Hash: 4b1eae108190eb256327b86f0562fd1bd0e46d4bff221aabecc7a7eb0385792c
Instruction Fuzzy Hash: 18318B31210215AFDB219E38EC45BEA7BA9EB18328F244715FD75A22E0D770EC519B60

Function 00D1304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D1335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00D13077,?,?), ref: 00D13378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00D1307A
_wcslen.LIBCMT ref: 00D1309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00D13106

Strings

255.255.255.255, xrefs: 00D13095, 00D1309A

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 0114a76b3e53398c30e47ffff362b9251b56df05b5bab767809372d30cd86190
Instruction ID: 412c8cd70c3a1db11e0a01f816f1ae7b75a3de76b6c8b807afb9261472eacd23
Opcode Fuzzy Hash: 0114a76b3e53398c30e47ffff362b9251b56df05b5bab767809372d30cd86190
Instruction Fuzzy Hash: 20319235604305AFCB20CF68E585AE977E0EF58314F288099E9159B392DB71EEC5C770

Function 00D23EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00D23F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00D23F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00D23F78

Strings

SysMonthCal32, xrefs: 00D23F0B

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 1ef5242d414bdae9b00c1fb102428d6e152d221100934e614f42f28432b1eec1
Instruction ID: b124f5776c5de38a5e7fde8c74678451ee7ed05f597e0dfdd767ea322c92af74
Opcode Fuzzy Hash: 1ef5242d414bdae9b00c1fb102428d6e152d221100934e614f42f28432b1eec1
Instruction Fuzzy Hash: 5D21DB32600229BBDF218E50EC46FEA3B79EF58728F150214FE15AB1D0C6B5AC559BA0

Function 00D24653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00D24705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00D24713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00D2471A

Strings

msctls_updown32, xrefs: 00D24684

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 98e5fc5ac6ea18b9d79aa52587099b1d73f45a664e3245311770188dbcb3094a
Instruction ID: 4a55cb3eb724fa202ab6ecb7b7655bd7027b72bb8ce77bf7c91d3c8e892e82ff
Opcode Fuzzy Hash: 98e5fc5ac6ea18b9d79aa52587099b1d73f45a664e3245311770188dbcb3094a
Instruction Fuzzy Hash: 73212FB5600215AFDB11DF64ECC1DA637ADEB6A368B140059FA14DB351C771EC11DAB0

Function 00CF95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CF961D

Strings

#notrayicon, xrefs: 00CF95B7
#requireadmin, xrefs: 00CF95D9
#OnAutoItStartRegister, xrefs: 00CF95F3

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 6d90365ef3f0917cdf04a2827052bd4c994d2d57121c750438743569366c39e8
Instruction ID: 2fe18a21264c5cb7923c789a0ef0a206e0f3a4a4ab538a6d6e15a7c5cf66c608
Opcode Fuzzy Hash: 6d90365ef3f0917cdf04a2827052bd4c994d2d57121c750438743569366c39e8
Instruction Fuzzy Hash: F4215B3210412566CBB1AB25DC02FB773ECDF61304F10442AFB59D7041EB71DE45D2A6

Function 00D237B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00D23840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00D23850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00D23876

Strings

Listbox, xrefs: 00D2380F

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 289ed6ecde85b7a012f820678021d7a87d6948c9c03da7e012fa0f0d921c37b4
Instruction ID: 09d2faf7f1db5ec40393db3bc327d73ba7b5e424294ba33651dfe3f26a71a200
Opcode Fuzzy Hash: 289ed6ecde85b7a012f820678021d7a87d6948c9c03da7e012fa0f0d921c37b4
Instruction Fuzzy Hash: 9621D172610228BBEF218F54EC85FBB776EEFA9758F148124F9009B190C675DC528BB0

Function 00D049F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D04A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00D04A5C
SetErrorMode.KERNEL32(00000000,?,?,00D2CC08), ref: 00D04AD0

Strings

%lu, xrefs: 00D04A6F

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 1cea064f56c2509428e42aa3ef19e9d007129518ac5f8cd68ce3742b77068537
Instruction ID: 16d6ffb73d513c358a4f71edbdd8e5d4394b8da55f369f374e1a81ad2ef8b644
Opcode Fuzzy Hash: 1cea064f56c2509428e42aa3ef19e9d007129518ac5f8cd68ce3742b77068537
Instruction Fuzzy Hash: 65310C75A00209AFDB10DF54C985EAA7BF8EF09308F1480A9E909DB252D771EE46DB71

Function 00D241EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00D2424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00D24264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00D24271

Strings

msctls_trackbar32, xrefs: 00D24226

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 124d31d830bc3d3c4ebe0ff64885204239f0ec2bdfe2bc7ddb589659f2e38a46
Instruction ID: 0438ffac5a1a2d7ceeeeb3afbed567b540c8bc4ebaf833a794c33a8a3830a624
Opcode Fuzzy Hash: 124d31d830bc3d3c4ebe0ff64885204239f0ec2bdfe2bc7ddb589659f2e38a46
Instruction Fuzzy Hash: 2511E331240318BEEF215E29DC06FAB3BACEFA5B58F110114FE55E20A0D2B1DC219B34

Function 00CF2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C96B57: _wcslen.LIBCMT ref: 00C96B6A

Part of subcall function 00CF2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00CF2DC5
Part of subcall function 00CF2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00CF2DD6
Part of subcall function 00CF2DA7: GetCurrentThreadId.KERNEL32 ref: 00CF2DDD
Part of subcall function 00CF2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00CF2DE4

GetFocus.USER32 ref: 00CF2F78

Part of subcall function 00CF2DEE: GetParent.USER32(00000000), ref: 00CF2DF9

GetClassNameW.USER32(?,?,00000100), ref: 00CF2FC3
EnumChildWindows.USER32(?,00CF303B), ref: 00CF2FEB

Strings

%s%d, xrefs: 00CF2FFF

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 53428c4f0e53f9a62874a7d46857af965471923e4707bdb4062c2a5861ca34f5
Instruction ID: fdc52f15a52dae41630fbd0585a0de7d227b8b69762c2ab2f47e5e636d509144
Opcode Fuzzy Hash: 53428c4f0e53f9a62874a7d46857af965471923e4707bdb4062c2a5861ca34f5
Instruction Fuzzy Hash: 1611B4716002096BCF547F709C85EFD376AAF94304F044075FE099B292DE709A4AEB71

Function 00CF007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8faf3f39a1ed3396ae039bb19c94c12890bf407df84e51fa673cdc7e2c4af12b
Instruction ID: 26b501eb2d5300e6ea6a67b20e3f08aafd3babb6988200fafe4b94f7d23f6669
Opcode Fuzzy Hash: 8faf3f39a1ed3396ae039bb19c94c12890bf407df84e51fa673cdc7e2c4af12b
Instruction Fuzzy Hash: BBC15D75A0020AEFDB54CF94C898ABEB7B5FF48704F208598E515EB252D731EE41CB91

Function 00CC3E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00CC3F0B
__alldvrm.LIBCMT ref: 00CC410C
__alldvrm.LIBCMT ref: 00CC412E

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: eeea7212136bf57eeddac3814971ce9e1786244896edb209602cda337b9e635b
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 55A16871D003869FDB29CF58C8A1FAEBBF5EF61350F1881ADE9959B281C6348E81C750

Function 00D1342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00D13459
CoUninitialize.OLE32 ref: 00D13463
VariantInit.OLEAUT32(?), ref: 00D1346E
VariantClear.OLEAUT32(?), ref: 00D1371B

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 5917b05152eadf02c2b28d3133fea90e23925736eabfc30666de42ff9dc4c550
Instruction ID: c98e8c333f2d0f570407587dc590fc73ce2b56f679db8f6716c23f7df106bdab
Opcode Fuzzy Hash: 5917b05152eadf02c2b28d3133fea90e23925736eabfc30666de42ff9dc4c550
Instruction Fuzzy Hash: 8BA18075604300AFDB00DF28D485A6AB7E5FF88714F05895DF98A9B362DB30EE41DBA1

Function 00CF0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00D2FC08,?), ref: 00CF05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00D2FC08,?), ref: 00CF0608
CLSIDFromProgID.OLE32(?,?,00000000,00D2CC40,000000FF,?,00000000,00000800,00000000,?,00D2FC08,?), ref: 00CF062D
_memcmp.LIBVCRUNTIME ref: 00CF064E

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 191029cb42ca806b1006c38d87a2ef8a52c9bb9ac2dc57bfeaaf64bdb172c5ef
Instruction ID: c6e5db622b06bd90af06150b14bd4cf50e55fd8e32c72e2c0ae3a149564c4d54
Opcode Fuzzy Hash: 191029cb42ca806b1006c38d87a2ef8a52c9bb9ac2dc57bfeaaf64bdb172c5ef
Instruction Fuzzy Hash: BF813871A00109EFCB04DF94C988EEEB7B9FF89715F204158E616EB251DB71AE06CB61

Function 00D1A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00D1A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00D1A6BA

Part of subcall function 00C99CB3: _wcslen.LIBCMT ref: 00C99CBD

Process32NextW.KERNEL32(00000000,?), ref: 00D1A79C
CloseHandle.KERNEL32(00000000), ref: 00D1A7AB

Part of subcall function 00CACE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00CD3303,?), ref: 00CACE8A

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 0528ee3ca04cfa49ec669c0f1bd7f96a6752fa94e4b14d8c32203cd3f575dd8d
Instruction ID: 51a76617839551c3ff21864bfae514ffab805537a097e3cda68a589dde276529
Opcode Fuzzy Hash: 0528ee3ca04cfa49ec669c0f1bd7f96a6752fa94e4b14d8c32203cd3f575dd8d
Instruction Fuzzy Hash: 25514C71508301AFD710EF28D886A6FBBE8FF89754F40491DF589972A1EB30D904DBA2

Function 00CD1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00CD14C0

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 5890a17f21505a0452dc984ee194c4b31929e5d9608e9f450cc0ba638cac8191
Instruction ID: eb2d65d9e42a12c6970ce9fe11d73c206af35fd038966827c955b48da498a4dd
Opcode Fuzzy Hash: 5890a17f21505a0452dc984ee194c4b31929e5d9608e9f450cc0ba638cac8191
Instruction Fuzzy Hash: 49413C35A005107BDB256FB9DC46BBE3AA4EF41330F1C422BFE29D6391E67489416272

Function 00D26278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00D262E2
ScreenToClient.USER32(?,?), ref: 00D26315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00D26382

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 5218d49105968512bfc35cbea57904f1910eb76be84e619083bfcf6d1f8553ca
Instruction ID: f7498922cfeae0b97aa826bfdbbdd432e8f20d0f331f3d39510dfc377b45c63d
Opcode Fuzzy Hash: 5218d49105968512bfc35cbea57904f1910eb76be84e619083bfcf6d1f8553ca
Instruction Fuzzy Hash: 73511B74900219EFDF20DF64E8809AE7BB5EF65364F188159F825D72A0D731ED41CBA0

Function 00D11AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00D11AFD
WSAGetLastError.WSOCK32 ref: 00D11B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00D11B8A
WSAGetLastError.WSOCK32 ref: 00D11B94

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: ef2d8b6d477b4cda2beb2d2a0b657cf0b3b7586b527ccea46f66a9ef4d92397e
Instruction ID: 334997515db205e48a84900603e5fd51aa6a9f621aad99817ec6eae8992ce1d1
Opcode Fuzzy Hash: ef2d8b6d477b4cda2beb2d2a0b657cf0b3b7586b527ccea46f66a9ef4d92397e
Instruction Fuzzy Hash: 9C41C6396002006FDB20AF24D886F6977E5AB45718F54C458F6199F3D2DB72ED81DBA0

Function 00CCB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a7ab92ec953daede8af29757e641e1838e605ff7d906b220e6f1e41a66974cb
Instruction ID: 061807b4adf0184e5083c488f530bf8396e42d77a0274cf161f75e8c66998788
Opcode Fuzzy Hash: 8a7ab92ec953daede8af29757e641e1838e605ff7d906b220e6f1e41a66974cb
Instruction Fuzzy Hash: D541D075A04314AFD728DFB8CC42FAABBA9EB88710F10452EF551DB682D7719A019B90

Function 00D056D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00D05783
GetLastError.KERNEL32(?,00000000), ref: 00D057A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00D057CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00D057FA

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: b1b84c2baf64e81fe246bc2afe86465283981c644d253859e2cf0b9d39c29b8f
Instruction ID: 15bf0fe9b3b45234caf1d3b8641b20326a5797989af6d52dabef7a505af485d4
Opcode Fuzzy Hash: b1b84c2baf64e81fe246bc2afe86465283981c644d253859e2cf0b9d39c29b8f
Instruction Fuzzy Hash: 4E41F935614610DFCB11DF55C548A5EBBE6AF89320B198488EC4AAB362CB34FD41DBA1

Function 00CCD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00CB6D71,00000000,00000000,00CB82D9,?,00CB82D9,?,00000001,00CB6D71,8BE85006,00000001,00CB82D9,00CB82D9), ref: 00CCD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00CCD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00CCD9AB
__freea.LIBCMT ref: 00CCD9B4

Part of subcall function 00CC3820: RtlAllocateHeap.NTDLL(00000000,?,00D61444,?,00CAFDF5,?,?,00C9A976,00000010,00D61440,00C913FC,?,00C913C6,?,00C91129), ref: 00CC3852

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 8fafb1274993a6838a86176cef2bbd6d3c81efd0b196afa532bdb509ca948235
Instruction ID: f4bcce097eaa22b8012d6702b3f19b03cdcbcb90e31d26dea6baefa44acb999e
Opcode Fuzzy Hash: 8fafb1274993a6838a86176cef2bbd6d3c81efd0b196afa532bdb509ca948235
Instruction Fuzzy Hash: BF31FC72A1020AABDF24CF65DC81EAE7BA5EB40310F05426CFC15D7290EB35CE50CBA0

Function 00D252C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00D25352
GetWindowLongW.USER32(?,000000F0), ref: 00D25375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D25382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00D253A8

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 2ac4d0ad50dd8ceeef0679f4dda7be774c23bdb615d3d8ac4e045c46b5913e0e
Instruction ID: 5a9fdc1a5e0ae054821c8ff7f2398ae866a7b36c17f49f6c807c53c741cee707
Opcode Fuzzy Hash: 2ac4d0ad50dd8ceeef0679f4dda7be774c23bdb615d3d8ac4e045c46b5913e0e
Instruction Fuzzy Hash: 4731E334A55A28EFEB30DE14FC06FE83761AB25398F5C6002FA51D62E4C7B1AD409B71

Function 00CFAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00CFABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00CFAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00CFAC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00CFACC6

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 8c85f9d05938cc90c187eac220caac04904fa8ec322a867484f0c181a0f5c3d1
Instruction ID: e35593821fbfc8340f65866df6c170f139a01e1d711a655b11fbfca6da914fa0
Opcode Fuzzy Hash: 8c85f9d05938cc90c187eac220caac04904fa8ec322a867484f0c181a0f5c3d1
Instruction Fuzzy Hash: E43128B0A0071C6FEF74CB658C047FEBBB5AB49310F04421AE699922D0C3768E859763

Function 00D27674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00D2769A
GetWindowRect.USER32(?,?), ref: 00D27710
PtInRect.USER32(?,?,00D28B89), ref: 00D27720
MessageBeep.USER32(00000000), ref: 00D2778C

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 87168b14847f50fcc068833fc969571034536a98c8d1ed1d14046c02b6960589
Instruction ID: 382bb78fbd6390d0896f9a02c60ae7387459d8377581451e6b86d6dc197ba008
Opcode Fuzzy Hash: 87168b14847f50fcc068833fc969571034536a98c8d1ed1d14046c02b6960589
Instruction Fuzzy Hash: C1418B386052259FCB21CF58E894EA977F4FB68309F1840A9E824DB361C371E942CFB0

Function 00D216DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00D216EB

Part of subcall function 00CF3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00CF3A57
Part of subcall function 00CF3A3D: GetCurrentThreadId.KERNEL32 ref: 00CF3A5E
Part of subcall function 00CF3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00CF25B3), ref: 00CF3A65

GetCaretPos.USER32(?), ref: 00D216FF
ClientToScreen.USER32(00000000,?), ref: 00D2174C
GetForegroundWindow.USER32 ref: 00D21752

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 509a3cd94797bda76d7bfdabf67dfb122b4d74e4fc2d2524b8ad906bafa19dae
Instruction ID: 674a61d5b96716b81c84322a66ae38be61301ad6e13607abb6814e97881ccaaf
Opcode Fuzzy Hash: 509a3cd94797bda76d7bfdabf67dfb122b4d74e4fc2d2524b8ad906bafa19dae
Instruction Fuzzy Hash: 27315275D00249AFCB10EFAAC8C5CAEB7F9EF98304B548069E415E7251E731DE45DBA0

Function 00CFDF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00C97620: _wcslen.LIBCMT ref: 00C97625

_wcslen.LIBCMT ref: 00CFDFCB
_wcslen.LIBCMT ref: 00CFDFE2
_wcslen.LIBCMT ref: 00CFE00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00CFE018

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 6b0f6d9412cd91e637ac59ae5093bb9b2482238c50889cd6f5a6ce24a258674d
Instruction ID: d6403f04f613f2def05e8598cae16be9cd022a19774f6f0f9d106c4ff0cb7982
Opcode Fuzzy Hash: 6b0f6d9412cd91e637ac59ae5093bb9b2482238c50889cd6f5a6ce24a258674d
Instruction Fuzzy Hash: 2B21A171D00219AFCB219FA8D981BBEB7F8EF45750F144065E905BB282D6709E41DBA2

Function 00D28FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CA9BB2

GetCursorPos.USER32(?), ref: 00D29001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00CE7711,?,?,?,?,?), ref: 00D29016
GetCursorPos.USER32(?), ref: 00D2905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00CE7711,?,?,?), ref: 00D29094

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 3d36bed01ed1471c85936447c0555d3813d536e9246fcf9ead7d123420d2474b
Instruction ID: 7f673177f7821b102a597c754ddcb1e0b529f41e9240292528a667334914677f
Opcode Fuzzy Hash: 3d36bed01ed1471c85936447c0555d3813d536e9246fcf9ead7d123420d2474b
Instruction Fuzzy Hash: AA21AD35600128AFCB258FA4D868EEABBB9FF89354F084155F90587261C3319D50DB70

Function 00CFD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00D2CB68), ref: 00CFD2FB
GetLastError.KERNEL32 ref: 00CFD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00CFD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00D2CB68), ref: 00CFD376

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: ccdb37b243c599930a3b22b4acc3ced778844dcf211e9ca72370024ed4a5660b
Instruction ID: 785f43e349faf1160e1d15d910d970fe6de1d68b9d13eef6999b052b62355acd
Opcode Fuzzy Hash: ccdb37b243c599930a3b22b4acc3ced778844dcf211e9ca72370024ed4a5660b
Instruction Fuzzy Hash: E8219C705083059F8710DF28C88586E77E5EF5A324F104A1DF6AAC32A1DB30DE4ACB93

Function 00CF1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00CF102A
Part of subcall function 00CF1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00CF1036
Part of subcall function 00CF1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00CF1045
Part of subcall function 00CF1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00CF104C
Part of subcall function 00CF1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00CF1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00CF15BE
_memcmp.LIBVCRUNTIME ref: 00CF15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CF1617
HeapFree.KERNEL32(00000000), ref: 00CF161E

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: f42e68828d3e3d3296bbc621e0305980fa511b791eabc791a9a001d50444ecb5
Instruction ID: 677ad4a60794a0bfb5666a25f3a94949b4baa4f5de9082dae8c79f9b13c4a698
Opcode Fuzzy Hash: f42e68828d3e3d3296bbc621e0305980fa511b791eabc791a9a001d50444ecb5
Instruction Fuzzy Hash: 07216631E00208EFDF50DFA4C945BFEB7B8EF54354F094459E951AB241E731AA05DBA1

Function 00D22782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00D2280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00D22824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00D22832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00D22840

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 1133099255a478c9c08a11771772cee8342b2c36f3fa9996614479b96015b905
Instruction ID: 29e9940c076c4b2b01d7b0bd6c0b0d6298bb0bd957386c2d406d0acc6fb9f039
Opcode Fuzzy Hash: 1133099255a478c9c08a11771772cee8342b2c36f3fa9996614479b96015b905
Instruction Fuzzy Hash: 8C219231208521BFD7149B24D845F7AB795AF65328F148158F426CB6A2C775EC42C7A0

Function 00CF78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00CF790A,?,000000FF,?,00CF8754,00000000,?,0000001C,?,?), ref: 00CF8D8C
Part of subcall function 00CF8D7D: lstrcpyW.KERNEL32(00000000,?,?,00CF790A,?,000000FF,?,00CF8754,00000000,?,0000001C,?,?,00000000), ref: 00CF8DB2
Part of subcall function 00CF8D7D: lstrcmpiW.KERNEL32(00000000,?,00CF790A,?,000000FF,?,00CF8754,00000000,?,0000001C,?,?), ref: 00CF8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00CF8754,00000000,?,0000001C,?,?,00000000), ref: 00CF7923
lstrcpyW.KERNEL32(00000000,?,?,00CF8754,00000000,?,0000001C,?,?,00000000), ref: 00CF7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00CF8754,00000000,?,0000001C,?,?,00000000), ref: 00CF7984

Strings

cdecl, xrefs: 00CF797B

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 00ceea762e434cbb4da78efb539a79dc0fe306782726ac4647f4b773f96ca6d7
Instruction ID: 2109e3a6ad57e9f2e2035983d53ad45cfd3c6b40dfd60db9eac97c256d82d15c
Opcode Fuzzy Hash: 00ceea762e434cbb4da78efb539a79dc0fe306782726ac4647f4b773f96ca6d7
Instruction Fuzzy Hash: CC11063A200306ABDF25AF34DC45D7A77A5FF55350B40412AFA02C73A4EB719E12D7A2

Function 00D27CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00D27D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00D27D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00D27D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00D0B7AD,00000000), ref: 00D27D6B

Part of subcall function 00CA9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CA9BB2

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: e6459b04bb7d8b53ad7d600738e56ea65dc31aa82b338a7d65cb8b881df05220
Instruction ID: b425ea7634022959889b082cb0af77d0d9055d08ce227f40a38925021569fab0
Opcode Fuzzy Hash: e6459b04bb7d8b53ad7d600738e56ea65dc31aa82b338a7d65cb8b881df05220
Instruction Fuzzy Hash: 9111CD35214625AFCB208F28EC04AAA3BA5AF59364B194724F839C72F0D730DD52DB70

Function 00CC1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d957806a9d4eb0773cdf9c925442e286f2c98b1d5713fa75eba00c6691214771
Instruction ID: 02b89212e8ed7a94f9e66f5acac2a63075d08caa4d3a8370132ec64d1992161d
Opcode Fuzzy Hash: d957806a9d4eb0773cdf9c925442e286f2c98b1d5713fa75eba00c6691214771
Instruction Fuzzy Hash: 53018FB2605B163EF622167AACC1F2B661CDF423B8B39032DF932912D6DB608D0051B0

Function 00CF1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00CF1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00CF1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00CF1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00CF1A8A

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7e93453243d018d56cf842c3e592f0b9ba761b307602e25e9b9c4135ea83468a
Instruction ID: 39d141dbf286e930b0ba78d04cdcb1291e183bd7a297da7d880688802c1b57b8
Opcode Fuzzy Hash: 7e93453243d018d56cf842c3e592f0b9ba761b307602e25e9b9c4135ea83468a
Instruction Fuzzy Hash: C311393AD01219FFEB10DBA5CD85FADBB78EB08750F240091EA00B7290D6716F50EB94

Function 00CFE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00CFE1FD
MessageBoxW.USER32(?,?,?,?), ref: 00CFE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00CFE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00CFE24D

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 31b4c5ea8b1c83c6204629ec359ee0e57e97c992a970f9380bcf3d5e61103715
Instruction ID: a4cd5c9614c44885d54a297d089f5130c829fa229f389373e54000c6247a8541
Opcode Fuzzy Hash: 31b4c5ea8b1c83c6204629ec359ee0e57e97c992a970f9380bcf3d5e61103715
Instruction Fuzzy Hash: 05112676904358BBD7119FA89C09BAE7FACAB55320F144625F925E33A1E2B0CE0087B1

Function 00CBD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00CBCFF9,00000000,00000004,00000000), ref: 00CBD218
GetLastError.KERNEL32 ref: 00CBD224
__dosmaperr.LIBCMT ref: 00CBD22B
ResumeThread.KERNEL32(00000000), ref: 00CBD249

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: c7efae744a28e86a06afeadf8643fbcadea3e273cf498ae311f256c0cff1e017
Instruction ID: bfb05e2766b9bc353f81abfcdb95303380bcfcd1539a9b52c91bb09eda9c5a2a
Opcode Fuzzy Hash: c7efae744a28e86a06afeadf8643fbcadea3e273cf498ae311f256c0cff1e017
Instruction Fuzzy Hash: 5801D6764052047BCB216BA5DC05BEF7A69DF81331F100219F926921D0EB718D01D7A2

Function 00D29EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00CA9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CA9BB2

GetClientRect.USER32(?,?), ref: 00D29F31
GetCursorPos.USER32(?), ref: 00D29F3B
ScreenToClient.USER32(?,?), ref: 00D29F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00D29F7A

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 19167d6df9ccdbadc74eaacecea2359e7545fa7b3d2ebe9aef140da17a910dfd
Instruction ID: 6ad68cd6582d5d964b67416fada7cf68e298606faedbf18797c1703d858ecf27
Opcode Fuzzy Hash: 19167d6df9ccdbadc74eaacecea2359e7545fa7b3d2ebe9aef140da17a910dfd
Instruction Fuzzy Hash: 5D115A3290022AABDB60DF68E9959EEB7B8FF55315F040451F911E3250D330BE82CBB1

Function 00C9600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C9604C
GetStockObject.GDI32(00000011), ref: 00C96060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00C9606A

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 4b6a158aaeb043652cf629f41bc6d699b1e736da4cf65e02a97e4d8c65c30443
Instruction ID: 6e32c3bbf2474b196d935e13795fdc364575dc76fc812bde8d2d6ae779f9db78
Opcode Fuzzy Hash: 4b6a158aaeb043652cf629f41bc6d699b1e736da4cf65e02a97e4d8c65c30443
Instruction Fuzzy Hash: F311A172501608BFEF224F948C88EEABF69EF18794F041106FA1492250C7329C60DBA0

Function 00CB3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00CB3B56

Part of subcall function 00CB3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00CB3AD2
Part of subcall function 00CB3AA3: ___AdjustPointer.LIBCMT ref: 00CB3AED

_UnwindNestedFrames.LIBCMT ref: 00CB3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00CB3B7C
CallCatchBlock.LIBVCRUNTIME ref: 00CB3BA4

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 7b64739941ab4e551648842bd0d6e454b82a8adcf3c1a6b3fdc0c903c1b215de
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: F7014C32100188BBDF126E95DC42EEB7F6EFF48754F044014FE5896121C732E961EBA0

Function 00CC3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00C913C6,00000000,00000000,?,00CC301A,00C913C6,00000000,00000000,00000000,?,00CC328B,00000006,FlsSetValue), ref: 00CC30A5
GetLastError.KERNEL32(?,00CC301A,00C913C6,00000000,00000000,00000000,?,00CC328B,00000006,FlsSetValue,00D32290,FlsSetValue,00000000,00000364,?,00CC2E46), ref: 00CC30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00CC301A,00C913C6,00000000,00000000,00000000,?,00CC328B,00000006,FlsSetValue,00D32290,FlsSetValue,00000000), ref: 00CC30BF

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: f58eead84d9c2b4d0564b4df0bb2330ea07bfe5167672c56202a05cf789ee5cc
Instruction ID: 20bd94eb34d81515ec391a9921c8e5944841021210c7f49442f60e99ded6d3a0
Opcode Fuzzy Hash: f58eead84d9c2b4d0564b4df0bb2330ea07bfe5167672c56202a05cf789ee5cc
Instruction Fuzzy Hash: 5001B533711762ABC7314A69FC44E677B98AF45761B108628E916D3280C721DE0186E0

Function 00CF7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00CF747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00CF7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00CF74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00CF74CA

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: fa11497aa72d43e7ee5d49fee6970d512825794f81eba168731e48a9405010d5
Instruction ID: 8e000f7d9753a11c382fd5f96a993d3c93d7e6b526c9cafdb07dcf8f94fe3d98
Opcode Fuzzy Hash: fa11497aa72d43e7ee5d49fee6970d512825794f81eba168731e48a9405010d5
Instruction Fuzzy Hash: BE11ADB1205319ABE7309F14EC09BA67FFCEB00B00F108669E616D7191D7B0E945DFA2

Function 00CFB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00CFACD3,?,00008000), ref: 00CFB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00CFACD3,?,00008000), ref: 00CFB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00CFACD3,?,00008000), ref: 00CFB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00CFACD3,?,00008000), ref: 00CFB126

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: ff211744ac9dcf61d5c5d892952805e2fff81fbb82a2f2ed089556acd8cd9aae
Instruction ID: a224e5267bef5ce7b4314d76e775238a7ff6b7f1e6e0c54463c4e3cc7dee945e
Opcode Fuzzy Hash: ff211744ac9dcf61d5c5d892952805e2fff81fbb82a2f2ed089556acd8cd9aae
Instruction Fuzzy Hash: BC115B71D01A2DE7CF10AFE5E969AFEBB78FF19711F108085DA51B2281CB305A518B62

Function 00D27E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00D27E33
ScreenToClient.USER32(?,?), ref: 00D27E4B
ScreenToClient.USER32(?,?), ref: 00D27E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D27E8A

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 990a3f29f79de812d2646dd22d95ec494fc0e9a9e3f734651951b89ad074d366
Instruction ID: 876172116dbc6d3d23cc3cd21d5f3625e0dec85f366a7c356699720aad2152d2
Opcode Fuzzy Hash: 990a3f29f79de812d2646dd22d95ec494fc0e9a9e3f734651951b89ad074d366
Instruction Fuzzy Hash: 451143B9D0420AAFDB51CF98D8849EEBBF5FF18310F505056E915E3210D735AA55CFA0

Function 00CF2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00CF2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00CF2DD6
GetCurrentThreadId.KERNEL32 ref: 00CF2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00CF2DE4

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 804b931246276a8d9c16e860db46e2f6f50e9894f50f7da206a130e4d73eb8b6
Instruction ID: b529eab0922ab81e11c2b2deefe1441e68e84e7133f8f8513cafa50c03e9207f
Opcode Fuzzy Hash: 804b931246276a8d9c16e860db46e2f6f50e9894f50f7da206a130e4d73eb8b6
Instruction Fuzzy Hash: BBE06D712117287BE7301B629C0EFFB7E6CEB62BA2F401115B205D11909AA48942C6B1

Function 00D28863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00CA9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00CA9693
Part of subcall function 00CA9639: SelectObject.GDI32(?,00000000), ref: 00CA96A2
Part of subcall function 00CA9639: BeginPath.GDI32(?), ref: 00CA96B9
Part of subcall function 00CA9639: SelectObject.GDI32(?,00000000), ref: 00CA96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00D28887
LineTo.GDI32(?,?,?), ref: 00D28894
EndPath.GDI32(?), ref: 00D288A4
StrokePath.GDI32(?), ref: 00D288B2

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 989778a75750a462dac0aba1f64274449b774099f782e00f684ae1423883bfbe
Instruction ID: 431507b2dcdf13d60fed6b784cc5e082e800f63d6de0d6f9523719340044990e
Opcode Fuzzy Hash: 989778a75750a462dac0aba1f64274449b774099f782e00f684ae1423883bfbe
Instruction Fuzzy Hash: 5FF05435041755F6EB225F94AD0AFCE3F59AF16314F048001FA11A51E1C7B55911DFF5

Function 00CA98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00CA98CC
SetTextColor.GDI32(?,?), ref: 00CA98D6
SetBkMode.GDI32(?,00000001), ref: 00CA98E9
GetStockObject.GDI32(00000005), ref: 00CA98F1

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: aa34af1bc39d000a7759a3b28e2d4c375626a336ff3532ae720e56d139a1bc17
Instruction ID: 107947d0f64c007d5aec86615c37664ad12bf92d0f98ff74c4bccee3734eb112
Opcode Fuzzy Hash: aa34af1bc39d000a7759a3b28e2d4c375626a336ff3532ae720e56d139a1bc17
Instruction Fuzzy Hash: EFE06531254780AADB325B75EC0ABDD3F10EB62336F049319F6F9941E1C3714A519B21

Function 00CF162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00CF1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00CF11D9), ref: 00CF163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00CF11D9), ref: 00CF1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00CF11D9), ref: 00CF164F

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 725a3fc4853251b6b8efab95593e8eb4b50f396772c9a68d2dc8d736d8f3f684
Instruction ID: 41ecf6447b00d1ca9316b471ef441903f7b659418f0410a3e7d11e30d8df8a8e
Opcode Fuzzy Hash: 725a3fc4853251b6b8efab95593e8eb4b50f396772c9a68d2dc8d736d8f3f684
Instruction Fuzzy Hash: 9BE08631611311DBD7701FA09E0DB5A3B7CEF64791F185808F745CA080D6344942C775

Function 00CED858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00CED858
GetDC.USER32(00000000), ref: 00CED862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00CED882
ReleaseDC.USER32(?), ref: 00CED8A3

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 2a0fc0a5ec427e433fce7a097109b60b4d91e7be2e11f920b8cb497fa2461dcf
Instruction ID: 5f5a5b2904daa30d8ecf78383d10cf588d4c0cdd49a922fb79debbdf0455f94e
Opcode Fuzzy Hash: 2a0fc0a5ec427e433fce7a097109b60b4d91e7be2e11f920b8cb497fa2461dcf
Instruction Fuzzy Hash: 99E0E5B1810305DFCB619FA1990866DBBB1EB18711B109009F806E7360D7384902AFA0

Function 00CED86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00CED86C
GetDC.USER32(00000000), ref: 00CED876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00CED882
ReleaseDC.USER32(?), ref: 00CED8A3

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 2cfe94b057b315d75b4aa1baa5b06683333d67341df21cf86fcd71f236e8622a
Instruction ID: bae1b08e64ae10b7c69130093f5f16b47ccc6682450c7c49b48b062f9711660c
Opcode Fuzzy Hash: 2cfe94b057b315d75b4aa1baa5b06683333d67341df21cf86fcd71f236e8622a
Instruction Fuzzy Hash: F3E01A71C10300DFCF609FA0D80C66DBBB1FB18711B109008F80AE7360D7385902AF60

Function 00D04D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00C97620: _wcslen.LIBCMT ref: 00C97625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00D04ED4

Strings

*, xrefs: 00D04E10
LPT, xrefs: 00D04DFB

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 92b7d06a10238368c815265fb3ceb470c5a762e349c78c8db2d8ce1a23c8bca2
Instruction ID: ca22cd68d57f5956837e7d7cd7af7197161f480d6b4b34e47f028ff75e80e90d
Opcode Fuzzy Hash: 92b7d06a10238368c815265fb3ceb470c5a762e349c78c8db2d8ce1a23c8bca2
Instruction Fuzzy Hash: D89163B59042059FCB14DF58C484FAABBF1BF44304F198099E94A9F3A2D731ED85CBA1

Function 00CAE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00CAE1B1

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 8a7284816d92d938aafeac30bcb75041d3b3bb3fb6c518b1a2b2dfcb64f7843a
Instruction ID: 172883210a3af04c18e575bab6b09a6b228de7a3a98e39b97cc484a49eecdb89
Opcode Fuzzy Hash: 8a7284816d92d938aafeac30bcb75041d3b3bb3fb6c518b1a2b2dfcb64f7843a
Instruction Fuzzy Hash: DE516735500386DFDF24DF6AC485AFA7BA8EF66350F244159ECA19B2D0D7309E42DBA0

Function 00CAF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00CAF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00CAF2BB

Strings

@, xrefs: 00CAF2AF

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 3c94c979d03fea2d8a9ca7abc693a9d168038e85ddecefd0a68e0d2f0dd4f7de
Instruction ID: d1ca65f4dca91f413530b75e0268ffad5b17962cb9016f23029fd831bf942bb1
Opcode Fuzzy Hash: 3c94c979d03fea2d8a9ca7abc693a9d168038e85ddecefd0a68e0d2f0dd4f7de
Instruction Fuzzy Hash: 655158724187449BD720AF54DC8ABAFBBF8FF85300F81484CF1D981195EB708569CB66

Function 00D15745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00D157E0
_wcslen.LIBCMT ref: 00D157EC

Strings

CALLARGARRAY, xrefs: 00D157E6, 00D157EB

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: d94f1b320b3f4bcb90e56008737b155f691b6b4602f522ae6bf62bf0fa066971
Instruction ID: 40944a5ab63c71e2972087fc5bafb7863ddd8065cacf76ff3b771757eb868b74
Opcode Fuzzy Hash: d94f1b320b3f4bcb90e56008737b155f691b6b4602f522ae6bf62bf0fa066971
Instruction Fuzzy Hash: A341D131E0010AEFCB14DFA8E8858FEBBB4FF99314F144069E505A7295DB349D81DBA0

Function 00D0D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D0D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00D0D13A

Strings

|, xrefs: 00D0D10B

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: cdf795d4dd2ef8d56bcaf5f583d5de0642e827056c31ee7ce7a8c488b853e0a6
Instruction ID: 11797b9b253a35c4cbaa5b43aeb7e7b65c19d4a7cfbe9c9ee2bf1df9acc5f5a9
Opcode Fuzzy Hash: cdf795d4dd2ef8d56bcaf5f583d5de0642e827056c31ee7ce7a8c488b853e0a6
Instruction Fuzzy Hash: 28311D71D00219ABCF15EFA5CC85AEE7FBAFF04340F100059F819A61A6DB31AA56DB60

Function 00D2356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00D23621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00D2365C

Strings

static, xrefs: 00D235BC

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 6cd1349c7b0dcb9cfbf3eccfd4b82805c1ad71e9ff4eac50c112dec2883531bb
Instruction ID: 27a583383328c6eb6a77aec5310d6ff9c58208b0a83c9a394adde218588aa754
Opcode Fuzzy Hash: 6cd1349c7b0dcb9cfbf3eccfd4b82805c1ad71e9ff4eac50c112dec2883531bb
Instruction Fuzzy Hash: 8E31AF71110614AEDB209F28EC80FBB73A9FF58728F109619F8A5D7290DA34AD91D770

Function 00D24537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00D2461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00D24634

Strings

', xrefs: 00D2458E

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 219aec10ef7ab675213c1fef3e8be11036fc30e58a5be969189a45e2f2670271
Instruction ID: c2bfd679c9ff054c0824788a531fa085367374c2d4df9731a72d992bd22b0c62
Opcode Fuzzy Hash: 219aec10ef7ab675213c1fef3e8be11036fc30e58a5be969189a45e2f2670271
Instruction Fuzzy Hash: 17312574A0132A9FDB14CFA9D980BDABBB5FF19304F14406AED44AB391D771A941CFA0

Function 00D231EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00D2327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D23287

Strings

Combobox, xrefs: 00D23249

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: b86627788556844b153e07147ff6b8439c1ca7fdaee8ce708f7cc407090bf17f
Instruction ID: 7c65d4cb8bc6d131034c100348e91901f4aac3ede598cdad42162b8357ce9471
Opcode Fuzzy Hash: b86627788556844b153e07147ff6b8439c1ca7fdaee8ce708f7cc407090bf17f
Instruction Fuzzy Hash: 9311E271300218BFEF219E54EC84EBB3B6AEFA4368F240124F918A7290D6359D519770

Function 00D23710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00C9600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C9604C
Part of subcall function 00C9600E: GetStockObject.GDI32(00000011), ref: 00C96060
Part of subcall function 00C9600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C9606A

GetWindowRect.USER32(00000000,?), ref: 00D2377A
GetSysColor.USER32(00000012), ref: 00D23794

Strings

static, xrefs: 00D23757

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: fffb46d0d0a10977edf51274a261320c33fbf579e72c48852e674f5796669564
Instruction ID: 04487adcc1c0b567866e111785d3156fd0147f817d58226a587d32964e54541a
Opcode Fuzzy Hash: fffb46d0d0a10977edf51274a261320c33fbf579e72c48852e674f5796669564
Instruction Fuzzy Hash: D51159B2610219AFDF00DFA8DC45AEE7BB8FB18308F005514F955E3250D774E8119B60

Function 00D0CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00D0CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00D0CDA6

Strings

<local>, xrefs: 00D0CD66

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 592a07b933e83c93cdadfbfc5eb7b05d80bcf173d093ffcda0429b17cb8d1c8b
Instruction ID: 7a106558e6c45263c54dd1ddee9acbb8300438fef1fed73fbfefb36a4d90b4e9
Opcode Fuzzy Hash: 592a07b933e83c93cdadfbfc5eb7b05d80bcf173d093ffcda0429b17cb8d1c8b
Instruction Fuzzy Hash: F211A071225631BAD7384B668C49FE7BEA8EF227A4F00532AB54D831C0E6609845D6F0

Function 00D23429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00D234AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00D234BA

Strings

edit, xrefs: 00D2348F

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 9c5dea08df9fb9696ae1e8656c65066fb17bf2997054d50bd949edca660f93e2
Instruction ID: 833a59d3abefaca377654bf90ee3448a6b0fc7fe6928e3e38e3b35fedde397ed
Opcode Fuzzy Hash: 9c5dea08df9fb9696ae1e8656c65066fb17bf2997054d50bd949edca660f93e2
Instruction Fuzzy Hash: 9111BF71100228AFEB226E64EC44AAB376AEB24378F544364FA60D31E0C779DC529B70

Function 00CF6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00C99CB3: _wcslen.LIBCMT ref: 00C99CBD

CharUpperBuffW.USER32(?,?,?), ref: 00CF6CB6
_wcslen.LIBCMT ref: 00CF6CC2

Strings

STOP, xrefs: 00CF6CBC, 00CF6CC1

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 5fecefa19f8fec40012a27906390f642e9af6893e12054c4a12097df3241ece3
Instruction ID: 520ae972c7f172b6a151cde2cf9d42bf6cd453b905a8ffb29471a6c9d848b0df
Opcode Fuzzy Hash: 5fecefa19f8fec40012a27906390f642e9af6893e12054c4a12097df3241ece3
Instruction Fuzzy Hash: 5601D632A1052B9BCB619FBDDC849BF77B5EF61710B100528E9B297195EB31DA00C661

Function 00CF1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C99CB3: _wcslen.LIBCMT ref: 00C99CBD

Part of subcall function 00CF3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00CF3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00CF1D4C

Strings

ComboBox, xrefs: 00CF1CEB
ListBox, xrefs: 00CF1D16

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 5829813af91daedcfefe4a8e2f830cc161fd967d403ba092299b863309bebe3c
Instruction ID: 6924b53b799fafb7b7aba2f42586db624b0d807ece7f35c8c02f364467e01ede
Opcode Fuzzy Hash: 5829813af91daedcfefe4a8e2f830cc161fd967d403ba092299b863309bebe3c
Instruction Fuzzy Hash: 2601F131600218AB8F09EBA4CC299FE73B8EB02350B08060EAD32672D1EA31590C9671

Function 00CF1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C99CB3: _wcslen.LIBCMT ref: 00C99CBD

Part of subcall function 00CF3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00CF3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00CF1C46

Strings

ComboBox, xrefs: 00CF1BE5
ListBox, xrefs: 00CF1C10

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 9942e8ff658421b40517c8d6f9b6b9cd23ada089f4d8067638263404993ee408
Instruction ID: cd1d0993491724a59987ce4d1fef9d41897a2014739404f6ce98258836ab2016
Opcode Fuzzy Hash: 9942e8ff658421b40517c8d6f9b6b9cd23ada089f4d8067638263404993ee408
Instruction Fuzzy Hash: AF01A77578110CAACF18EB95CD65AFF77A8DB12340F14001DAE16772C1EA209F0CD6B2

Function 00CF1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C99CB3: _wcslen.LIBCMT ref: 00C99CBD

Part of subcall function 00CF3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00CF3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00CF1CC8

Strings

ComboBox, xrefs: 00CF1C69
ListBox, xrefs: 00CF1C94

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c086b005f9349c1f659e845c7f7315a4adf16d0d1e9ee19e7ab56af056ec0ed6
Instruction ID: d1870b4fac594f6da4fef701b8f1a54988d024e74e002d7ed60ff212edb3ebad
Opcode Fuzzy Hash: c086b005f9349c1f659e845c7f7315a4adf16d0d1e9ee19e7ab56af056ec0ed6
Instruction Fuzzy Hash: 7B018675B8111CABCF15EBA5CE15BFE77A89B12380F580019BD6273281EA719F0CD672

Function 00CF1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C99CB3: _wcslen.LIBCMT ref: 00C99CBD

Part of subcall function 00CF3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00CF3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00CF1DD3

Strings

ComboBox, xrefs: 00CF1D75
ListBox, xrefs: 00CF1DA0

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: a6cbd2c1e6ddc16a94fee4166357e5e130c4c8ef0fde9e6ca0253e741f2e7dc9
Instruction ID: fe51cf1efba7493247cd63228f34e1c483953b6e2019d5f57646229c818cfde1
Opcode Fuzzy Hash: a6cbd2c1e6ddc16a94fee4166357e5e130c4c8ef0fde9e6ca0253e741f2e7dc9
Instruction Fuzzy Hash: F8F0A971B51218A6DF19E7A5CC55BFE77B8EB02350F040919BD32632C1DA705A0C9271

Function 00D1747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D17493
_wcslen.LIBCMT ref: 00D174B9

Strings

3, 3, 16, 1, xrefs: 00D17483

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: bb13dd14f76edfd68e24e3271532d5af62cd2e54d77664c89559794644211548
Instruction ID: 67c80a3f88e9a01a90aecefad8a6a5ba54d45c8aec68835e4bda5041650a104d
Opcode Fuzzy Hash: bb13dd14f76edfd68e24e3271532d5af62cd2e54d77664c89559794644211548
Instruction Fuzzy Hash: 0AE0E5026082202093351269BCC19FF569DCFC97A1B18182AF981C2277EE948DD1A3B0

Function 00CF0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00CF0B23

Strings

Error allocating memory., xrefs: 00CF0B1C
AutoIt, xrefs: 00CF0B17

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 52a3e5fda2746548db4a28e845d8987f534f0f2a99fd371d0bb22190c65476c4
Instruction ID: e1153e36b2995898897759b86edee0d28b9a1934ae02c7e32ab06b3101a5e66e
Opcode Fuzzy Hash: 52a3e5fda2746548db4a28e845d8987f534f0f2a99fd371d0bb22190c65476c4
Instruction Fuzzy Hash: 82E0D8312443186AD22536947C03F8D7A848F15F59F10042AFB58955C38AE168912AFA

Function 00CB0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00CAF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00CB0D71,?,?,?,00C9100A), ref: 00CAF7CE

IsDebuggerPresent.KERNEL32(?,?,?,00C9100A), ref: 00CB0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00C9100A), ref: 00CB0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00CB0D7F

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: c09da0b5751f79ef56300adbc88a703da067cad911c1fedc3e5a2e74974179ef
Instruction ID: 6b8c6b049ed1b2151e9d7b9ab63a7417b3ed30ee3efd41cea668d3e9af4c6d65
Opcode Fuzzy Hash: c09da0b5751f79ef56300adbc88a703da067cad911c1fedc3e5a2e74974179ef
Instruction Fuzzy Hash: A7E06D742007118FD7309FB8E4083867BF0AF20744F11492DE482C6791DBB0E4858BB1

Function 00D03017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00D0302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00D03044

Strings

aut, xrefs: 00D03038

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: a6ba158a3e7ccbd8fd0fdd49e91e5c1b1cc5826e889123775ae442bdbcaf3c55
Instruction ID: 8e1f282a89286f97efe833d73a30ea74018fd133dd8e1904c41c6d61ce643977
Opcode Fuzzy Hash: a6ba158a3e7ccbd8fd0fdd49e91e5c1b1cc5826e889123775ae442bdbcaf3c55
Instruction Fuzzy Hash: B7D05E72500328ABDA30A7A4AC0EFCB3A6CDF05751F4002A1BA55E2191DEB0D989CAE4

Function 00CED21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00CED220

Strings

X64, xrefs: 00CED2A8
%.3d, xrefs: 00CED22B

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 184754a4ff2e4ebafc5cc0af492b7612069b10e69e8ace2885ebd064a0755358
Instruction ID: 61fa414c529661c65fd87ac77dce79e70820d6386c9f50ae7dafeecacea7b994
Opcode Fuzzy Hash: 184754a4ff2e4ebafc5cc0af492b7612069b10e69e8ace2885ebd064a0755358
Instruction Fuzzy Hash: FBD012A1808249EACF5096E3DC458B9B37CAB19341F608452FE17E1040D634CD096771

Function 00CCBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00CCBE93
GetLastError.KERNEL32 ref: 00CCBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00CCBEFC

Memory Dump Source

Source File: 00000000.00000002.1727992052.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.1727967772.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728099655.0000000000D52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728148949.0000000000D5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1728172009.0000000000D64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 557a4fe1717bdf7dc3a54cce9a85214f2774adb5efecbe827a7e25ce33106527
Instruction ID: c54ae6333c8776024ee25db9777b41b16439796a811dc3d2ec9ba0314aae61f4
Opcode Fuzzy Hash: 557a4fe1717bdf7dc3a54cce9a85214f2774adb5efecbe827a7e25ce33106527
Instruction Fuzzy Hash: E941C138604216AFDF21CFE5CC46FAA7BA5AF41720F14416DF9699B3A1DB308E01DB61

Analysis Process: firefox.exePID: 7448, Parent PID: 7696COMMON

Execution Graph

Execution Coverage:	0.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 000001B4980383F2 Relevance: 26.1, APIs: 1, Strings: 10, Instructions: 6826nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 000001B498038457

Strings

#, xrefs: 000001B4980367C5
>, xrefs: 000001B4980384B9
>, xrefs: 000001B49803C4FF
z, xrefs: 000001B49803848B
#, xrefs: 000001B498039531
#, xrefs: 000001B498038482
z, xrefs: 000001B498039A36
4, xrefs: 000001B49803C4D9
>, xrefs: 000001B49803925C
A, xrefs: 000001B49803844F

Memory Dump Source

Source File: 00000010.00000002.2922220145.000001B498036000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001B498036000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1b498036000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID: #$#$#$4$>$>$>$A$z$z
API String ID: 3562636166-3072146587
Opcode ID: a7beeb6ed6d4bd1c13836e24e4a4bf8602c8d7752103ee20adf8d6ea9f6b849f
Instruction ID: 56ec4fafb29d240655e3f50c0b527cc5e0104563d5a3aa76171a92e39a437c7f
Opcode Fuzzy Hash: a7beeb6ed6d4bd1c13836e24e4a4bf8602c8d7752103ee20adf8d6ea9f6b849f
Instruction Fuzzy Hash: 92A3D531618A498BEB2DDF1CDC856EA73E5FB99704F14422ED84AC7256DF34E9028BC1

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.65.91 151.101.65.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000B.00000002.1697822630.00000268A1340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://www.facebook.com/video" --no-default-browser-check --disable-popup-blocking equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000B.00000002.1697822630.00000268A1340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://www.facebook.com/video" --no-default-browser-check --disable-popup-blockingB equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000C.00000002.1704588914.00000278A8B10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking --attempting-deelevation equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000C.00000002.1704588914.00000278A8B10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking --attempting-deelevationMP equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1850003624.0000021A5A45F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: .S........[tlsflags0x00000000]www.facebook.com:443^partitionKey=%28https%2Cfacebook.com%29 equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1879465451.0000021A5D8A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1849197603.0000021A5D893000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1867237868.0000021A5D893000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1867514348.0000021A5A409000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1850003624.0000021A5A409000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8:https://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1806833741.0000021A5AC39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1809762919.0000021A558CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1888979434.0000021A5AC39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1849197603.0000021A5D893000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1866100287.0000021A5E3EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1867514348.0000021A5A409000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1885967550.0000021A5BEC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1806509772.0000021A5DF8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1806509772.0000021A5DF58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1849197603.0000021A5D893000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1866100287.0000021A5E3EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1866383948.0000021A5E38F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1875522741.0000021A54189000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1868804484.0000021A54189000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1879465451.0000021A5D8A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1849197603.0000021A5D893000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1867237868.0000021A5D893000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1867514348.0000021A5A409000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1850003624.0000021A5A409000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8~predictor-origin,:https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1867514348.0000021A5A409000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1850003624.0000021A5A409000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: :https://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000002.2915495501.000002B996320000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: =::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=--kioskMOZ_CRASHREPORTER_RESTART_ARG_2=https://www.facebook.com/videoMOZ_CRASHREPORTER_RESTART_ARG_3=--no-default-browser-checkMOZ_CRASHREPORTER_RESTART_ARG_4=--disable-popup-blockingMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows equals www.facebook.com (Facebook)
Source: firefox.exe, 00000011.00000002.2914465992.000002AD21800000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: =::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=--kioskMOZ_CRASHREPORTER_RESTART_ARG_2=https://www.facebook.com/videoMOZ_CRASHREPORTER_RESTART_ARG_3=--no-default-browser-checkMOZ_CRASHREPORTER_RESTART_ARG_4=--disable-popup-blockingMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows0Q equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.2914089019.000001B497310000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: =::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=--kioskMOZ_CRASHREPORTER_RESTART_ARG_2=https://www.facebook.com/videoMOZ_CRASHREPORTER_RESTART_ARG_3=--no-default-browser-checkMOZ_CRASHREPORTER_RESTART_ARG_4=--disable-popup-blockingMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows9s<g" equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1898032967.0000021A55959000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: >https://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000002.2921198756.000002B996774000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=--kioskMOZ_CRASHREPORTER_RESTART_ARG_2=https://www.facebook.com/videoMOZ_CRASHREPORTER_RESTART_ARG_3=--no-default-browser-checkMOZ_CRASHREPORTER_RESTART_ARG_4=--disable-popup-blockingMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows equals www.facebook.com (Facebook)
Source: firefox.exe, 00000011.00000002.2920940666.000002AD21C14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=--kioskMOZ_CRASHREPORTER_RESTART_ARG_2=https://www.facebook.com/videoMOZ_CRASHREPORTER_RESTART_ARG_3=--no-default-browser-checkMOZ_CRASHREPORTER_RESTART_ARG_4=--disable-popup-blockingMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowsb?6 equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.2914688114.000001B497454000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=--kioskMOZ_CRASHREPORTER_RESTART_ARG_2=https://www.facebook.com/videoMOZ_CRASHREPORTER_RESTART_ARG_3=--no-default-browser-checkMOZ_CRASHREPORTER_RESTART_ARG_4=--disable-popup-blockingMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowsw equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000B.00000002.1697822630.00000268A134A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Program Files\Mozilla Firefox\firefox.exe--kioskhttps://www.facebook.com/video--no-default-browser-check--disable-popup-blocking equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000C.00000002.1704588914.00000278A8B17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Program Files\Mozilla Firefox\firefox.exe--kioskhttps://www.facebook.com/video--no-default-browser-check--disable-popup-blocking--attempting-deelevation equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000B.00000002.1697822630.00000268A1340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\Desktop\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://www.facebook.com/video" --no-default-browser-check --disable-popup-blockingC:\Program Files\Mozilla Firefox\firefox.exeWinsta0\Default equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000C.00000002.1704588914.00000278A8B10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Windows\system32\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking --attempting-deelevationC:\Program Files\Mozilla Firefox\firefox.exeWinsta0\DefaultP equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000002.2921198756.000002B996770000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2921198756.000002B996774000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2915495501.000002B99632A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: MOZ_CRASHREPORTER_RESTART_ARG_2=https://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000002.2915495501.000002B996320000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: MOZ_CRASHREPORTER_RESTART_ARG_2=https://www.facebook.com/video. equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1806389171.0000021A5DFBB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1866383948.0000021A5E3A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1889707341.0000021A5DFDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: about:certerror?e=nssBadCert&u=https%3A//www.facebook.com/video&c=UTF-8&d=%20 equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000002.2921198756.000002B996770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: aming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=--kioskMOZ_CRASHREPORTER_RESTART_ARG_2=https://www.facebook.com/videoMOZ_CRASHREPORTER_RESTART_ARG_3= equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.2914688114.000001B497450000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: aming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=--kioskMOZ_CRASHREPORTER_RESTART_ARG_2=https://www.facebook.com/videoMOZ_CRASHREPORTER_RESTART_ARG_3=g equals www.facebook.com (Facebook)
Source: firefox.exe, 00000011.00000002.2920940666.000002AD21C10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: aming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=--kioskMOZ_CRASHREPORTER_RESTART_ARG_2=https://www.facebook.com/videoMOZ_CRASHREPORTER_RESTART_ARG_3=r>6 equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1747211706.0000021A5A52E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: blockedURIswww.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1901765250.0000021A53E30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1848098486.0000021A5E2CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: e=nssBadCert&u=https%3A//www.facebook.com/video&c=UTF-8&d=%20 equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1806833741.0000021A5AC39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1882993187.0000021A547CE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1853289291.0000021A547C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1849197603.0000021A5D893000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1866100287.0000021A5E3EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1867514348.0000021A5A409000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: file.exe, 00000000.00000002.1728220349.0000000000F48000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1885967550.0000021A5BEC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1806509772.0000021A5DF8A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1849197603.0000021A5D893000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1866100287.0000021A5E3EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1866383948.0000021A5E38F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1867514348.0000021A5A45F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1850003624.0000021A5A45F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2916628420.000001B497603000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1867514348.0000021A5A45F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1850003624.0000021A5A45F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2916628420.000001B497603000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1867514348.0000021A5A45F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1850003624.0000021A5A45F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2916628420.000001B497603000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1867237868.0000021A5D872000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1885913946.0000021A5D874000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1849197603.0000021A5D872000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/injections/js/bug1842437-www.youtube.com-performance-now-precision.js+ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000B.00000002.1697856555.00000268A1362000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000B.00000003.1697603386.00000268A135D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: osk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking --attempting-deelevation equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000B.00000002.1697856555.00000268A1362000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000B.00000003.1697603386.00000268A135D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s--kiosk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking --attempting-deelevationUser equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1884065564.0000021A53D79000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: s://www.facebook.com/videoguidt.0 equals www.facebook.com (Facebook)
Source: file.exe, 00000000.00000003.1696630808.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: sk "https://www.facebook.com/video" --no-default-browser-check --disable-popup-blockingC:\Program Files\Mozilla Firefox\firefox.exeWinsta0\Default=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REg equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1747986691.0000021A55CE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tlsflags0x00000000:www.facebook.com:443^partitionKey=%28https%2Cfacebook.com%29 equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1747986691.0000021A55CE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tlsflags0x00000000:www.facebook.com:443^partitionKey=%28https%2Cfacebook.com%29` equals www.facebook.com (Facebook)
Source: recovery.jsonlz4.tmp.13.dr	String found in binary or memory: url":"https://www.facebook.com/video","title) equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1875522741.0000021A54189000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1747211706.0000021A5A52E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1882993187.0000021A547CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1884065564.0000021A53D79000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1901886292.0000021A53D6A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1879465451.0000021A5D8A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1849197603.0000021A5D893000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1826788374.0000021A55AA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1829469473.0000021A55AC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1875522741.0000021A54189000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1748857160.0000021A535F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1884764203.0000021A535F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1850003624.0000021A5A45F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x.S........[tlsflags0x00000000]www.facebook.com:443^partitionKey=%28https%2Cfacebook.com%29 equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1806389171.0000021A5DFBB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1866383948.0000021A5E3A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1889707341.0000021A5DFDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: xabout:certerror?e=nssBadCert&u=https%3A//www.facebook.com/video&c=UTF-8&d=%20 equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1901765250.0000021A53E30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1848098486.0000021A5E2CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: xe=nssBadCert&u=https%3A//www.facebook.com/video&c=UTF-8&d=%20 equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1901765250.0000021A53E30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1867514348.0000021A5A45F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1850003624.0000021A5A45F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: xhttps://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1867514348.0000021A5A409000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1850003624.0000021A5A409000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ~predictor-origin,:https://www.facebook.com/ equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.65.91:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49816 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49817 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49818 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49969 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_60f973d7-f2f9-4ea4-8e72-c7f40f019b7e.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_60f973d7-f2f9-4ea4-8e72-c7f40f019b7e.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre