Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1544229
MD5:	0357e5852cd0e3c44b1092e9338cf930
SHA1:	a3768bf0ad795f9c4e506eeb3f03984282bbd040
SHA256:	eb45c05e8d629f18973a325ec2e42cce259c1a7fb0f518820af62fb249df8804
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7404 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 0357E5852CD0E3C44B1092E9338CF930)

taskkill.exe (PID: 7420 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7520 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7584 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7640 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7704 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 7760 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7796 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7812 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8060 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2224 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e344c09-d758-4121-afce-22356859a8f5} 7812 "\\.\pipe\gecko-crash-server-pipe.7812" 1da83b6e310 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7532 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4312 -parentBuildID 20230927232528 -prefsHandle 4304 -prefMapHandle 4308 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6cc68ceb-5b67-429c-b1db-017638af971d} 7812 "\\.\pipe\gecko-crash-server-pipe.7812" 1da83b83310 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 1220 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5424 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5416 -prefMapHandle 5392 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f49da774-710e-4fab-b5fa-c78f451c86b2} 7812 "\\.\pipe\gecko-crash-server-pipe.7812" 1da95b9e310 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 7404	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_00D6EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00D6EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D6ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00D6ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00D6EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D5AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00D5AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D89576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00D89576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.1679565299.0000000000DB2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_83cd88ca-4
Source: file.exe, 00000000.00000000.1679565299.0000000000DB2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_4d54b1e5-0
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_c372bae7-4
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_459f7b5e-1

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001882759ABB7 NtQuerySystemInformation,		16_2_000001882759ABB7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000188276BA9F2 NtQuerySystemInformation,		16_2_00000188276BA9F2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D5D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00D5D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D51201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00D51201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D5E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00D5E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D62046	0_2_00D62046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CF8060	0_2_00CF8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D58298	0_2_00D58298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D2E4FF	0_2_00D2E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D2676B	0_2_00D2676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D84873	0_2_00D84873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CFCAF0	0_2_00CFCAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D1CAA0	0_2_00D1CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D0CC39	0_2_00D0CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D26DD9	0_2_00D26DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CF91C0	0_2_00CF91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D0B119	0_2_00D0B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D11394	0_2_00D11394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D11706	0_2_00D11706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D1781B	0_2_00D1781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D119B0	0_2_00D119B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D0997D	0_2_00D0997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CF7920	0_2_00CF7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D17A4A	0_2_00D17A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D17CA7	0_2_00D17CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D11C77	0_2_00D11C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D29EEE	0_2_00D29EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D7BE44	0_2_00D7BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D11F32	0_2_00D11F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001882759ABB7	16_2_000001882759ABB7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000188276BA9F2	16_2_00000188276BA9F2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000188276BAA32	16_2_00000188276BAA32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000188276BB11C	16_2_00000188276BB11C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00D10A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00D0F9F2 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/36@66/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D637B5 GetLastError,FormatMessageW,

0_2_00D637B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D510BF AdjustTokenPrivileges,CloseHandle,		0_2_00D510BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D516C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00D516C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D651CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00D651CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D5D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00D5D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D6648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00D6648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CF42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00CF42A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7712:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7648:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7528:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7428:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7592:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000D.00000003.1807986535.000001DA9F74E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1847579337.000001DA9F74E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1919780549.000001DA9F74F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000D.00000003.1807986535.000001DA9F74E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1847579337.000001DA9F74E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1919780549.000001DA9F74F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000D.00000003.1807986535.000001DA9F74E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1847579337.000001DA9F74E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1919780549.000001DA9F74F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000D.00000003.1807986535.000001DA9F74E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1847579337.000001DA9F74E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1919780549.000001DA9F74F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000D.00000003.1806938322.000001DA9F9E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000D.00000003.1807986535.000001DA9F74E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1847579337.000001DA9F74E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1919780549.000001DA9F74F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000D.00000003.1807986535.000001DA9F74E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1847579337.000001DA9F74E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1919780549.000001DA9F74F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000D.00000003.1807986535.000001DA9F74E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1847579337.000001DA9F74E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1919780549.000001DA9F74F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000D.00000003.1807986535.000001DA9F74E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1847579337.000001DA9F74E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1919780549.000001DA9F74F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000D.00000003.1807986535.000001DA9F74E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1847579337.000001DA9F74E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1919780549.000001DA9F74F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

Virustotal: Detection: 41%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2224 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e344c09-d758-4121-afce-22356859a8f5} 7812 "\\.\pipe\gecko-crash-server-pipe.7812" 1da83b6e310 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4312 -parentBuildID 20230927232528 -prefsHandle 4304 -prefMapHandle 4308 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6cc68ceb-5b67-429c-b1db-017638af971d} 7812 "\\.\pipe\gecko-crash-server-pipe.7812" 1da83b83310 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5424 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5416 -prefMapHandle 5392 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f49da774-710e-4fab-b5fa-c78f451c86b2} 7812 "\\.\pipe\gecko-crash-server-pipe.7812" 1da95b9e310 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2224 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e344c09-d758-4121-afce-22356859a8f5} 7812 "\\.\pipe\gecko-crash-server-pipe.7812" 1da83b6e310 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4312 -parentBuildID 20230927232528 -prefsHandle 4304 -prefMapHandle 4308 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6cc68ceb-5b67-429c-b1db-017638af971d} 7812 "\\.\pipe\gecko-crash-server-pipe.7812" 1da83b83310 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5424 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5416 -prefMapHandle 5392 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f49da774-710e-4fab-b5fa-c78f451c86b2} 7812 "\\.\pipe\gecko-crash-server-pipe.7812" 1da95b9e310 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: UxTheme.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02C6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000D.00000003.1814925021.000001DA91157000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winsta.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: bcrypt.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1806329907.000001DAA02AC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ktmw32.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WscApi.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msvcrt.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02C6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xWindows.StateRepositoryPS.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02AC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02EC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000D.00000003.1811773375.000001DAA03A1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: xul.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winnsi.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dcomp.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8dhcpcsvc6.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02EC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: CLBCatQ.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntmarta.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02C6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: urlmon.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: propsys.pdbincoming.telemetry.mozilla.org source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02EC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8kernelbase.pdb source: firefox.exe, 0000000D.00000003.1806304972.000001DAA02FD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shlwapi.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000D.00000003.1812957724.000001DA9114B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02EC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: win32u.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02C6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dwmapi.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8bcryptprimitives.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02C6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: firefox.pdb source: firefox.exe, 0000000D.00000003.1806708364.000001DAA0297000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: srvcli.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: imm32.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02C6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000D.00000003.1811773375.000001DAA03A1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02EC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ws2_32.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mswsock.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8iphlpapi.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8gkcodecs.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02C6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nsi.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winmm.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02EC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ole32.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8cryptbase.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1806304972.000001DAA02FD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8cfgmgr32.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1806304972.000001DAA02FD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msasn1.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02C6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: version.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02C6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: DWrite.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: combase.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02C6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8dhcpcsvc.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8msvcp140.amd64.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000D.00000003.1814504430.000001DA9114B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8webauthn.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02C6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Kernel.Appcore.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02C6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: profapi.pdbX-Telemetry-Agent source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wsock32.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8oleaut32.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02C6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8kernel32.pdb source: firefox.exe, 0000000D.00000003.1806304972.000001DAA02FD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: rpcrt4.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02C6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1814504430.000001DA9114B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1814925021.000001DA91157000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 8ucrtbase.pdb source: firefox.exe, 0000000D.00000003.1806304972.000001DAA02FD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shcore.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shell32.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02C6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8msvcp_win.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02C6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnsapi.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: userenv.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nlaapi.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: devobj.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d3d11.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000D.00000003.1812957724.000001DA9114B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 8advapi32.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02C6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Windows.Storage.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02C6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dbghelp.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8netprofm.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1806329907.000001DAA02C6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: profapi.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: gdi32.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02C6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WLDP.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02C6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sechost.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02C6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8setupapi.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sechost.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02C6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8vcruntime140_1.amd64.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1806304972.000001DAA02FD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: propsys.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8lgpllibs.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: 8gdi32full.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02C6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8vcruntime140.amd64.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1806304972.000001DAA02FD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winrnr.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msctf.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: version.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02AC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dbgcore.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mscms.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: user32.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02C6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: twinapi.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: 8wintrust.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: psapi.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02C6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02C6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dxgi.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8npmproxy.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02F4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: crypt32.pdb source: firefox.exe, 0000000D.00000003.1806329907.000001DAA02AC000.00000004.00000800.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CF42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00CF42DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D10A76 push ecx; ret

0_2_00D10A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D0F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00D0F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D81C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00D81C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96925

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000001882759ABB7 rdtsc

16_2_000001882759ABB7

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D5DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00D5DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D668EE FindFirstFileW,FindClose,	0_2_00D668EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D6698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00D6698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D5D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00D5D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D5D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00D5D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D69642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00D69642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D6979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00D6979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D69B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00D69B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D65C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00D65C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CF42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00CF42DE

Source: firefox.exe, 0000000F.00000002.2943173571.000001B1C8240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV
Source: firefox.exe, 00000010.00000002.2940788214.0000018827460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6
Source: firefox.exe, 0000000D.00000003.1830468677.000001DA94AC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1787895189.000001DA94AD9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1839287089.000001DA94AC9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 3'QemU
Source: firefox.exe, 00000011.00000002.2935056453.000001E08A13A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@6C
Source: firefox.exe, 00000010.00000002.2940788214.0000018827460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW6634-1002_Classes
Source: firefox.exe, 0000000D.00000003.1830468677.000001DA94AC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1787895189.000001DA94AD9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1839287089.000001DA94AC9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'QemU
Source: firefox.exe, 0000000F.00000002.2936611389.000001B1C7A0A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2934351110.0000018826CAA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000F.00000002.2941676263.000001B1C7E14000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000010.00000002.2940788214.0000018827460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllJ
Source: firefox.exe, 00000011.00000002.2941387249.000001E08A430000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWaH
Source: firefox.exe, 0000000F.00000002.2936611389.000001B1C7A0A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2943173571.000001B1C8240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000001882759ABB7 rdtsc

16_2_000001882759ABB7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D6EAA2 BlockInput,

0_2_00D6EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D22622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00D22622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CF42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00CF42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D14CE8 mov eax, dword ptr fs:[00000030h]

0_2_00D14CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D50B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00D50B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D22622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00D22622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D1083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00D1083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D109D5 SetUnhandledExceptionFilter,	0_2_00D109D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D10C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00D10C21

Source: C:\Users\user\Desktop\file.exe

0_2_00D51201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D32BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00D32BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D5B226 SendInput,keybd_event,

0_2_00D5B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D722DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00D722DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00D50B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D51663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00D51663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000D.00000003.1805612977.000001DAA03A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D10698 cpuid

0_2_00D10698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D68195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00D68195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D4D27A GetUserNameW,

0_2_00D4D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D2BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00D2BB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CF42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00CF42DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7404, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7404, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D71204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00D71204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D71806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00D71806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	42%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
example.org	0%	Virustotal	Browse
star-mini.c10r.facebook.com	0%	Virustotal	Browse
prod.classify-client.prod.webservices.mozgcp.net	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
http://detectportal.firefox.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema.	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://content-signature-2.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2020-12/schema/=	0%	URL Reputation	safe
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://ok.ru/	0%	URL Reputation	safe
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://MD8.mozilla.org/1/m	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://shavar.services.mozilla.com/	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://duckduckgo.com/?t=ffab&q=	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe
https://truecolors.firefox.com/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
example.org	93.184.215.14	true	false	0%, Virustotal, Browse	unknown
star-mini.c10r.facebook.com	157.240.0.35	true	false	0%, Virustotal, Browse	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	0%, Virustotal, Browse	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false		unknown
twitter.com	104.244.42.65	true	false		unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false		unknown
services.addons.mozilla.org	151.101.65.91	true	false		unknown
dyna.wikimedia.org	185.15.59.224	true	false		unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false		unknown
contile.services.mozilla.com	34.117.188.166	true	false		unknown
youtube.com	216.58.206.78	true	false		unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false		unknown
youtube-ui.l.google.com	216.58.206.46	true	false		unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false		unknown
reddit.map.fastly.net	151.101.1.140	true	false		unknown
ipv4only.arpa	192.0.0.170	true	false		unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false		unknown
push.services.mozilla.com	34.107.243.93	true	false		unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false		unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false		unknown
www.reddit.com	unknown	unknown	false		unknown
spocs.getpocket.com	unknown	unknown	false		unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false		unknown
support.mozilla.org	unknown	unknown	false		unknown
firefox.settings.services.mozilla.com	unknown	unknown	false		unknown
www.youtube.com	unknown	unknown	false		unknown
www.facebook.com	unknown	unknown	false		unknown
detectportal.firefox.com	unknown	unknown	false		unknown
normandy.cdn.mozilla.net	unknown	unknown	false		unknown
shavar.services.mozilla.com	unknown	unknown	false		unknown
www.wikipedia.org	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.2937121611.000001B1C7A60000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2936404907.0000018826DB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2941532592.000001E08A530000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000011.00000002.2936968892.000001E08A3C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://detectportal.firefox.com/	firefox.exe, 0000000D.00000003.1881842002.000001DA94EF5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.2937121611.000001B1C7A60000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2936404907.0000018826DB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2941532592.000001E08A530000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000D.00000003.1898148625.000001DA9C176000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1808419066.000001DA9C148000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1848662234.000001DA9C148000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000F.00000002.2937652960.000001B1C7CCB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2937124782.0000018826FE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2941932712.000001E08A603000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000D.00000003.1814785402.000001DA9B96E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1762142356.000001DA9B96E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1761840366.000001DA9B970000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1828817472.000001DA9B96E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1760791003.000001DA9B975000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1761445209.000001DA9B96E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1786911790.000001DA9B96E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000011.00000002.2936968892.000001E08A38F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000D.00000003.1930825681.000001DA94CB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1883545210.000001DA94CB7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.2937121611.000001B1C7A60000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2936404907.0000018826DB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2941532592.000001E08A530000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000D.00000003.1886524197.000001DA94B9D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.o	firefox.exe, 0000000D.00000003.1810080229.000001DA949B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1786667578.000001DA949BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1786559278.000001DA949BD000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000D.00000003.1886769468.000001DA94B4D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1886769468.000001DA94B8D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 0000000D.00000003.1849314839.000001DA9C034000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1808624941.000001DA9BCAE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000D.00000003.1856693104.000001DA97456000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1909344111.000001DA97456000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1854429569.000001DA9BBA0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1724085189.000001DA9395A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.2937121611.000001B1C7A60000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2936404907.0000018826DB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2941532592.000001E08A530000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000D.00000003.1910567761.000001DA9487C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911218785.000001DA945FD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911218785.000001DA945AC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.2937121611.000001B1C7A60000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2936404907.0000018826DB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2941532592.000001E08A530000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.2937121611.000001B1C7A60000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2936404907.0000018826DB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2941532592.000001E08A530000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.2937121611.000001B1C7A60000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2936404907.0000018826DB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2941532592.000001E08A530000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1776294180.000001DA952FE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1723490030.000001DA9391F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1724490062.000001DA93977000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1723130248.000001DA93700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1723798011.000001DA9393C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928136367.000001DA9419F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1724085189.000001DA9395A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 0000000D.00000003.1856895707.000001DA96F61000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1909448476.000001DA96F61000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1879797130.000001DA96F61000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1723490030.000001DA9391F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1724490062.000001DA93977000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1723130248.000001DA93700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1723798011.000001DA9393C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1724085189.000001DA9395A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.2937121611.000001B1C7A60000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2936404907.0000018826DB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2941532592.000001E08A530000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.2937121611.000001B1C7A60000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2936404907.0000018826DB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2941532592.000001E08A530000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.2937121611.000001B1C7A60000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2936404907.0000018826DB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2941532592.000001E08A530000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000D.00000003.1903355970.000001DA9637F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000D.00000003.1883545210.000001DA94C81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000D.00000003.1930825681.000001DA94CB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1883545210.000001DA94CB7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000F.00000002.2937652960.000001B1C7CCB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2937124782.0000018826FE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2941932712.000001E08A603000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000D.00000003.1847910614.000001DA9C2B8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.instagram.com/	firefox.exe, 0000000D.00000003.1783046408.000001DA951EE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.2937121611.000001B1C7A60000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2936404907.0000018826DB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2941532592.000001E08A530000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.2937121611.000001B1C7A60000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2936404907.0000018826DB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2941532592.000001E08A530000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ok.ru/	firefox.exe, 0000000D.00000003.1924158910.000001DA95BDC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000D.00000003.1856895707.000001DA96F8B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1923050851.000001DA97416000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.2937121611.000001B1C7A60000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2936404907.0000018826DB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2941532592.000001E08A530000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	firefox.exe, 0000000D.00000003.1808624941.000001DA9BCAE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000D.00000003.1930085772.000001DA9BADD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1855654959.000001DA9BADD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.2937121611.000001B1C7A60000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2936404907.0000018826DB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2941532592.000001E08A530000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000F.00000002.2937652960.000001B1C7CCB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2937124782.0000018826FE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2941932712.000001E08A603000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://www.youtube.com/	firefox.exe, 0000000D.00000003.1856895707.000001DA96F8B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1923050851.000001DA97416000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2937124782.0000018826F0A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2936968892.000001E08A30C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000D.00000003.1788650200.000001DA953AE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.2937121611.000001B1C7A60000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2936404907.0000018826DB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2941532592.000001E08A530000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://MD8.mozilla.org/1/m	firefox.exe, 0000000D.00000003.1892315735.000001DA9BFC1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bbc.co.uk/	firefox.exe, 0000000D.00000003.1886524197.000001DA94B9D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000D.00000003.1847910614.000001DA9C2B8000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000011.00000002.2936968892.000001E08A3C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000D.00000003.1929393517.000001DA937A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2937121611.000001B1C7A60000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2936404907.0000018826DB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2941532592.000001E08A530000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000D.00000003.1788300271.000001DA954F7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.1831589028.000001DA94F61000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1821551384.000001DA94F61000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000D.00000003.1848662234.000001DA9C148000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.2937121611.000001B1C7A60000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2936404907.0000018826DB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2941532592.000001E08A530000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000D.00000003.1910567761.000001DA9487C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.13.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000D.00000003.1883545210.000001DA94C81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://detectportal.firefox.comUT	firefox.exe, 0000000D.00000003.1870870141.000001DA96368000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000D.00000003.1930085772.000001DA9BADD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1855654959.000001DA9BADD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 00000011.00000002.2936968892.000001E08A313000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.2937121611.000001B1C7A60000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2936404907.0000018826DB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2941532592.000001E08A530000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.2937121611.000001B1C7A60000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2936404907.0000018826DB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2941532592.000001E08A530000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.2937121611.000001B1C7A60000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2936404907.0000018826DB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2941532592.000001E08A530000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000D.00000003.1924158910.000001DA95BDC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1886524197.000001DA94B9D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.2937121611.000001B1C7A60000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2936404907.0000018826DB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2941532592.000001E08A530000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.2937121611.000001B1C7A60000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2936404907.0000018826DB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2941532592.000001E08A530000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.2937121611.000001B1C7A60000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2936404907.0000018826DB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2941532592.000001E08A530000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.2937121611.000001B1C7A60000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2936404907.0000018826DB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2941532592.000001E08A530000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.2937121611.000001B1C7A60000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2936404907.0000018826DB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2941532592.000001E08A530000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListenerUseOfReleaseEventsWarningUse	firefox.exe, 0000000D.00000003.1930085772.000001DA9BADD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1855654959.000001DA9BADD000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.2937121611.000001B1C7A60000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2936404907.0000018826DB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2941532592.000001E08A530000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.2937121611.000001B1C7A60000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2936404907.0000018826DB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2941532592.000001E08A530000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.1783139632.000001DA949CF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1839287089.000001DA94ABF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1763552399.000001DA9BE56000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1737790927.000001DA93CF1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1814785402.000001DA9B969000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1816554204.000001DA97259000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1867907443.000001DA95144000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1812666581.000001DA93CDA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1868235955.000001DA9513E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1823778262.000001DA952F4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1761914414.000001DA9B962000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1786456950.000001DA949C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1868386774.000001DA9520D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1905634603.000001DA95DFA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1868386774.000001DA95219000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1810080229.000001DA949CF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1862984254.000001DA93904000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1783139632.000001DA949C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1830468677.000001DA94AB9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1761973051.000001DA9B969000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1879797130.000001DA96F57000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.1856895707.000001DA96F61000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1909448476.000001DA96F61000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1879797130.000001DA96F61000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.1856895707.000001DA96F61000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1909448476.000001DA96F61000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1879797130.000001DA96F61000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.2937121611.000001B1C7A60000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2936404907.0000018826DB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2941532592.000001E08A530000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000D.00000003.1924158910.000001DA95BDC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000D.00000003.1807026219.000001DA9F95E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000D.00000003.1807026219.000001DA9F95E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000D.00000003.1814785402.000001DA9B96E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1762142356.000001DA9B96E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1761840366.000001DA9B970000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1828817472.000001DA9B96E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1761445209.000001DA9B96E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1786911790.000001DA9B96E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.2937121611.000001B1C7A60000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2936404907.0000018826DB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2941532592.000001E08A530000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000D.00000003.1849142368.000001DA9C0E5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.2937121611.000001B1C7A60000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2936404907.0000018826DB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2941532592.000001E08A530000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1732469345.000001DA93433000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1731430057.000001DA93433000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1732086272.000001DA93429000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.2937121611.000001B1C7A60000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2936404907.0000018826DB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2941532592.000001E08A530000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000D.00000003.1879797130.000001DA96F8B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1930465824.000001DA96F8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1902779706.000001DA96F8B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1894262769.000001DA96F8B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1856895707.000001DA96F8B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000D.00000003.1788650200.000001DA953AE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1732469345.000001DA93433000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1731430057.000001DA93433000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1732086272.000001DA93429000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.	firefox.exe, 0000000D.00000003.1810024556.000001DA9516E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1772189317.000001DA95163000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000D.00000003.1847910614.000001DA9C2B8000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000F.00000002.2937652960.000001B1C7CCB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2937124782.0000018826FE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2941932712.000001E08A603000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000D.00000003.1808624941.000001DA9BCAE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2937121611.000001B1C7A60000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2936404907.0000018826DB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2941532592.000001E08A530000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.co.uk/	firefox.exe, 0000000D.00000003.1886524197.000001DA94B9D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000D.00000003.1807026219.000001DA9F9D7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 0000000F.00000002.2937121611.000001B1C7A60000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2936404907.0000018826DB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2941532592.000001E08A530000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 0000000D.00000003.1724085189.000001DA9395A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://truecolors.firefox.com/	firefox.exe, 0000000D.00000003.1808881591.000001DA9BC2C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/search	firefox.exe, 0000000D.00000003.1808624941.000001DA9BC60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1776294180.000001DA952FE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1723490030.000001DA9391F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1724490062.000001DA93977000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1723130248.000001DA93700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1723798011.000001DA9393C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928136367.000001DA9419F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928561688.000001DA93DE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1724085189.000001DA9395A000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
216.58.206.78	youtube.com	United States	15169	GOOGLEUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
151.101.65.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544229
Start date and time:	2024-10-29 04:26:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/36@66/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 95% Number of executed functions: 42 Number of non-executed functions: 308
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 34.218.156.47, 52.32.18.233, 34.211.181.209, 2.22.61.56, 2.22.61.59, 142.250.186.110, 216.58.212.170, 172.217.18.10, 172.217.16.206, 142.250.185.206
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:27:08	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.65.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	XlKQ797V2E.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
star-mini.c10r.facebook.com	Salary_Structure_Benefits_for_Sebastien.daveauIyNURVhUTlVNUkFORE9NMTkjIw==.html	Get hash	malicious	HTMLPhisher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
	https://api.inspectrealestate.com.au/email/track?eta=1&t=B32-5UARLGTXC6GHXC7PJPHCGUP7HMF6FJEQ76L6MOL7WYB6P6EYQNBONANBBGKOXFRO3HPDET5TXGOZXG5FJNMJJC437YUYUWDF5VEVIWPK6LECEZJV3OMRCXF6VI76ZOGYOFIOERVACTHYB4KHK22IKKEWLYPTUBLONXLA7QVY2SW2TZMW4ULVG2UAKDR3DM3RL4TTJAF3F3ROXQ3ZLRVYS7Z2T4TIQETEEUV73V42AQLF65YKSUX6JMYEW3ZHXPREAMXXBOQV32GKOYOISFZKX4GPTPR2IMSMCULLR2V4QUSMU3MWF7NQ%3D%3D%3D%3D	Get hash	malicious	Unknown	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	https://hianime.to	Get hash	malicious	Unknown	Browse	34.117.77.79
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
FASTLYUS	Salary_Structure_Benefits_for_Sebastien.daveauIyNURVhUTlVNUkFORE9NMTkjIw==.html	Get hash	malicious	HTMLPhisher	Browse	151.101.193.44
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	https://api.inspectrealestate.com.au/email/track?eta=1&t=B32-5UARLGTXC6GHXC7PJPHCGUP7HMF6FJEQ76L6MOL7WYB6P6EYQNBONANBBGKOXFRO3HPDET5TXGOZXG5FJNMJJC437YUYUWDF5VEVIWPK6LECEZJV3OMRCXF6VI76ZOGYOFIOERVACTHYB4KHK22IKKEWLYPTUBLONXLA7QVY2SW2TZMW4ULVG2UAKDR3DM3RL4TTJAF3F3ROXQ3ZLRVYS7Z2T4TIQETEEUV73V42AQLF65YKSUX6JMYEW3ZHXPREAMXXBOQV32GKOYOISFZKX4GPTPR2IMSMCULLR2V4QUSMU3MWF7NQ%3D%3D%3D%3D	Get hash	malicious	Unknown	Browse	151.101.65.229
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	(No subject) (98).eml	Get hash	malicious	HTMLPhisher	Browse	151.101.193.229
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	https://hianime.to	Get hash	malicious	Unknown	Browse	57.129.18.105
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_b126bd3d-9c00-4518-b6ae-2e2abafcd518.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.18106438273559
Encrypted:	false
SSDEEP:	192:zjMX1BCcbhbVbTbfbRbObtbyEl7nVr0JA6WnSrDtTUd/SkDrs:zYacNhnzFSJ1rHBnSrDhUd/W
MD5:	2A5963E27A4F11EF235516D8D2508E33
SHA1:	AE7A6AAE543BD5A10454494DF373292CD7F542E0
SHA-256:	3EA2EEF4E5F37ED7752F3B911257436B3CB8EEFAC1776930B536902F03253735
SHA-512:	7565202E63451BCFBF1EA8C3714800CAE71EC11C561D389197B45F3472A0672CAB329252C4732B2708C3E38D490A9665F67DF385DF408663886E2F5F7BB1F3A7
Malicious:	false
Preview:	{"type":"uninstall","id":"b126bd3d-9c00-4518-b6ae-2e2abafcd518","creationDate":"2024-10-29T04:43:28.490Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_b126bd3d-9c00-4518-b6ae-2e2abafcd518.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.18106438273559
Encrypted:	false
SSDEEP:	192:zjMX1BCcbhbVbTbfbRbObtbyEl7nVr0JA6WnSrDtTUd/SkDrs:zYacNhnzFSJ1rHBnSrDhUd/W
MD5:	2A5963E27A4F11EF235516D8D2508E33
SHA1:	AE7A6AAE543BD5A10454494DF373292CD7F542E0
SHA-256:	3EA2EEF4E5F37ED7752F3B911257436B3CB8EEFAC1776930B536902F03253735
SHA-512:	7565202E63451BCFBF1EA8C3714800CAE71EC11C561D389197B45F3472A0672CAB329252C4732B2708C3E38D490A9665F67DF385DF408663886E2F5F7BB1F3A7
Malicious:	false
Preview:	{"type":"uninstall","id":"b126bd3d-9c00-4518-b6ae-2e2abafcd518","creationDate":"2024-10-29T04:43:28.490Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.926756708710528
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNLLes8P:8S+OBIUjOdwiOdYVjjwLLes8P
MD5:	0C9332B42796AEB82BDD3FADC37FFA12
SHA1:	252A954E5C09F563325FC848D19CE9EB28666E5E
SHA-256:	AEF7B3D6A22F56824547359084E42DCD30BC86182299AE23D1D39635446F1C98
SHA-512:	5D3ACB02E5B20273D7DACDECF60F584611748FBA3927813CC6A8640666977532A0B31498588F1DA5C5E63B0A5448CBCCF8E820C9B1C7E63439B3D940418F71FA
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.926756708710528
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNLLes8P:8S+OBIUjOdwiOdYVjjwLLes8P
MD5:	0C9332B42796AEB82BDD3FADC37FFA12
SHA1:	252A954E5C09F563325FC848D19CE9EB28666E5E
SHA-256:	AEF7B3D6A22F56824547359084E42DCD30BC86182299AE23D1D39635446F1C98
SHA-512:	5D3ACB02E5B20273D7DACDECF60F584611748FBA3927813CC6A8640666977532A0B31498588F1DA5C5E63B0A5448CBCCF8E820C9B1C7E63439B3D940418F71FA
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07327282336911276
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkivZL:DLhesh7Owd4+jih
MD5:	EB06B9982C9072B0A357498C997B251E
SHA1:	4D9959ABE137E690CC17B7F6B3F5B6411E59CFE5
SHA-256:	CE761D0E7FD735FD3B37EA7001558188DAC015C26452FEAE867C7A6B276FFB0E
SHA-512:	211FD3382F5E40D46E2807DCD47A54245154A0DA60438356F721E39698AA8013243D4CEF7AB7D69603555E2422764F9243CFAD055BEACDAD1E0B16EE13648AD4
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035455806264726504
Encrypted:	false
SSDEEP:	3:GtlstFDcod+dyYtlstFDcod+d4/L89//alEl:GtWtnuptWtnu4L89XuM
MD5:	5DCA228B012F89DEF717F5595E5EE522
SHA1:	EE98B30D5A9830182371C60DCA1760E672B0B26F
SHA-256:	41A8E4F187056F9627A24C755D9E5B07D58E8E8A0CA7D1895C38431D1953BE0E
SHA-512:	FCA542738A0D09E878B4C24FAD7D1F2A46499B16C26A8D63E47F47648B20D529D02FBE4CC58A2B55260244E9587AEF99A366BDF2C70CB29F31683DAD7069023D
Malicious:	false
Preview:	..-......................K..G.G..'-.vu...U.0.1]...-......................K..G.G..'-.vu...U.0.1].........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03987425719201706
Encrypted:	false
SSDEEP:	3:Ol1fIosOfv3g3TjW+qiv/lll8rEXsxdwhml8XW3R2:KTSeEll8dMhm93w
MD5:	397123CED279284E12730861EA053983
SHA1:	DDA2D4909130CBD2CBACCBC5DA6288A57F28367D
SHA-256:	CFB1666A67A5A53EE111FA0CA83DF377D99B584C1685C1C314909EB63C7A3800
SHA-512:	FDB3CCF564F059E5F0FE1C3141622781A96311C3520309EC23B6EE74A262F681756D0330B5F3E96622DB0FF75EB087774D2F2AE5FF300107478ABA10B3B5EF47
Malicious:	false
Preview:	7....-...........'-.vu..{.*.@Qw..........'-.vu....K..G.G................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.495068817701366
Encrypted:	false
SSDEEP:	192:MnaRtLYbBp6jhj4qyaaXs6K2aN7fG/5RfGNBw8dxSl:hexqkNWqTcwu0
MD5:	206A0F7FC4634FA2FF9D7E599AF2607A
SHA1:	1EFA813622BF97B4448EA26E08BAB56A9FD10B86
SHA-256:	0A6C8525A669AECEDEFB47E6278A60A4ECD7835040DF32717C7A39ABC3DA42E2
SHA-512:	786C755E32B555D7A6D5F2BBCD910ED675380FD3131902182051307A4EA562443CF8020B4DF1A0095BACBE40C9BC8C2D13A9997E1B10C64FB93EF542B0EC3244
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730176979);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730176979);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730176979);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173017

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.495068817701366
Encrypted:	false
SSDEEP:	192:MnaRtLYbBp6jhj4qyaaXs6K2aN7fG/5RfGNBw8dxSl:hexqkNWqTcwu0
MD5:	206A0F7FC4634FA2FF9D7E599AF2607A
SHA1:	1EFA813622BF97B4448EA26E08BAB56A9FD10B86
SHA-256:	0A6C8525A669AECEDEFB47E6278A60A4ECD7835040DF32717C7A39ABC3DA42E2
SHA-512:	786C755E32B555D7A6D5F2BBCD910ED675380FD3131902182051307A4EA562443CF8020B4DF1A0095BACBE40C9BC8C2D13A9997E1B10C64FB93EF542B0EC3244
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730176979);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730176979);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730176979);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173017

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\5617ebd2-ec1e-417f-840c-27ef116f9e72 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	493
Entropy (8bit):	4.955800360108547
Encrypted:	false
SSDEEP:	12:YZFgB145ZxIVHlW8cOlZGV1AQIYzvZcyBuLZ2d:Y04RSlCOlZGV1AQIWZcy6Z2d
MD5:	63CFA633A047DEAA14D6BF80252EE7FD
SHA1:	A4634165785BBB9EFFF427C7D872568306769F7A
SHA-256:	C4E771BDF6F08CA34B945F36A527F2FC33BB162DB01D262D154F91EBC6017C7D
SHA-512:	526165CE6E034180D6D0BCF4056C2E416596C865DAC3318A48673436ECE14E45B67390EDB163B10822262C9756C8E92BF919A67C3654F7AE58DC0A5EA563DFEB
Malicious:	false
Preview:	{"type":"health","id":"5617ebd2-ec1e-417f-840c-27ef116f9e72","creationDate":"2024-10-29T04:43:29.147Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\5617ebd2-ec1e-417f-840c-27ef116f9e72.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	modified
Size (bytes):	493
Entropy (8bit):	4.955800360108547
Encrypted:	false
SSDEEP:	12:YZFgB145ZxIVHlW8cOlZGV1AQIYzvZcyBuLZ2d:Y04RSlCOlZGV1AQIWZcy6Z2d
MD5:	63CFA633A047DEAA14D6BF80252EE7FD
SHA1:	A4634165785BBB9EFFF427C7D872568306769F7A
SHA-256:	C4E771BDF6F08CA34B945F36A527F2FC33BB162DB01D262D154F91EBC6017C7D
SHA-512:	526165CE6E034180D6D0BCF4056C2E416596C865DAC3318A48673436ECE14E45B67390EDB163B10822262C9756C8E92BF919A67C3654F7AE58DC0A5EA563DFEB
Malicious:	false
Preview:	{"type":"health","id":"5617ebd2-ec1e-417f-840c-27ef116f9e72","creationDate":"2024-10-29T04:43:29.147Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1567
Entropy (8bit):	6.344733803979136
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSRLXnIgtL/pnxQwRlscT5sKtK3eHV4DjuTVNamhujJlOsIomNVr0ay:GUpOx01FnRfo3e7TVN4JlIquR4
MD5:	CE7786E710F37C2F6B1AEF6C9021DFC9
SHA1:	8D7B046C5036238DC8F462DC99A88463FF99B777
SHA-256:	85F822AC029C0A7C752E96E0351805DA04F3665654292FC8AFCF1535271D086C
SHA-512:	B220C4753B355D394DB392637C1F5DAEED1D2CBE6C1776F7BAF3FCF5668CB9CD5B7E35533E73A4AA0C00276F03366E68EFD846CDE51A2B476E265CD932150C98
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{b2cf714e-d6f2-4a7e-8cae-6c4b72ae1c70}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730176984604,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758...dth":116....eight":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P48348...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...%8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb...fe726755","pa..p"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...53128,"originA...."firs

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1567
Entropy (8bit):	6.344733803979136
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSRLXnIgtL/pnxQwRlscT5sKtK3eHV4DjuTVNamhujJlOsIomNVr0ay:GUpOx01FnRfo3e7TVN4JlIquR4
MD5:	CE7786E710F37C2F6B1AEF6C9021DFC9
SHA1:	8D7B046C5036238DC8F462DC99A88463FF99B777
SHA-256:	85F822AC029C0A7C752E96E0351805DA04F3665654292FC8AFCF1535271D086C
SHA-512:	B220C4753B355D394DB392637C1F5DAEED1D2CBE6C1776F7BAF3FCF5668CB9CD5B7E35533E73A4AA0C00276F03366E68EFD846CDE51A2B476E265CD932150C98
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{b2cf714e-d6f2-4a7e-8cae-6c4b72ae1c70}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730176984604,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758...dth":116....eight":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P48348...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...%8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb...fe726755","pa..p"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...53128,"originA...."firs

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1567
Entropy (8bit):	6.344733803979136
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSRLXnIgtL/pnxQwRlscT5sKtK3eHV4DjuTVNamhujJlOsIomNVr0ay:GUpOx01FnRfo3e7TVN4JlIquR4
MD5:	CE7786E710F37C2F6B1AEF6C9021DFC9
SHA1:	8D7B046C5036238DC8F462DC99A88463FF99B777
SHA-256:	85F822AC029C0A7C752E96E0351805DA04F3665654292FC8AFCF1535271D086C
SHA-512:	B220C4753B355D394DB392637C1F5DAEED1D2CBE6C1776F7BAF3FCF5668CB9CD5B7E35533E73A4AA0C00276F03366E68EFD846CDE51A2B476E265CD932150C98
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{b2cf714e-d6f2-4a7e-8cae-6c4b72ae1c70}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730176984604,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758...dth":116....eight":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P48348...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...%8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb...fe726755","pa..p"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...53128,"originA...."firs

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.034587353406188
Encrypted:	false
SSDEEP:	48:YrSAY96UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:yc9yTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	E3E8AF25FAB105B3A77708AEDD4033A0
SHA1:	74C1B0F065F1695BAF0E9530ACCB3A882DC75D32
SHA-256:	8F6C65342BFB48596C82861DDF2EA104C6D1B1FDC271B0F17BD0B7C803EB03D6
SHA-512:	DF9BD40ADC217644B5232AB8EF33D0B07E1C8FFF21B4B7D05C36DA90379685944F498122609E839E7F92564A98078F25434A88BAC9B8A2EF3DC4280C4631C724
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-29T04:42:40.866Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.034587353406188
Encrypted:	false
SSDEEP:	48:YrSAY96UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:yc9yTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	E3E8AF25FAB105B3A77708AEDD4033A0
SHA1:	74C1B0F065F1695BAF0E9530ACCB3A882DC75D32
SHA-256:	8F6C65342BFB48596C82861DDF2EA104C6D1B1FDC271B0F17BD0B7C803EB03D6
SHA-512:	DF9BD40ADC217644B5232AB8EF33D0B07E1C8FFF21B4B7D05C36DA90379685944F498122609E839E7F92564A98078F25434A88BAC9B8A2EF3DC4280C4631C724
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-29T04:42:40.866Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584691346070295
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	0357e5852cd0e3c44b1092e9338cf930
SHA1:	a3768bf0ad795f9c4e506eeb3f03984282bbd040
SHA256:	eb45c05e8d629f18973a325ec2e42cce259c1a7fb0f518820af62fb249df8804
SHA512:	d1f4512a1f520173ffe212f9fb4ea508fbcc36de1dd5a9c45b8e4ef85765801323fdef1473013060f0dcd9440ab84a2b381f980735d1868cd0a5f8fc323aa6bd
SSDEEP:	12288:9qDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/Ti:9qDEvCTbMWu7rQYlBQcBiT6rprG8abi
TLSH:	42159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67205592 [Tue Oct 29 03:25:06 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F563D5336A3h
jmp 00007F563D532FAFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F563D53318Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F563D53315Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F563D535D4Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F563D535D98h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F563D535D81h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	63f4d91970cd11dc8aa0cb0dbceea3ac	False	0.3156398338607595	data	5.373848602885072	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 29, 2024 04:27:05.431834936 CET	49736	443	192.168.2.4	35.190.72.216
Oct 29, 2024 04:27:05.431936979 CET	443	49736	35.190.72.216	192.168.2.4
Oct 29, 2024 04:27:05.433993101 CET	49736	443	192.168.2.4	35.190.72.216
Oct 29, 2024 04:27:05.438844919 CET	49736	443	192.168.2.4	35.190.72.216
Oct 29, 2024 04:27:05.438879967 CET	443	49736	35.190.72.216	192.168.2.4
Oct 29, 2024 04:27:06.056893110 CET	443	49736	35.190.72.216	192.168.2.4
Oct 29, 2024 04:27:06.056972027 CET	49736	443	192.168.2.4	35.190.72.216
Oct 29, 2024 04:27:06.064780951 CET	49736	443	192.168.2.4	35.190.72.216
Oct 29, 2024 04:27:06.064805031 CET	443	49736	35.190.72.216	192.168.2.4
Oct 29, 2024 04:27:06.064907074 CET	49736	443	192.168.2.4	35.190.72.216
Oct 29, 2024 04:27:06.064987898 CET	443	49736	35.190.72.216	192.168.2.4
Oct 29, 2024 04:27:06.065057039 CET	49736	443	192.168.2.4	35.190.72.216
Oct 29, 2024 04:27:07.474809885 CET	49738	443	192.168.2.4	216.58.206.78
Oct 29, 2024 04:27:07.474858046 CET	443	49738	216.58.206.78	192.168.2.4
Oct 29, 2024 04:27:07.475119114 CET	49738	443	192.168.2.4	216.58.206.78
Oct 29, 2024 04:27:07.476644039 CET	49738	443	192.168.2.4	216.58.206.78
Oct 29, 2024 04:27:07.476669073 CET	443	49738	216.58.206.78	192.168.2.4
Oct 29, 2024 04:27:07.603929996 CET	49739	443	192.168.2.4	216.58.206.78
Oct 29, 2024 04:27:07.604027033 CET	443	49739	216.58.206.78	192.168.2.4
Oct 29, 2024 04:27:07.614348888 CET	49739	443	192.168.2.4	216.58.206.78
Oct 29, 2024 04:27:07.616235971 CET	49739	443	192.168.2.4	216.58.206.78
Oct 29, 2024 04:27:07.616295099 CET	443	49739	216.58.206.78	192.168.2.4
Oct 29, 2024 04:27:07.620866060 CET	49740	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:07.626272917 CET	80	49740	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:07.629956961 CET	49740	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:07.647979975 CET	49740	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:07.653352022 CET	80	49740	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:08.342246056 CET	80	49740	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:08.345474005 CET	49741	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:08.345508099 CET	443	49741	35.244.181.201	192.168.2.4
Oct 29, 2024 04:27:08.345684052 CET	49742	443	192.168.2.4	34.117.188.166
Oct 29, 2024 04:27:08.345690012 CET	443	49742	34.117.188.166	192.168.2.4
Oct 29, 2024 04:27:08.346009970 CET	49741	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:08.346090078 CET	49742	443	192.168.2.4	34.117.188.166
Oct 29, 2024 04:27:08.346199989 CET	49741	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:08.346206903 CET	443	49741	35.244.181.201	192.168.2.4
Oct 29, 2024 04:27:08.347742081 CET	49742	443	192.168.2.4	34.117.188.166
Oct 29, 2024 04:27:08.347749949 CET	443	49742	34.117.188.166	192.168.2.4
Oct 29, 2024 04:27:08.348109961 CET	49743	443	192.168.2.4	34.117.188.166
Oct 29, 2024 04:27:08.348193884 CET	443	49743	34.117.188.166	192.168.2.4
Oct 29, 2024 04:27:08.348277092 CET	49743	443	192.168.2.4	34.117.188.166
Oct 29, 2024 04:27:08.349694014 CET	49743	443	192.168.2.4	34.117.188.166
Oct 29, 2024 04:27:08.349729061 CET	443	49743	34.117.188.166	192.168.2.4
Oct 29, 2024 04:27:08.361099005 CET	443	49738	216.58.206.78	192.168.2.4
Oct 29, 2024 04:27:08.361170053 CET	49738	443	192.168.2.4	216.58.206.78
Oct 29, 2024 04:27:08.361802101 CET	443	49738	216.58.206.78	192.168.2.4
Oct 29, 2024 04:27:08.361851931 CET	49738	443	192.168.2.4	216.58.206.78
Oct 29, 2024 04:27:08.366461992 CET	49738	443	192.168.2.4	216.58.206.78
Oct 29, 2024 04:27:08.366475105 CET	443	49738	216.58.206.78	192.168.2.4
Oct 29, 2024 04:27:08.366549015 CET	49738	443	192.168.2.4	216.58.206.78
Oct 29, 2024 04:27:08.366703033 CET	443	49738	216.58.206.78	192.168.2.4
Oct 29, 2024 04:27:08.366751909 CET	49738	443	192.168.2.4	216.58.206.78
Oct 29, 2024 04:27:08.400942087 CET	49740	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:08.416131020 CET	49744	443	192.168.2.4	34.160.144.191
Oct 29, 2024 04:27:08.416186094 CET	443	49744	34.160.144.191	192.168.2.4
Oct 29, 2024 04:27:08.416590929 CET	49744	443	192.168.2.4	34.160.144.191
Oct 29, 2024 04:27:08.416724920 CET	49744	443	192.168.2.4	34.160.144.191
Oct 29, 2024 04:27:08.416744947 CET	443	49744	34.160.144.191	192.168.2.4
Oct 29, 2024 04:27:08.465361118 CET	443	49739	216.58.206.78	192.168.2.4
Oct 29, 2024 04:27:08.465382099 CET	443	49739	216.58.206.78	192.168.2.4
Oct 29, 2024 04:27:08.465431929 CET	49739	443	192.168.2.4	216.58.206.78
Oct 29, 2024 04:27:08.466851950 CET	443	49739	216.58.206.78	192.168.2.4
Oct 29, 2024 04:27:08.466906071 CET	49739	443	192.168.2.4	216.58.206.78
Oct 29, 2024 04:27:08.466928005 CET	443	49739	216.58.206.78	192.168.2.4
Oct 29, 2024 04:27:08.471009970 CET	49739	443	192.168.2.4	216.58.206.78
Oct 29, 2024 04:27:08.471041918 CET	443	49739	216.58.206.78	192.168.2.4
Oct 29, 2024 04:27:08.471124887 CET	49739	443	192.168.2.4	216.58.206.78
Oct 29, 2024 04:27:08.471283913 CET	443	49739	216.58.206.78	192.168.2.4
Oct 29, 2024 04:27:08.471420050 CET	49746	443	192.168.2.4	216.58.206.78
Oct 29, 2024 04:27:08.471450090 CET	443	49746	216.58.206.78	192.168.2.4
Oct 29, 2024 04:27:08.471477985 CET	49739	443	192.168.2.4	216.58.206.78
Oct 29, 2024 04:27:08.471795082 CET	49746	443	192.168.2.4	216.58.206.78
Oct 29, 2024 04:27:08.473102093 CET	49746	443	192.168.2.4	216.58.206.78
Oct 29, 2024 04:27:08.473128080 CET	443	49746	216.58.206.78	192.168.2.4
Oct 29, 2024 04:27:08.519711018 CET	49747	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:08.525108099 CET	80	49747	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:08.526318073 CET	49747	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:08.526585102 CET	49747	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:08.531848907 CET	80	49747	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:08.929477930 CET	49749	443	192.168.2.4	34.107.243.93
Oct 29, 2024 04:27:08.929517984 CET	443	49749	34.107.243.93	192.168.2.4
Oct 29, 2024 04:27:08.932516098 CET	49749	443	192.168.2.4	34.107.243.93
Oct 29, 2024 04:27:08.934195995 CET	49749	443	192.168.2.4	34.107.243.93
Oct 29, 2024 04:27:08.934216976 CET	443	49749	34.107.243.93	192.168.2.4
Oct 29, 2024 04:27:08.970858097 CET	443	49741	35.244.181.201	192.168.2.4
Oct 29, 2024 04:27:08.970937014 CET	49741	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:08.973011017 CET	443	49743	34.117.188.166	192.168.2.4
Oct 29, 2024 04:27:08.973119974 CET	49743	443	192.168.2.4	34.117.188.166
Oct 29, 2024 04:27:08.975274086 CET	49741	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:08.975280046 CET	443	49741	35.244.181.201	192.168.2.4
Oct 29, 2024 04:27:08.975567102 CET	443	49742	34.117.188.166	192.168.2.4
Oct 29, 2024 04:27:08.975703001 CET	443	49741	35.244.181.201	192.168.2.4
Oct 29, 2024 04:27:08.977941990 CET	49741	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:08.978024006 CET	49741	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:08.978156090 CET	443	49741	35.244.181.201	192.168.2.4
Oct 29, 2024 04:27:08.979518890 CET	49743	443	192.168.2.4	34.117.188.166
Oct 29, 2024 04:27:08.979540110 CET	443	49743	34.117.188.166	192.168.2.4
Oct 29, 2024 04:27:08.979589939 CET	49743	443	192.168.2.4	34.117.188.166
Oct 29, 2024 04:27:08.979810953 CET	443	49743	34.117.188.166	192.168.2.4
Oct 29, 2024 04:27:08.980554104 CET	49741	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:08.980567932 CET	49741	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:08.980583906 CET	49742	443	192.168.2.4	34.117.188.166
Oct 29, 2024 04:27:08.980585098 CET	49743	443	192.168.2.4	34.117.188.166
Oct 29, 2024 04:27:08.984743118 CET	49742	443	192.168.2.4	34.117.188.166
Oct 29, 2024 04:27:08.984747887 CET	443	49742	34.117.188.166	192.168.2.4
Oct 29, 2024 04:27:08.984819889 CET	49742	443	192.168.2.4	34.117.188.166
Oct 29, 2024 04:27:08.984963894 CET	443	49742	34.117.188.166	192.168.2.4
Oct 29, 2024 04:27:08.988526106 CET	49742	443	192.168.2.4	34.117.188.166
Oct 29, 2024 04:27:09.031168938 CET	443	49744	34.160.144.191	192.168.2.4
Oct 29, 2024 04:27:09.031251907 CET	49744	443	192.168.2.4	34.160.144.191
Oct 29, 2024 04:27:09.034466028 CET	49744	443	192.168.2.4	34.160.144.191
Oct 29, 2024 04:27:09.034493923 CET	443	49744	34.160.144.191	192.168.2.4
Oct 29, 2024 04:27:09.034729004 CET	443	49744	34.160.144.191	192.168.2.4
Oct 29, 2024 04:27:09.037095070 CET	49744	443	192.168.2.4	34.160.144.191
Oct 29, 2024 04:27:09.037203074 CET	49744	443	192.168.2.4	34.160.144.191
Oct 29, 2024 04:27:09.037240982 CET	443	49744	34.160.144.191	192.168.2.4
Oct 29, 2024 04:27:09.037544966 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 04:27:09.037570000 CET	49744	443	192.168.2.4	34.160.144.191
Oct 29, 2024 04:27:09.037631035 CET	443	49750	34.160.144.191	192.168.2.4
Oct 29, 2024 04:27:09.037710905 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 04:27:09.037825108 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 04:27:09.037842035 CET	443	49750	34.160.144.191	192.168.2.4
Oct 29, 2024 04:27:09.123693943 CET	80	49747	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:09.165493965 CET	49747	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:09.214610100 CET	49740	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:09.214649916 CET	49747	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:09.220432997 CET	80	49740	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:09.221051931 CET	80	49747	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:09.234509945 CET	49740	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:09.234524965 CET	49747	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:09.320776939 CET	443	49746	216.58.206.78	192.168.2.4
Oct 29, 2024 04:27:09.321372986 CET	443	49746	216.58.206.78	192.168.2.4
Oct 29, 2024 04:27:09.330430984 CET	49746	443	192.168.2.4	216.58.206.78
Oct 29, 2024 04:27:09.330502033 CET	443	49746	216.58.206.78	192.168.2.4
Oct 29, 2024 04:27:09.349661112 CET	49746	443	192.168.2.4	216.58.206.78
Oct 29, 2024 04:27:09.349706888 CET	443	49746	216.58.206.78	192.168.2.4
Oct 29, 2024 04:27:09.349761009 CET	49746	443	192.168.2.4	216.58.206.78
Oct 29, 2024 04:27:09.349879980 CET	443	49746	216.58.206.78	192.168.2.4
Oct 29, 2024 04:27:09.358623028 CET	49746	443	192.168.2.4	216.58.206.78
Oct 29, 2024 04:27:09.526535034 CET	49751	443	192.168.2.4	34.117.188.166
Oct 29, 2024 04:27:09.526557922 CET	443	49751	34.117.188.166	192.168.2.4
Oct 29, 2024 04:27:09.539881945 CET	49751	443	192.168.2.4	34.117.188.166
Oct 29, 2024 04:27:09.553045034 CET	49751	443	192.168.2.4	34.117.188.166
Oct 29, 2024 04:27:09.553052902 CET	443	49751	34.117.188.166	192.168.2.4
Oct 29, 2024 04:27:09.554289103 CET	443	49749	34.107.243.93	192.168.2.4
Oct 29, 2024 04:27:09.558444977 CET	49752	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:09.560087919 CET	49749	443	192.168.2.4	34.107.243.93
Oct 29, 2024 04:27:09.563716888 CET	80	49752	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:09.564132929 CET	49749	443	192.168.2.4	34.107.243.93
Oct 29, 2024 04:27:09.564146042 CET	443	49749	34.107.243.93	192.168.2.4
Oct 29, 2024 04:27:09.564194918 CET	49749	443	192.168.2.4	34.107.243.93
Oct 29, 2024 04:27:09.564449072 CET	443	49749	34.107.243.93	192.168.2.4
Oct 29, 2024 04:27:09.568820000 CET	49749	443	192.168.2.4	34.107.243.93
Oct 29, 2024 04:27:09.568903923 CET	49752	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:09.568979979 CET	49752	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:09.574187040 CET	80	49752	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:09.643681049 CET	443	49750	34.160.144.191	192.168.2.4
Oct 29, 2024 04:27:09.644335032 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 04:27:09.647422075 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 04:27:09.647448063 CET	443	49750	34.160.144.191	192.168.2.4
Oct 29, 2024 04:27:09.647691965 CET	443	49750	34.160.144.191	192.168.2.4
Oct 29, 2024 04:27:09.650136948 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 04:27:09.650202036 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 04:27:09.650304079 CET	443	49750	34.160.144.191	192.168.2.4
Oct 29, 2024 04:27:09.650402069 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 04:27:10.164074898 CET	443	49751	34.117.188.166	192.168.2.4
Oct 29, 2024 04:27:10.164083958 CET	443	49751	34.117.188.166	192.168.2.4
Oct 29, 2024 04:27:10.164213896 CET	49751	443	192.168.2.4	34.117.188.166
Oct 29, 2024 04:27:10.169205904 CET	49751	443	192.168.2.4	34.117.188.166
Oct 29, 2024 04:27:10.169218063 CET	443	49751	34.117.188.166	192.168.2.4
Oct 29, 2024 04:27:10.169333935 CET	49751	443	192.168.2.4	34.117.188.166
Oct 29, 2024 04:27:10.169344902 CET	443	49751	34.117.188.166	192.168.2.4
Oct 29, 2024 04:27:10.169730902 CET	49754	443	192.168.2.4	34.117.188.166
Oct 29, 2024 04:27:10.169770956 CET	49751	443	192.168.2.4	34.117.188.166
Oct 29, 2024 04:27:10.169821978 CET	443	49754	34.117.188.166	192.168.2.4
Oct 29, 2024 04:27:10.169898987 CET	49754	443	192.168.2.4	34.117.188.166
Oct 29, 2024 04:27:10.171219110 CET	49754	443	192.168.2.4	34.117.188.166
Oct 29, 2024 04:27:10.171256065 CET	443	49754	34.117.188.166	192.168.2.4
Oct 29, 2024 04:27:10.173109055 CET	80	49752	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:10.229084015 CET	49752	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:10.384891033 CET	49755	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:10.425204039 CET	49752	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:10.596606016 CET	80	49755	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:10.596642971 CET	80	49752	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:10.598100901 CET	49755	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:10.598274946 CET	49755	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:10.603743076 CET	80	49755	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:10.717672110 CET	80	49752	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:10.761797905 CET	49752	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:10.783215046 CET	49755	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:10.787936926 CET	443	49754	34.117.188.166	192.168.2.4
Oct 29, 2024 04:27:10.793149948 CET	49754	443	192.168.2.4	34.117.188.166
Oct 29, 2024 04:27:10.815839052 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:10.821294069 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:10.826798916 CET	49754	443	192.168.2.4	34.117.188.166
Oct 29, 2024 04:27:10.826853991 CET	443	49754	34.117.188.166	192.168.2.4
Oct 29, 2024 04:27:10.826888084 CET	49754	443	192.168.2.4	34.117.188.166
Oct 29, 2024 04:27:10.827018976 CET	443	49754	34.117.188.166	192.168.2.4
Oct 29, 2024 04:27:10.830909967 CET	49754	443	192.168.2.4	34.117.188.166
Oct 29, 2024 04:27:10.830934048 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:10.831154108 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:10.831222057 CET	80	49755	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:10.836493015 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:11.069214106 CET	80	49755	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:11.078787088 CET	49755	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:11.098578930 CET	49752	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:11.103857040 CET	80	49752	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:11.113334894 CET	49757	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:11.113440037 CET	443	49757	35.244.181.201	192.168.2.4
Oct 29, 2024 04:27:11.113711119 CET	49757	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:11.113780975 CET	49757	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:11.113811970 CET	443	49757	35.244.181.201	192.168.2.4
Oct 29, 2024 04:27:11.215820074 CET	49758	443	192.168.2.4	34.149.100.209
Oct 29, 2024 04:27:11.215917110 CET	443	49758	34.149.100.209	192.168.2.4
Oct 29, 2024 04:27:11.216258049 CET	49758	443	192.168.2.4	34.149.100.209
Oct 29, 2024 04:27:11.217678070 CET	49758	443	192.168.2.4	34.149.100.209
Oct 29, 2024 04:27:11.217713118 CET	443	49758	34.149.100.209	192.168.2.4
Oct 29, 2024 04:27:11.225826979 CET	80	49752	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:11.226562023 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:11.229415894 CET	49759	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:11.235851049 CET	80	49759	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:11.236562014 CET	49759	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:11.247147083 CET	49759	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:11.253587961 CET	80	49759	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:11.275902987 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:11.279428959 CET	49752	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:11.299841881 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:11.300422907 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:11.721695900 CET	443	49757	35.244.181.201	192.168.2.4
Oct 29, 2024 04:27:11.728511095 CET	49757	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:11.734683037 CET	49757	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:11.734724045 CET	443	49757	35.244.181.201	192.168.2.4
Oct 29, 2024 04:27:11.734985113 CET	443	49757	35.244.181.201	192.168.2.4
Oct 29, 2024 04:27:11.736829042 CET	49757	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:11.736918926 CET	49757	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:11.737034082 CET	443	49757	35.244.181.201	192.168.2.4
Oct 29, 2024 04:27:11.748496056 CET	49757	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:11.748697042 CET	49757	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:11.832415104 CET	80	49759	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:11.838361025 CET	443	49758	34.149.100.209	192.168.2.4
Oct 29, 2024 04:27:11.838623047 CET	49758	443	192.168.2.4	34.149.100.209
Oct 29, 2024 04:27:11.842674017 CET	49758	443	192.168.2.4	34.149.100.209
Oct 29, 2024 04:27:11.842699051 CET	443	49758	34.149.100.209	192.168.2.4
Oct 29, 2024 04:27:11.842744112 CET	49758	443	192.168.2.4	34.149.100.209
Oct 29, 2024 04:27:11.842981100 CET	443	49758	34.149.100.209	192.168.2.4
Oct 29, 2024 04:27:11.843177080 CET	49758	443	192.168.2.4	34.149.100.209
Oct 29, 2024 04:27:11.890444040 CET	49759	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:12.011135101 CET	49752	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:12.016587019 CET	80	49752	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:12.033888102 CET	49760	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:27:12.033915997 CET	443	49760	34.120.208.123	192.168.2.4
Oct 29, 2024 04:27:12.034518003 CET	49760	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:27:12.036050081 CET	49760	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:27:12.036062002 CET	443	49760	34.120.208.123	192.168.2.4
Oct 29, 2024 04:27:12.050741911 CET	49761	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:27:12.050786972 CET	443	49761	34.120.208.123	192.168.2.4
Oct 29, 2024 04:27:12.050973892 CET	49762	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:27:12.050986052 CET	443	49762	34.120.208.123	192.168.2.4
Oct 29, 2024 04:27:12.050997019 CET	49761	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:27:12.051129103 CET	49761	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:27:12.051146984 CET	443	49761	34.120.208.123	192.168.2.4
Oct 29, 2024 04:27:12.051485062 CET	49762	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:27:12.051609039 CET	49762	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:27:12.051620007 CET	443	49762	34.120.208.123	192.168.2.4
Oct 29, 2024 04:27:12.137751102 CET	80	49752	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:12.140791893 CET	49759	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:12.146238089 CET	80	49759	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:12.185956001 CET	49752	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:12.265816927 CET	80	49759	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:12.317825079 CET	49759	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:12.654820919 CET	443	49760	34.120.208.123	192.168.2.4
Oct 29, 2024 04:27:12.654967070 CET	49760	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:27:12.672157049 CET	443	49761	34.120.208.123	192.168.2.4
Oct 29, 2024 04:27:12.672244072 CET	49761	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:27:12.688549042 CET	443	49762	34.120.208.123	192.168.2.4
Oct 29, 2024 04:27:12.688633919 CET	49762	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:27:12.693017006 CET	49761	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:27:12.693063021 CET	443	49761	34.120.208.123	192.168.2.4
Oct 29, 2024 04:27:12.693396091 CET	443	49761	34.120.208.123	192.168.2.4
Oct 29, 2024 04:27:12.695868015 CET	49762	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:27:12.695883989 CET	443	49762	34.120.208.123	192.168.2.4
Oct 29, 2024 04:27:12.696765900 CET	443	49762	34.120.208.123	192.168.2.4
Oct 29, 2024 04:27:12.699467897 CET	49760	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:27:12.699480057 CET	443	49760	34.120.208.123	192.168.2.4
Oct 29, 2024 04:27:12.699646950 CET	443	49760	34.120.208.123	192.168.2.4
Oct 29, 2024 04:27:12.699790001 CET	49760	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:27:12.700052977 CET	49760	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:27:12.700076103 CET	443	49760	34.120.208.123	192.168.2.4
Oct 29, 2024 04:27:12.700419903 CET	49761	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:27:12.700486898 CET	49761	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:27:12.700628996 CET	443	49761	34.120.208.123	192.168.2.4
Oct 29, 2024 04:27:12.700661898 CET	49762	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:27:12.700715065 CET	49762	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:27:12.700721025 CET	49761	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:27:12.701069117 CET	443	49762	34.120.208.123	192.168.2.4
Oct 29, 2024 04:27:12.701148987 CET	49762	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:27:16.234829903 CET	49752	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:16.240277052 CET	80	49752	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:16.361776114 CET	80	49752	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:16.411786079 CET	49752	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:16.538938046 CET	49763	443	192.168.2.4	34.107.243.93
Oct 29, 2024 04:27:16.538964033 CET	443	49763	34.107.243.93	192.168.2.4
Oct 29, 2024 04:27:16.539385080 CET	49764	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:27:16.539416075 CET	443	49764	34.120.208.123	192.168.2.4
Oct 29, 2024 04:27:16.540648937 CET	49764	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:27:16.540657997 CET	49763	443	192.168.2.4	34.107.243.93
Oct 29, 2024 04:27:16.542256117 CET	49763	443	192.168.2.4	34.107.243.93
Oct 29, 2024 04:27:16.542268038 CET	443	49763	34.107.243.93	192.168.2.4
Oct 29, 2024 04:27:16.545084000 CET	49764	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:27:16.545097113 CET	443	49764	34.120.208.123	192.168.2.4
Oct 29, 2024 04:27:17.147870064 CET	443	49763	34.107.243.93	192.168.2.4
Oct 29, 2024 04:27:17.147973061 CET	49763	443	192.168.2.4	34.107.243.93
Oct 29, 2024 04:27:17.162254095 CET	443	49764	34.120.208.123	192.168.2.4
Oct 29, 2024 04:27:17.162328005 CET	49764	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:27:17.492471933 CET	49763	443	192.168.2.4	34.107.243.93
Oct 29, 2024 04:27:17.492487907 CET	443	49763	34.107.243.93	192.168.2.4
Oct 29, 2024 04:27:17.492628098 CET	49764	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:27:17.492630005 CET	49763	443	192.168.2.4	34.107.243.93
Oct 29, 2024 04:27:17.492652893 CET	443	49764	34.120.208.123	192.168.2.4
Oct 29, 2024 04:27:17.492685080 CET	49764	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:27:17.493010998 CET	443	49763	34.107.243.93	192.168.2.4
Oct 29, 2024 04:27:17.493135929 CET	49763	443	192.168.2.4	34.107.243.93
Oct 29, 2024 04:27:17.493174076 CET	443	49764	34.120.208.123	192.168.2.4
Oct 29, 2024 04:27:17.493303061 CET	49764	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:27:18.508136034 CET	49759	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:18.513528109 CET	80	49759	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:18.633842945 CET	80	49759	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:18.680985928 CET	49759	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:19.083152056 CET	49752	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:19.088637114 CET	80	49752	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:19.200459957 CET	49768	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:27:19.200489998 CET	443	49768	34.120.208.123	192.168.2.4
Oct 29, 2024 04:27:19.201292992 CET	49768	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:27:19.202666044 CET	49768	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:27:19.202681065 CET	443	49768	34.120.208.123	192.168.2.4
Oct 29, 2024 04:27:19.210103989 CET	80	49752	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:19.251477003 CET	49752	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:19.329428911 CET	49759	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:19.334876060 CET	80	49759	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:19.612632990 CET	80	49759	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:19.652560949 CET	49759	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:19.801914930 CET	443	49768	34.120.208.123	192.168.2.4
Oct 29, 2024 04:27:19.802063942 CET	49768	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:27:20.474951029 CET	49768	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:27:20.474972010 CET	443	49768	34.120.208.123	192.168.2.4
Oct 29, 2024 04:27:20.475030899 CET	49768	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:27:20.475327015 CET	443	49768	34.120.208.123	192.168.2.4
Oct 29, 2024 04:27:20.481273890 CET	49768	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:27:20.638874054 CET	49752	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:20.644411087 CET	80	49752	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:20.765727043 CET	80	49752	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:20.822001934 CET	49752	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:22.397349119 CET	49759	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:22.402889967 CET	80	49759	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:22.647888899 CET	80	49759	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:22.695180893 CET	49759	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:29.087755919 CET	49772	443	192.168.2.4	34.107.243.93
Oct 29, 2024 04:27:29.087860107 CET	443	49772	34.107.243.93	192.168.2.4
Oct 29, 2024 04:27:29.088015079 CET	49772	443	192.168.2.4	34.107.243.93
Oct 29, 2024 04:27:29.089401960 CET	49772	443	192.168.2.4	34.107.243.93
Oct 29, 2024 04:27:29.089452982 CET	443	49772	34.107.243.93	192.168.2.4
Oct 29, 2024 04:27:29.695023060 CET	443	49772	34.107.243.93	192.168.2.4
Oct 29, 2024 04:27:29.695121050 CET	49772	443	192.168.2.4	34.107.243.93
Oct 29, 2024 04:27:29.699692011 CET	49772	443	192.168.2.4	34.107.243.93
Oct 29, 2024 04:27:29.699736118 CET	443	49772	34.107.243.93	192.168.2.4
Oct 29, 2024 04:27:29.699788094 CET	49772	443	192.168.2.4	34.107.243.93
Oct 29, 2024 04:27:29.699882030 CET	443	49772	34.107.243.93	192.168.2.4
Oct 29, 2024 04:27:29.700109005 CET	49772	443	192.168.2.4	34.107.243.93
Oct 29, 2024 04:27:29.703784943 CET	49752	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:29.709844112 CET	80	49752	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:29.831309080 CET	80	49752	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:29.834912062 CET	49759	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:29.841195107 CET	80	49759	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:29.884516001 CET	49752	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:29.960576057 CET	80	49759	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:30.016055107 CET	49759	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:34.116585016 CET	49773	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:34.116641998 CET	443	49773	35.244.181.201	192.168.2.4
Oct 29, 2024 04:27:34.117258072 CET	49773	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:34.117404938 CET	49773	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:34.117444992 CET	443	49773	35.244.181.201	192.168.2.4
Oct 29, 2024 04:27:34.136971951 CET	49774	443	192.168.2.4	34.149.100.209
Oct 29, 2024 04:27:34.137059927 CET	443	49774	34.149.100.209	192.168.2.4
Oct 29, 2024 04:27:34.137188911 CET	49774	443	192.168.2.4	34.149.100.209
Oct 29, 2024 04:27:34.137288094 CET	49774	443	192.168.2.4	34.149.100.209
Oct 29, 2024 04:27:34.137315035 CET	443	49774	34.149.100.209	192.168.2.4
Oct 29, 2024 04:27:34.145021915 CET	49775	443	192.168.2.4	151.101.65.91
Oct 29, 2024 04:27:34.145056009 CET	443	49775	151.101.65.91	192.168.2.4
Oct 29, 2024 04:27:34.145365953 CET	49775	443	192.168.2.4	151.101.65.91
Oct 29, 2024 04:27:34.145431042 CET	49775	443	192.168.2.4	151.101.65.91
Oct 29, 2024 04:27:34.145442009 CET	443	49775	151.101.65.91	192.168.2.4
Oct 29, 2024 04:27:34.157699108 CET	49776	443	192.168.2.4	35.190.72.216
Oct 29, 2024 04:27:34.157749891 CET	443	49776	35.190.72.216	192.168.2.4
Oct 29, 2024 04:27:34.163959980 CET	49776	443	192.168.2.4	35.190.72.216
Oct 29, 2024 04:27:34.172136068 CET	49776	443	192.168.2.4	35.190.72.216
Oct 29, 2024 04:27:34.172173977 CET	443	49776	35.190.72.216	192.168.2.4
Oct 29, 2024 04:27:34.175235033 CET	49777	443	192.168.2.4	35.201.103.21
Oct 29, 2024 04:27:34.175249100 CET	443	49777	35.201.103.21	192.168.2.4
Oct 29, 2024 04:27:34.183001041 CET	49777	443	192.168.2.4	35.201.103.21
Oct 29, 2024 04:27:34.194552898 CET	49777	443	192.168.2.4	35.201.103.21
Oct 29, 2024 04:27:34.194566011 CET	443	49777	35.201.103.21	192.168.2.4
Oct 29, 2024 04:27:34.715678930 CET	443	49773	35.244.181.201	192.168.2.4
Oct 29, 2024 04:27:34.723988056 CET	49773	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:34.727190971 CET	49773	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:34.727226019 CET	443	49773	35.244.181.201	192.168.2.4
Oct 29, 2024 04:27:34.727499962 CET	443	49773	35.244.181.201	192.168.2.4
Oct 29, 2024 04:27:34.733906031 CET	49773	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:34.734015942 CET	49773	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:34.734055042 CET	443	49773	35.244.181.201	192.168.2.4
Oct 29, 2024 04:27:34.734600067 CET	49773	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:34.737746954 CET	49752	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:34.743537903 CET	80	49752	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:34.745285988 CET	443	49774	34.149.100.209	192.168.2.4
Oct 29, 2024 04:27:34.745383978 CET	49774	443	192.168.2.4	34.149.100.209
Oct 29, 2024 04:27:34.748338938 CET	49774	443	192.168.2.4	34.149.100.209
Oct 29, 2024 04:27:34.748359919 CET	443	49774	34.149.100.209	192.168.2.4
Oct 29, 2024 04:27:34.748698950 CET	443	49774	34.149.100.209	192.168.2.4
Oct 29, 2024 04:27:34.750760078 CET	49774	443	192.168.2.4	34.149.100.209
Oct 29, 2024 04:27:34.750840902 CET	49774	443	192.168.2.4	34.149.100.209
Oct 29, 2024 04:27:34.750998020 CET	443	49774	34.149.100.209	192.168.2.4
Oct 29, 2024 04:27:34.751868010 CET	49774	443	192.168.2.4	34.149.100.209
Oct 29, 2024 04:27:34.762381077 CET	443	49775	151.101.65.91	192.168.2.4
Oct 29, 2024 04:27:34.762465000 CET	49775	443	192.168.2.4	151.101.65.91
Oct 29, 2024 04:27:34.765321970 CET	49775	443	192.168.2.4	151.101.65.91
Oct 29, 2024 04:27:34.765331984 CET	443	49775	151.101.65.91	192.168.2.4
Oct 29, 2024 04:27:34.765721083 CET	443	49775	151.101.65.91	192.168.2.4
Oct 29, 2024 04:27:34.767766953 CET	49775	443	192.168.2.4	151.101.65.91
Oct 29, 2024 04:27:34.767838001 CET	49775	443	192.168.2.4	151.101.65.91
Oct 29, 2024 04:27:34.767947912 CET	443	49775	151.101.65.91	192.168.2.4
Oct 29, 2024 04:27:34.772691011 CET	49775	443	192.168.2.4	151.101.65.91
Oct 29, 2024 04:27:34.774589062 CET	49778	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:34.774679899 CET	443	49778	35.244.181.201	192.168.2.4
Oct 29, 2024 04:27:34.775183916 CET	49778	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:34.775290012 CET	49778	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:34.775341034 CET	443	49778	35.244.181.201	192.168.2.4
Oct 29, 2024 04:27:34.776532888 CET	49779	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:34.776561975 CET	443	49779	35.244.181.201	192.168.2.4
Oct 29, 2024 04:27:34.776866913 CET	49779	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:34.776973963 CET	49779	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:34.776984930 CET	443	49779	35.244.181.201	192.168.2.4
Oct 29, 2024 04:27:34.778656006 CET	49780	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:34.778691053 CET	443	49780	35.244.181.201	192.168.2.4
Oct 29, 2024 04:27:34.778879881 CET	49780	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:34.778989077 CET	49780	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:34.779004097 CET	443	49780	35.244.181.201	192.168.2.4
Oct 29, 2024 04:27:34.786609888 CET	443	49776	35.190.72.216	192.168.2.4
Oct 29, 2024 04:27:34.786722898 CET	49776	443	192.168.2.4	35.190.72.216
Oct 29, 2024 04:27:34.791328907 CET	49776	443	192.168.2.4	35.190.72.216
Oct 29, 2024 04:27:34.791352987 CET	443	49776	35.190.72.216	192.168.2.4
Oct 29, 2024 04:27:34.791404963 CET	49776	443	192.168.2.4	35.190.72.216
Oct 29, 2024 04:27:34.791497946 CET	443	49776	35.190.72.216	192.168.2.4
Oct 29, 2024 04:27:34.791760921 CET	49776	443	192.168.2.4	35.190.72.216
Oct 29, 2024 04:27:34.814102888 CET	443	49777	35.201.103.21	192.168.2.4
Oct 29, 2024 04:27:34.814116001 CET	443	49777	35.201.103.21	192.168.2.4
Oct 29, 2024 04:27:34.814197063 CET	49777	443	192.168.2.4	35.201.103.21
Oct 29, 2024 04:27:34.818259954 CET	49777	443	192.168.2.4	35.201.103.21
Oct 29, 2024 04:27:34.818267107 CET	443	49777	35.201.103.21	192.168.2.4
Oct 29, 2024 04:27:34.818336010 CET	49777	443	192.168.2.4	35.201.103.21
Oct 29, 2024 04:27:34.818401098 CET	443	49777	35.201.103.21	192.168.2.4
Oct 29, 2024 04:27:34.818689108 CET	49777	443	192.168.2.4	35.201.103.21
Oct 29, 2024 04:27:34.832149982 CET	49781	443	192.168.2.4	34.149.100.209
Oct 29, 2024 04:27:34.832206011 CET	443	49781	34.149.100.209	192.168.2.4
Oct 29, 2024 04:27:34.832309008 CET	49781	443	192.168.2.4	34.149.100.209
Oct 29, 2024 04:27:34.832396984 CET	49781	443	192.168.2.4	34.149.100.209
Oct 29, 2024 04:27:34.832417011 CET	443	49781	34.149.100.209	192.168.2.4
Oct 29, 2024 04:27:34.865183115 CET	80	49752	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:34.867549896 CET	49759	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:34.872966051 CET	80	49759	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:34.910731077 CET	49752	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:34.992418051 CET	80	49759	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:35.042279959 CET	49759	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:35.382324934 CET	443	49778	35.244.181.201	192.168.2.4
Oct 29, 2024 04:27:35.382410049 CET	49778	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:35.385014057 CET	49778	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:35.385042906 CET	443	49778	35.244.181.201	192.168.2.4
Oct 29, 2024 04:27:35.385304928 CET	443	49778	35.244.181.201	192.168.2.4
Oct 29, 2024 04:27:35.387558937 CET	49778	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:35.387708902 CET	49778	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:35.387720108 CET	443	49778	35.244.181.201	192.168.2.4
Oct 29, 2024 04:27:35.387731075 CET	443	49778	35.244.181.201	192.168.2.4
Oct 29, 2024 04:27:35.388736963 CET	49778	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:35.389995098 CET	443	49779	35.244.181.201	192.168.2.4
Oct 29, 2024 04:27:35.392143965 CET	49752	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:35.392927885 CET	49779	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:35.395606041 CET	49779	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:35.395617962 CET	443	49779	35.244.181.201	192.168.2.4
Oct 29, 2024 04:27:35.396003008 CET	443	49779	35.244.181.201	192.168.2.4
Oct 29, 2024 04:27:35.397460938 CET	80	49752	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:35.397754908 CET	443	49780	35.244.181.201	192.168.2.4
Oct 29, 2024 04:27:35.398546934 CET	49779	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:35.398608923 CET	49779	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:35.398777962 CET	443	49779	35.244.181.201	192.168.2.4
Oct 29, 2024 04:27:35.401320934 CET	49779	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:35.401343107 CET	49780	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:35.403894901 CET	49780	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:35.403907061 CET	443	49780	35.244.181.201	192.168.2.4
Oct 29, 2024 04:27:35.404687881 CET	443	49780	35.244.181.201	192.168.2.4
Oct 29, 2024 04:27:35.406704903 CET	49780	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:35.406780958 CET	49780	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:35.407085896 CET	443	49780	35.244.181.201	192.168.2.4
Oct 29, 2024 04:27:35.407388926 CET	49780	443	192.168.2.4	35.244.181.201
Oct 29, 2024 04:27:35.435935974 CET	443	49781	34.149.100.209	192.168.2.4
Oct 29, 2024 04:27:35.436022043 CET	49781	443	192.168.2.4	34.149.100.209
Oct 29, 2024 04:27:35.438596964 CET	49781	443	192.168.2.4	34.149.100.209
Oct 29, 2024 04:27:35.438626051 CET	443	49781	34.149.100.209	192.168.2.4
Oct 29, 2024 04:27:35.438925028 CET	443	49781	34.149.100.209	192.168.2.4
Oct 29, 2024 04:27:35.440535069 CET	49781	443	192.168.2.4	34.149.100.209
Oct 29, 2024 04:27:35.440599918 CET	49781	443	192.168.2.4	34.149.100.209
Oct 29, 2024 04:27:35.440685034 CET	443	49781	34.149.100.209	192.168.2.4
Oct 29, 2024 04:27:35.441611052 CET	49781	443	192.168.2.4	34.149.100.209
Oct 29, 2024 04:27:35.441648960 CET	49781	443	192.168.2.4	34.149.100.209
Oct 29, 2024 04:27:35.518685102 CET	80	49752	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:35.522140026 CET	49759	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:35.527509928 CET	80	49759	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:35.574968100 CET	49752	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:35.647074938 CET	80	49759	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:35.697403908 CET	49759	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:42.100368023 CET	49752	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:42.105891943 CET	80	49752	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:42.227356911 CET	80	49752	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:42.233376980 CET	49759	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:42.238837957 CET	80	49759	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:42.278799057 CET	49752	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:42.358453989 CET	80	49759	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:42.416878939 CET	49759	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:49.974220991 CET	49784	443	192.168.2.4	34.107.243.93
Oct 29, 2024 04:27:49.974261045 CET	443	49784	34.107.243.93	192.168.2.4
Oct 29, 2024 04:27:49.974347115 CET	49784	443	192.168.2.4	34.107.243.93
Oct 29, 2024 04:27:49.975605011 CET	49784	443	192.168.2.4	34.107.243.93
Oct 29, 2024 04:27:49.975621939 CET	443	49784	34.107.243.93	192.168.2.4
Oct 29, 2024 04:27:50.582717896 CET	443	49784	34.107.243.93	192.168.2.4
Oct 29, 2024 04:27:50.582825899 CET	49784	443	192.168.2.4	34.107.243.93
Oct 29, 2024 04:27:50.586925030 CET	49784	443	192.168.2.4	34.107.243.93
Oct 29, 2024 04:27:50.586937904 CET	443	49784	34.107.243.93	192.168.2.4
Oct 29, 2024 04:27:50.587050915 CET	49784	443	192.168.2.4	34.107.243.93
Oct 29, 2024 04:27:50.587127924 CET	443	49784	34.107.243.93	192.168.2.4
Oct 29, 2024 04:27:50.587706089 CET	49784	443	192.168.2.4	34.107.243.93
Oct 29, 2024 04:27:50.589639902 CET	49752	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:50.595331907 CET	80	49752	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:50.717350006 CET	80	49752	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:50.720603943 CET	49759	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:50.726102114 CET	80	49759	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:50.757877111 CET	49752	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:27:50.845489979 CET	80	49759	34.107.221.82	192.168.2.4
Oct 29, 2024 04:27:50.903168917 CET	49759	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:28:00.730999947 CET	49752	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:28:00.736308098 CET	80	49752	34.107.221.82	192.168.2.4
Oct 29, 2024 04:28:00.869221926 CET	49759	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:28:00.875022888 CET	80	49759	34.107.221.82	192.168.2.4
Oct 29, 2024 04:28:03.889425993 CET	49822	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:03.889487982 CET	443	49822	34.120.208.123	192.168.2.4
Oct 29, 2024 04:28:03.889688969 CET	49823	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:03.889739037 CET	443	49823	34.120.208.123	192.168.2.4
Oct 29, 2024 04:28:03.889854908 CET	49824	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:03.889874935 CET	443	49824	34.120.208.123	192.168.2.4
Oct 29, 2024 04:28:03.890455961 CET	49822	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:03.890470982 CET	49824	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:03.890474081 CET	49823	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:03.890665054 CET	49822	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:03.890696049 CET	443	49822	34.120.208.123	192.168.2.4
Oct 29, 2024 04:28:03.890886068 CET	49824	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:03.890897989 CET	443	49824	34.120.208.123	192.168.2.4
Oct 29, 2024 04:28:03.890995026 CET	49823	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:03.891027927 CET	443	49823	34.120.208.123	192.168.2.4
Oct 29, 2024 04:28:04.496491909 CET	443	49823	34.120.208.123	192.168.2.4
Oct 29, 2024 04:28:04.496572018 CET	49823	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:04.499689102 CET	443	49824	34.120.208.123	192.168.2.4
Oct 29, 2024 04:28:04.499881983 CET	49824	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:04.500046015 CET	49823	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:04.500076056 CET	443	49823	34.120.208.123	192.168.2.4
Oct 29, 2024 04:28:04.501034975 CET	443	49823	34.120.208.123	192.168.2.4
Oct 29, 2024 04:28:04.502546072 CET	49824	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:04.502553940 CET	443	49824	34.120.208.123	192.168.2.4
Oct 29, 2024 04:28:04.502876043 CET	443	49824	34.120.208.123	192.168.2.4
Oct 29, 2024 04:28:04.505325079 CET	49823	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:04.505414963 CET	49823	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:04.505461931 CET	443	49822	34.120.208.123	192.168.2.4
Oct 29, 2024 04:28:04.505584002 CET	49824	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:04.505647898 CET	49824	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:04.505757093 CET	443	49823	34.120.208.123	192.168.2.4
Oct 29, 2024 04:28:04.505816936 CET	443	49824	34.120.208.123	192.168.2.4
Oct 29, 2024 04:28:04.505983114 CET	49823	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:04.506000996 CET	49824	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:04.506019115 CET	49824	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:04.506035089 CET	49822	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:04.506037951 CET	49823	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:04.508766890 CET	49822	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:04.508790970 CET	443	49822	34.120.208.123	192.168.2.4
Oct 29, 2024 04:28:04.509000063 CET	443	49822	34.120.208.123	192.168.2.4
Oct 29, 2024 04:28:04.511039019 CET	49822	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:04.511104107 CET	49822	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:04.511167049 CET	443	49822	34.120.208.123	192.168.2.4
Oct 29, 2024 04:28:04.512522936 CET	49822	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:04.512522936 CET	49822	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:04.543409109 CET	49752	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:28:04.545320988 CET	49826	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:04.545341969 CET	443	49826	34.120.208.123	192.168.2.4
Oct 29, 2024 04:28:04.545495987 CET	49826	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:04.545758963 CET	49826	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:04.545773983 CET	443	49826	34.120.208.123	192.168.2.4
Oct 29, 2024 04:28:04.548747063 CET	80	49752	34.107.221.82	192.168.2.4
Oct 29, 2024 04:28:04.554785967 CET	49827	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:04.554831028 CET	443	49827	34.120.208.123	192.168.2.4
Oct 29, 2024 04:28:04.554913044 CET	49828	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:04.554971933 CET	443	49828	34.120.208.123	192.168.2.4
Oct 29, 2024 04:28:04.555005074 CET	49827	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:04.555108070 CET	49827	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:04.555145979 CET	443	49827	34.120.208.123	192.168.2.4
Oct 29, 2024 04:28:04.555797100 CET	49828	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:04.555923939 CET	49828	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:04.555952072 CET	443	49828	34.120.208.123	192.168.2.4
Oct 29, 2024 04:28:04.575103045 CET	49830	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:04.575134993 CET	443	49830	34.120.208.123	192.168.2.4
Oct 29, 2024 04:28:04.576773882 CET	49830	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:04.577023029 CET	49830	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:04.577050924 CET	443	49830	34.120.208.123	192.168.2.4
Oct 29, 2024 04:28:04.670666933 CET	80	49752	34.107.221.82	192.168.2.4
Oct 29, 2024 04:28:04.676000118 CET	49759	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:28:04.681386948 CET	80	49759	34.107.221.82	192.168.2.4
Oct 29, 2024 04:28:04.713781118 CET	49752	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:28:04.801055908 CET	80	49759	34.107.221.82	192.168.2.4
Oct 29, 2024 04:28:04.854739904 CET	49759	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:28:05.163213968 CET	443	49827	34.120.208.123	192.168.2.4
Oct 29, 2024 04:28:05.163753033 CET	443	49826	34.120.208.123	192.168.2.4
Oct 29, 2024 04:28:05.167551041 CET	49826	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:05.167562962 CET	49827	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:05.170871019 CET	49827	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:05.170898914 CET	443	49827	34.120.208.123	192.168.2.4
Oct 29, 2024 04:28:05.171117067 CET	443	49827	34.120.208.123	192.168.2.4
Oct 29, 2024 04:28:05.173192024 CET	49826	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:05.173204899 CET	443	49826	34.120.208.123	192.168.2.4
Oct 29, 2024 04:28:05.173633099 CET	443	49826	34.120.208.123	192.168.2.4
Oct 29, 2024 04:28:05.176620960 CET	49827	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:05.176630020 CET	49826	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:05.176753044 CET	49827	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:05.176773071 CET	443	49827	34.120.208.123	192.168.2.4
Oct 29, 2024 04:28:05.176810980 CET	49826	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:05.176981926 CET	49827	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:05.177001953 CET	49826	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:05.177016020 CET	49827	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:05.178875923 CET	443	49828	34.120.208.123	192.168.2.4
Oct 29, 2024 04:28:05.180860043 CET	49828	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:05.183677912 CET	49828	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:05.183696985 CET	443	49828	34.120.208.123	192.168.2.4
Oct 29, 2024 04:28:05.183902025 CET	443	49828	34.120.208.123	192.168.2.4
Oct 29, 2024 04:28:05.186992884 CET	49828	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:05.186992884 CET	49828	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:05.187133074 CET	443	49828	34.120.208.123	192.168.2.4
Oct 29, 2024 04:28:05.192873955 CET	49828	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:05.192874908 CET	49828	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:05.211298943 CET	49752	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:28:05.216694117 CET	80	49752	34.107.221.82	192.168.2.4
Oct 29, 2024 04:28:05.229727030 CET	443	49830	34.120.208.123	192.168.2.4
Oct 29, 2024 04:28:05.229882002 CET	49830	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:05.232543945 CET	49830	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:05.232559919 CET	443	49830	34.120.208.123	192.168.2.4
Oct 29, 2024 04:28:05.233581066 CET	443	49830	34.120.208.123	192.168.2.4
Oct 29, 2024 04:28:05.234493971 CET	49830	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:05.234576941 CET	49830	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:05.234699011 CET	443	49830	34.120.208.123	192.168.2.4
Oct 29, 2024 04:28:05.234761000 CET	49830	443	192.168.2.4	34.120.208.123
Oct 29, 2024 04:28:05.338207960 CET	80	49752	34.107.221.82	192.168.2.4
Oct 29, 2024 04:28:05.341170073 CET	49759	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:28:05.346544981 CET	80	49759	34.107.221.82	192.168.2.4
Oct 29, 2024 04:28:05.393449068 CET	49752	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:28:05.466866016 CET	80	49759	34.107.221.82	192.168.2.4
Oct 29, 2024 04:28:05.509360075 CET	49759	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:28:15.352714062 CET	49752	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:28:15.399748087 CET	80	49752	34.107.221.82	192.168.2.4
Oct 29, 2024 04:28:15.468611002 CET	49759	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:28:15.474288940 CET	80	49759	34.107.221.82	192.168.2.4
Oct 29, 2024 04:28:25.410998106 CET	49752	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:28:25.416240931 CET	80	49752	34.107.221.82	192.168.2.4
Oct 29, 2024 04:28:25.489116907 CET	49759	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:28:25.494504929 CET	80	49759	34.107.221.82	192.168.2.4
Oct 29, 2024 04:28:30.696119070 CET	49971	443	192.168.2.4	34.107.243.93
Oct 29, 2024 04:28:30.696202040 CET	443	49971	34.107.243.93	192.168.2.4
Oct 29, 2024 04:28:30.697165012 CET	49971	443	192.168.2.4	34.107.243.93
Oct 29, 2024 04:28:30.699075937 CET	49971	443	192.168.2.4	34.107.243.93
Oct 29, 2024 04:28:30.699114084 CET	443	49971	34.107.243.93	192.168.2.4
Oct 29, 2024 04:28:31.325330973 CET	443	49971	34.107.243.93	192.168.2.4
Oct 29, 2024 04:28:31.325794935 CET	49971	443	192.168.2.4	34.107.243.93
Oct 29, 2024 04:28:31.332642078 CET	49971	443	192.168.2.4	34.107.243.93
Oct 29, 2024 04:28:31.332669973 CET	443	49971	34.107.243.93	192.168.2.4
Oct 29, 2024 04:28:31.332736015 CET	49971	443	192.168.2.4	34.107.243.93
Oct 29, 2024 04:28:31.332887888 CET	443	49971	34.107.243.93	192.168.2.4
Oct 29, 2024 04:28:31.333682060 CET	49971	443	192.168.2.4	34.107.243.93
Oct 29, 2024 04:28:31.335434914 CET	49752	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:28:31.340806007 CET	80	49752	34.107.221.82	192.168.2.4
Oct 29, 2024 04:28:31.461929083 CET	80	49752	34.107.221.82	192.168.2.4
Oct 29, 2024 04:28:31.465194941 CET	49759	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:28:31.470513105 CET	80	49759	34.107.221.82	192.168.2.4
Oct 29, 2024 04:28:31.506712914 CET	49752	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:28:31.589943886 CET	80	49759	34.107.221.82	192.168.2.4
Oct 29, 2024 04:28:31.644802094 CET	49759	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:28:41.475610971 CET	49752	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:28:41.480894089 CET	80	49752	34.107.221.82	192.168.2.4
Oct 29, 2024 04:28:41.598154068 CET	49759	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:28:41.603507042 CET	80	49759	34.107.221.82	192.168.2.4
Oct 29, 2024 04:28:51.489437103 CET	49752	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:28:51.494863987 CET	80	49752	34.107.221.82	192.168.2.4
Oct 29, 2024 04:28:51.605350018 CET	49759	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:28:51.610675097 CET	80	49759	34.107.221.82	192.168.2.4
Oct 29, 2024 04:29:01.502517939 CET	49752	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:29:01.507986069 CET	80	49752	34.107.221.82	192.168.2.4
Oct 29, 2024 04:29:01.618555069 CET	49759	80	192.168.2.4	34.107.221.82
Oct 29, 2024 04:29:01.623979092 CET	80	49759	34.107.221.82	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 29, 2024 04:27:05.433454990 CET	50275	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:05.483325005 CET	53	50275	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:05.485537052 CET	62102	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:05.502458096 CET	53	62102	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:07.463346958 CET	55910	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:07.466475964 CET	60284	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:07.471887112 CET	52825	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:07.474014997 CET	53	60284	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:07.475428104 CET	55443	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:07.479675055 CET	53	52825	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:07.480150938 CET	49955	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:07.482579947 CET	53	55443	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:07.483108997 CET	54200	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:07.487263918 CET	53	49955	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:07.490235090 CET	53	54200	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:08.179582119 CET	58626	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:08.200004101 CET	62223	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:08.344511986 CET	53	62223	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:08.344794989 CET	53	58626	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:08.345846891 CET	63786	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:08.346184969 CET	57012	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:08.347079992 CET	52708	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:08.353283882 CET	53	57012	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:08.353446007 CET	53	63786	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:08.353795052 CET	50424	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:08.354209900 CET	64458	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:08.354291916 CET	53	52708	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:08.354733944 CET	61401	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:08.361171007 CET	53	64458	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:08.361706018 CET	53	61401	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:08.361825943 CET	53	50424	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:08.402880907 CET	52028	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:08.403640032 CET	49184	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:08.410233021 CET	53	52028	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:08.416491032 CET	64238	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:08.425120115 CET	53	64238	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:08.432995081 CET	62258	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:08.441117048 CET	53	51504	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:08.441133022 CET	53	62258	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:08.496737957 CET	63377	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:08.496944904 CET	63601	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:08.503793001 CET	53	63377	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:08.503881931 CET	53	63601	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:08.511430979 CET	64183	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:08.534495115 CET	65108	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:08.542046070 CET	53	65108	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:08.542962074 CET	58637	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:08.550921917 CET	53	58637	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:08.551390886 CET	50574	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:08.558475018 CET	53	50574	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:11.207194090 CET	51180	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:11.214504004 CET	53	51180	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:11.216166019 CET	56207	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:11.225438118 CET	53	56207	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:11.225948095 CET	55517	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:11.234329939 CET	53	55517	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:12.034446001 CET	56599	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:12.041656971 CET	53	56599	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:12.042402983 CET	55058	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:12.049937963 CET	53	55058	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:15.868208885 CET	58511	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:15.876100063 CET	53	58511	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:15.879935026 CET	54853	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:15.887583971 CET	53	54853	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:15.911670923 CET	57666	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:15.919497967 CET	53	57666	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:16.020344019 CET	65043	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:16.020344019 CET	51652	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:16.020617962 CET	57683	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:16.027709007 CET	53	57683	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:16.027894020 CET	53	51652	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:16.028203011 CET	53	65043	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:16.028403044 CET	56845	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:16.029036999 CET	61197	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:16.030569077 CET	65117	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:16.036035061 CET	53	56845	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:16.036484957 CET	61231	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:16.036578894 CET	53	61197	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:16.037015915 CET	55573	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:16.038444996 CET	53	65117	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:16.039140940 CET	64591	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:16.044135094 CET	53	55573	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:16.044359922 CET	53	61231	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:16.046257973 CET	53	64591	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:16.048110962 CET	60446	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:16.048360109 CET	60838	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:16.058876038 CET	53	60446	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:16.058924913 CET	53	60838	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:16.059479952 CET	50686	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:16.059520006 CET	64041	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:16.067658901 CET	53	64041	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:16.067691088 CET	53	50686	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:16.068105936 CET	51688	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:16.068178892 CET	56078	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:16.077744961 CET	53	51688	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:16.078145981 CET	53	56078	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:16.540327072 CET	62682	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:16.547663927 CET	53	62682	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:19.201231956 CET	54243	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:19.208636045 CET	53	54243	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:22.397629023 CET	52229	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:29.087954998 CET	52141	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:29.096060991 CET	53	52141	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:34.124588013 CET	49692	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:34.131824970 CET	53	49692	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:34.134380102 CET	58611	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:34.144354105 CET	53	58611	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:34.145327091 CET	65032	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:34.152597904 CET	53	65032	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:34.152960062 CET	54020	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:34.160430908 CET	53	54020	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:34.163594007 CET	64720	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:34.171900034 CET	53	64720	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:34.175692081 CET	49741	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:34.183514118 CET	53	49741	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:34.187201977 CET	55606	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:34.195024967 CET	53	55606	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:49.973773003 CET	49660	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:49.981225967 CET	53	49660	1.1.1.1	192.168.2.4
Oct 29, 2024 04:27:49.982477903 CET	54717	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:27:49.990047932 CET	53	54717	1.1.1.1	192.168.2.4
Oct 29, 2024 04:28:03.889985085 CET	55835	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:28:03.897233009 CET	53	55835	1.1.1.1	192.168.2.4
Oct 29, 2024 04:28:30.629970074 CET	56892	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:28:30.693778992 CET	53	56892	1.1.1.1	192.168.2.4
Oct 29, 2024 04:28:30.696813107 CET	62041	53	192.168.2.4	1.1.1.1
Oct 29, 2024 04:28:30.704097033 CET	53	62041	1.1.1.1	192.168.2.4
Oct 29, 2024 04:28:31.335695982 CET	56329	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 29, 2024 04:27:05.433454990 CET	192.168.2.4	1.1.1.1	0x7bd5	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:05.485537052 CET	192.168.2.4	1.1.1.1	0x17e0	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 04:27:07.463346958 CET	192.168.2.4	1.1.1.1	0xafd5	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:07.466475964 CET	192.168.2.4	1.1.1.1	0x998b	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:07.471887112 CET	192.168.2.4	1.1.1.1	0xca56	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:07.475428104 CET	192.168.2.4	1.1.1.1	0x8d4f	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:07.480150938 CET	192.168.2.4	1.1.1.1	0xdf7f	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 04:27:07.483108997 CET	192.168.2.4	1.1.1.1	0xda	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 29, 2024 04:27:08.179582119 CET	192.168.2.4	1.1.1.1	0x2b84	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:08.200004101 CET	192.168.2.4	1.1.1.1	0xc69d	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:08.345846891 CET	192.168.2.4	1.1.1.1	0x7f6f	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:08.346184969 CET	192.168.2.4	1.1.1.1	0xa4f9	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:08.347079992 CET	192.168.2.4	1.1.1.1	0x37ab	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:08.353795052 CET	192.168.2.4	1.1.1.1	0xe8ab	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 04:27:08.354209900 CET	192.168.2.4	1.1.1.1	0x6e9f	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 04:27:08.354733944 CET	192.168.2.4	1.1.1.1	0x9d7d	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 04:27:08.402880907 CET	192.168.2.4	1.1.1.1	0x1682	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:08.403640032 CET	192.168.2.4	1.1.1.1	0xc0d7	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:08.416491032 CET	192.168.2.4	1.1.1.1	0x9a5b	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:08.432995081 CET	192.168.2.4	1.1.1.1	0x6a29	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 04:27:08.496737957 CET	192.168.2.4	1.1.1.1	0xe712	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:08.496944904 CET	192.168.2.4	1.1.1.1	0x879f	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:08.511430979 CET	192.168.2.4	1.1.1.1	0x2425	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:08.534495115 CET	192.168.2.4	1.1.1.1	0x9ca	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:08.542962074 CET	192.168.2.4	1.1.1.1	0x49b6	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:08.551390886 CET	192.168.2.4	1.1.1.1	0xe0be	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 04:27:11.207194090 CET	192.168.2.4	1.1.1.1	0xc78	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:11.216166019 CET	192.168.2.4	1.1.1.1	0x8f64	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:11.225948095 CET	192.168.2.4	1.1.1.1	0xa74c	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 04:27:12.034446001 CET	192.168.2.4	1.1.1.1	0x1d64	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:12.042402983 CET	192.168.2.4	1.1.1.1	0x1f94	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 04:27:15.868208885 CET	192.168.2.4	1.1.1.1	0xd5ef	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:15.879935026 CET	192.168.2.4	1.1.1.1	0x2d63	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:15.911670923 CET	192.168.2.4	1.1.1.1	0xb9f5	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 04:27:16.020344019 CET	192.168.2.4	1.1.1.1	0x9cdd	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.020344019 CET	192.168.2.4	1.1.1.1	0xeb81	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.020617962 CET	192.168.2.4	1.1.1.1	0x7a65	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.028403044 CET	192.168.2.4	1.1.1.1	0xc69b	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.029036999 CET	192.168.2.4	1.1.1.1	0x41d2	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.030569077 CET	192.168.2.4	1.1.1.1	0x920b	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.036484957 CET	192.168.2.4	1.1.1.1	0x16aa	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 29, 2024 04:27:16.037015915 CET	192.168.2.4	1.1.1.1	0xa800	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 29, 2024 04:27:16.039140940 CET	192.168.2.4	1.1.1.1	0x8aec	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 29, 2024 04:27:16.048110962 CET	192.168.2.4	1.1.1.1	0xd375	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.048360109 CET	192.168.2.4	1.1.1.1	0x54d7	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.059479952 CET	192.168.2.4	1.1.1.1	0x56e3	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.059520006 CET	192.168.2.4	1.1.1.1	0x8690	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.068105936 CET	192.168.2.4	1.1.1.1	0xc3c	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 29, 2024 04:27:16.068178892 CET	192.168.2.4	1.1.1.1	0xdf9	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 29, 2024 04:27:16.540327072 CET	192.168.2.4	1.1.1.1	0x2806	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 04:27:19.201231956 CET	192.168.2.4	1.1.1.1	0x6890	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 04:27:22.397629023 CET	192.168.2.4	1.1.1.1	0x8544	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:29.087954998 CET	192.168.2.4	1.1.1.1	0x53f1	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 04:27:34.124588013 CET	192.168.2.4	1.1.1.1	0xd0e1	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 04:27:34.134380102 CET	192.168.2.4	1.1.1.1	0xedef	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:34.145327091 CET	192.168.2.4	1.1.1.1	0xe2	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:34.152960062 CET	192.168.2.4	1.1.1.1	0xac76	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 29, 2024 04:27:34.163594007 CET	192.168.2.4	1.1.1.1	0xf33e	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:34.175692081 CET	192.168.2.4	1.1.1.1	0xf817	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:34.187201977 CET	192.168.2.4	1.1.1.1	0xbe11	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 04:27:49.973773003 CET	192.168.2.4	1.1.1.1	0x3be5	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:49.982477903 CET	192.168.2.4	1.1.1.1	0x7d53	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 04:28:03.889985085 CET	192.168.2.4	1.1.1.1	0xc091	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 04:28:30.629970074 CET	192.168.2.4	1.1.1.1	0xc9c	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:28:30.696813107 CET	192.168.2.4	1.1.1.1	0x6c34	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 04:28:31.335695982 CET	192.168.2.4	1.1.1.1	0xa513	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 29, 2024 04:27:05.416887045 CET	1.1.1.1	192.168.2.4	0xa1a2	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:05.483325005 CET	1.1.1.1	192.168.2.4	0x7bd5	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:07.470695019 CET	1.1.1.1	192.168.2.4	0xafd5	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 04:27:07.470695019 CET	1.1.1.1	192.168.2.4	0xafd5	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:07.474014997 CET	1.1.1.1	192.168.2.4	0x998b	No error (0)	youtube.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:07.479675055 CET	1.1.1.1	192.168.2.4	0xca56	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:07.482579947 CET	1.1.1.1	192.168.2.4	0x8d4f	No error (0)	youtube.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:07.487263918 CET	1.1.1.1	192.168.2.4	0xdf7f	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 29, 2024 04:27:07.490235090 CET	1.1.1.1	192.168.2.4	0xda	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 29, 2024 04:27:08.344455957 CET	1.1.1.1	192.168.2.4	0x3447	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 04:27:08.344455957 CET	1.1.1.1	192.168.2.4	0x3447	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:08.344511986 CET	1.1.1.1	192.168.2.4	0xc69d	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 04:27:08.344511986 CET	1.1.1.1	192.168.2.4	0xc69d	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:08.344794989 CET	1.1.1.1	192.168.2.4	0x2b84	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:08.353283882 CET	1.1.1.1	192.168.2.4	0xa4f9	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:08.353446007 CET	1.1.1.1	192.168.2.4	0x7f6f	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:08.354291916 CET	1.1.1.1	192.168.2.4	0x37ab	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:08.410233021 CET	1.1.1.1	192.168.2.4	0x1682	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 04:27:08.410233021 CET	1.1.1.1	192.168.2.4	0x1682	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 04:27:08.410233021 CET	1.1.1.1	192.168.2.4	0x1682	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:08.410975933 CET	1.1.1.1	192.168.2.4	0xc0d7	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 04:27:08.425120115 CET	1.1.1.1	192.168.2.4	0x9a5b	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:08.441133022 CET	1.1.1.1	192.168.2.4	0x6a29	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 29, 2024 04:27:08.503793001 CET	1.1.1.1	192.168.2.4	0xe712	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:08.503881931 CET	1.1.1.1	192.168.2.4	0x879f	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:08.503881931 CET	1.1.1.1	192.168.2.4	0x879f	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:08.518942118 CET	1.1.1.1	192.168.2.4	0x2425	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 04:27:08.518942118 CET	1.1.1.1	192.168.2.4	0x2425	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:08.542046070 CET	1.1.1.1	192.168.2.4	0x9ca	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:08.550921917 CET	1.1.1.1	192.168.2.4	0x49b6	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:11.108592033 CET	1.1.1.1	192.168.2.4	0x9321	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 04:27:11.108592033 CET	1.1.1.1	192.168.2.4	0x9321	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:11.214504004 CET	1.1.1.1	192.168.2.4	0xc78	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 04:27:11.214504004 CET	1.1.1.1	192.168.2.4	0xc78	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:11.225438118 CET	1.1.1.1	192.168.2.4	0x8f64	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:12.020731926 CET	1.1.1.1	192.168.2.4	0xd628	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:12.041656971 CET	1.1.1.1	192.168.2.4	0x1d64	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:15.876100063 CET	1.1.1.1	192.168.2.4	0xd5ef	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 04:27:15.876100063 CET	1.1.1.1	192.168.2.4	0xd5ef	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 04:27:15.876100063 CET	1.1.1.1	192.168.2.4	0xd5ef	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:15.887583971 CET	1.1.1.1	192.168.2.4	0x2d63	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.027709007 CET	1.1.1.1	192.168.2.4	0x7a65	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 04:27:16.027709007 CET	1.1.1.1	192.168.2.4	0x7a65	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.027894020 CET	1.1.1.1	192.168.2.4	0xeb81	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 04:27:16.027894020 CET	1.1.1.1	192.168.2.4	0xeb81	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.028203011 CET	1.1.1.1	192.168.2.4	0x9cdd	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 04:27:16.028203011 CET	1.1.1.1	192.168.2.4	0x9cdd	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.028203011 CET	1.1.1.1	192.168.2.4	0x9cdd	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.028203011 CET	1.1.1.1	192.168.2.4	0x9cdd	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.028203011 CET	1.1.1.1	192.168.2.4	0x9cdd	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.028203011 CET	1.1.1.1	192.168.2.4	0x9cdd	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.028203011 CET	1.1.1.1	192.168.2.4	0x9cdd	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.028203011 CET	1.1.1.1	192.168.2.4	0x9cdd	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.028203011 CET	1.1.1.1	192.168.2.4	0x9cdd	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.028203011 CET	1.1.1.1	192.168.2.4	0x9cdd	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.028203011 CET	1.1.1.1	192.168.2.4	0x9cdd	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.028203011 CET	1.1.1.1	192.168.2.4	0x9cdd	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.028203011 CET	1.1.1.1	192.168.2.4	0x9cdd	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.028203011 CET	1.1.1.1	192.168.2.4	0x9cdd	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.028203011 CET	1.1.1.1	192.168.2.4	0x9cdd	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.028203011 CET	1.1.1.1	192.168.2.4	0x9cdd	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.028203011 CET	1.1.1.1	192.168.2.4	0x9cdd	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.036035061 CET	1.1.1.1	192.168.2.4	0xc69b	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.036578894 CET	1.1.1.1	192.168.2.4	0x41d2	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.038444996 CET	1.1.1.1	192.168.2.4	0x920b	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.038444996 CET	1.1.1.1	192.168.2.4	0x920b	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.038444996 CET	1.1.1.1	192.168.2.4	0x920b	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.038444996 CET	1.1.1.1	192.168.2.4	0x920b	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.038444996 CET	1.1.1.1	192.168.2.4	0x920b	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.038444996 CET	1.1.1.1	192.168.2.4	0x920b	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.038444996 CET	1.1.1.1	192.168.2.4	0x920b	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.038444996 CET	1.1.1.1	192.168.2.4	0x920b	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.038444996 CET	1.1.1.1	192.168.2.4	0x920b	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.038444996 CET	1.1.1.1	192.168.2.4	0x920b	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.038444996 CET	1.1.1.1	192.168.2.4	0x920b	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.038444996 CET	1.1.1.1	192.168.2.4	0x920b	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.038444996 CET	1.1.1.1	192.168.2.4	0x920b	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.038444996 CET	1.1.1.1	192.168.2.4	0x920b	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.038444996 CET	1.1.1.1	192.168.2.4	0x920b	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.038444996 CET	1.1.1.1	192.168.2.4	0x920b	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.044135094 CET	1.1.1.1	192.168.2.4	0xa800	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 29, 2024 04:27:16.044359922 CET	1.1.1.1	192.168.2.4	0x16aa	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 29, 2024 04:27:16.046257973 CET	1.1.1.1	192.168.2.4	0x8aec	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 29, 2024 04:27:16.046257973 CET	1.1.1.1	192.168.2.4	0x8aec	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 29, 2024 04:27:16.046257973 CET	1.1.1.1	192.168.2.4	0x8aec	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 29, 2024 04:27:16.046257973 CET	1.1.1.1	192.168.2.4	0x8aec	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 29, 2024 04:27:16.058876038 CET	1.1.1.1	192.168.2.4	0xd375	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 04:27:16.058876038 CET	1.1.1.1	192.168.2.4	0xd375	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.058876038 CET	1.1.1.1	192.168.2.4	0xd375	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.058876038 CET	1.1.1.1	192.168.2.4	0xd375	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.058876038 CET	1.1.1.1	192.168.2.4	0xd375	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.058924913 CET	1.1.1.1	192.168.2.4	0x54d7	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.067658901 CET	1.1.1.1	192.168.2.4	0x8690	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.067691088 CET	1.1.1.1	192.168.2.4	0x56e3	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.067691088 CET	1.1.1.1	192.168.2.4	0x56e3	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.067691088 CET	1.1.1.1	192.168.2.4	0x56e3	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.067691088 CET	1.1.1.1	192.168.2.4	0x56e3	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:16.243479013 CET	1.1.1.1	192.168.2.4	0x5c27	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:22.404890060 CET	1.1.1.1	192.168.2.4	0x8544	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 04:27:22.404890060 CET	1.1.1.1	192.168.2.4	0x8544	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:34.123603106 CET	1.1.1.1	192.168.2.4	0xfe08	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 04:27:34.123603106 CET	1.1.1.1	192.168.2.4	0xfe08	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:34.144354105 CET	1.1.1.1	192.168.2.4	0xedef	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:34.144354105 CET	1.1.1.1	192.168.2.4	0xedef	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:34.144354105 CET	1.1.1.1	192.168.2.4	0xedef	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:34.144354105 CET	1.1.1.1	192.168.2.4	0xedef	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:34.152597904 CET	1.1.1.1	192.168.2.4	0xe2	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:34.152597904 CET	1.1.1.1	192.168.2.4	0xe2	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:34.152597904 CET	1.1.1.1	192.168.2.4	0xe2	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:34.152597904 CET	1.1.1.1	192.168.2.4	0xe2	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:34.160430908 CET	1.1.1.1	192.168.2.4	0xac76	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 29, 2024 04:27:34.160430908 CET	1.1.1.1	192.168.2.4	0xac76	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 29, 2024 04:27:34.160430908 CET	1.1.1.1	192.168.2.4	0xac76	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 29, 2024 04:27:34.160430908 CET	1.1.1.1	192.168.2.4	0xac76	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 29, 2024 04:27:34.171900034 CET	1.1.1.1	192.168.2.4	0xf33e	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 04:27:34.171900034 CET	1.1.1.1	192.168.2.4	0xf33e	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:34.183514118 CET	1.1.1.1	192.168.2.4	0xf817	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:27:35.402839899 CET	1.1.1.1	192.168.2.4	0xd223	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 04:27:35.402839899 CET	1.1.1.1	192.168.2.4	0xd223	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 04:27:49.981225967 CET	1.1.1.1	192.168.2.4	0x3be5	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:28:03.883946896 CET	1.1.1.1	192.168.2.4	0xd3d	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:28:30.693778992 CET	1.1.1.1	192.168.2.4	0xc9c	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 29, 2024 04:28:31.342830896 CET	1.1.1.1	192.168.2.4	0xa513	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 04:28:31.342830896 CET	1.1.1.1	192.168.2.4	0xa513	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49740	34.107.221.82	80	7812	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 04:27:07.647979975 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 04:27:08.342246056 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 46042 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49747	34.107.221.82	80	7812	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 04:27:08.526585102 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 04:27:09.123693943 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 52404 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49752	34.107.221.82	80	7812	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 04:27:09.568979979 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 04:27:10.173109055 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 46044 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 04:27:10.425204039 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 04:27:10.717672110 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 46044 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 04:27:11.098578930 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 04:27:11.225826979 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 46045 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 04:27:12.011135101 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 04:27:12.137751102 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 46046 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 04:27:16.234829903 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 04:27:16.361776114 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 46050 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 04:27:19.083152056 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 04:27:19.210103989 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 46053 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 04:27:20.638874054 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 04:27:20.765727043 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 46054 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 04:27:29.703784943 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 04:27:29.831309080 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 46063 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 04:27:34.737746954 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 04:27:34.865183115 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 46068 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 04:27:35.392143965 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 04:27:35.518685102 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 46069 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 04:27:42.100368023 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 04:27:42.227356911 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 46076 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 04:27:50.589639902 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 04:27:50.717350006 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 46084 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 04:28:00.730999947 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 04:28:04.543409109 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 04:28:04.670666933 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 46098 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 04:28:05.211298943 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 04:28:05.338207960 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 46099 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 04:28:15.352714062 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 04:28:25.410998106 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 04:28:31.335434914 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 04:28:31.461929083 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 46125 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 04:28:41.475610971 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 04:28:51.489437103 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 04:29:01.502517939 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49755	34.107.221.82	80	7812	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 04:27:10.598274946 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49756	34.107.221.82	80	7812	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 04:27:10.831154108 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49759	34.107.221.82	80	7812	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 04:27:11.247147083 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 04:27:11.832415104 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 52406 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 04:27:12.140791893 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 04:27:12.265816927 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 52407 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 04:27:18.508136034 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 04:27:18.633842945 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 52413 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 04:27:19.329428911 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 04:27:19.612632990 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 52414 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 04:27:22.397349119 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 04:27:22.647888899 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 52417 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 04:27:29.834912062 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 04:27:29.960576057 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 52424 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 04:27:34.867549896 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 04:27:34.992418051 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 52429 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 04:27:35.522140026 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 04:27:35.647074938 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 52430 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 04:27:42.233376980 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 04:27:42.358453989 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 52437 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 04:27:50.720603943 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 04:27:50.845489979 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 52445 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 04:28:00.869221926 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 04:28:04.676000118 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 04:28:04.801055908 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 52459 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 04:28:05.341170073 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 04:28:05.466866016 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 52460 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 04:28:15.468611002 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 04:28:25.489116907 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 04:28:31.465194941 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 04:28:31.589943886 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 52486 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 04:28:41.598154068 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 04:28:51.605350018 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 04:29:01.618555069 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	23:26:58
Start date:	28/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xcf0000
File size:	919'552 bytes
MD5 hash:	0357E5852CD0E3C44B1092E9338CF930
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	23:26:58
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xf0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	23:26:58
Start date:	28/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	23:27:00
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xf0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	23:27:00
Start date:	28/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	23:27:00
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xf0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	23:27:00
Start date:	28/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	23:27:00
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xf0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	23:27:00
Start date:	28/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x180000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	23:27:01
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xf0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	23:27:01
Start date:	28/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	23:27:01
Start date:	28/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	23:27:01
Start date:	28/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	23:27:01
Start date:	28/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	23:27:02
Start date:	28/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2224 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e344c09-d758-4121-afce-22356859a8f5} 7812 "\\.\pipe\gecko-crash-server-pipe.7812" 1da83b6e310 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	23:27:04
Start date:	28/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4312 -parentBuildID 20230927232528 -prefsHandle 4304 -prefMapHandle 4308 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6cc68ceb-5b67-429c-b1db-017638af971d} 7812 "\\.\pipe\gecko-crash-server-pipe.7812" 1da83b83310 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	23:27:09
Start date:	28/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5424 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5416 -prefMapHandle 5392 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f49da774-710e-4fab-b5fa-c78f451c86b2} 7812 "\\.\pipe\gecko-crash-server-pipe.7812" 1da95b9e310 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.3%
Total number of Nodes:	1614
Total number of Limit Nodes:	81

Executed Functions

Function 00CF42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00CF430D

Part of subcall function 00CF6B57: _wcslen.LIBCMT ref: 00CF6B6A

GetCurrentProcess.KERNEL32(?,00D8CB64,00000000,?,?), ref: 00CF4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00CF4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00CF4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00CF4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00CF4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00CF447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00CF44A0

Strings

kernel32.dll, xrefs: 00CF444F
|O, xrefs: 00D336F8
GetNativeSystemInfo, xrefs: 00CF4460

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 1fa2a4a28c3b82fb4449eb422e48b1cc4588d2b4ad9acb66b4a4aeb438709c92
Instruction ID: 71f95fc7f2530d479c434bced5aad693c32a86ffc070653f8e80b3a7b7b9ed5b
Opcode Fuzzy Hash: 1fa2a4a28c3b82fb4449eb422e48b1cc4588d2b4ad9acb66b4a4aeb438709c92
Instruction Fuzzy Hash: B1A1F67A92A3E7CFCB16DB697C819A53FE46B67308B185598D041E3B23D2304608DB32

Function 00CF42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00CF50AA,?,?,00000000,00000000), ref: 00CF42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00CF50AA,?,?,00000000,00000000), ref: 00CF42C9
LoadResource.KERNEL32(?,00000000,?,?,00CF50AA,?,?,00000000,00000000,?,?,?,?,?,?,00CF4F20), ref: 00D335BE
SizeofResource.KERNEL32(?,00000000,?,?,00CF50AA,?,?,00000000,00000000,?,?,?,?,?,?,00CF4F20), ref: 00D335D3
LockResource.KERNEL32(00CF50AA,?,?,00CF50AA,?,?,00000000,00000000,?,?,?,?,?,?,00CF4F20,?), ref: 00D335E6

Strings

SCRIPT, xrefs: 00CF42BF

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: b33d692010b76d434fb79846e048d01cc44ec68429a3a1614c0013266eb41c68
Instruction ID: d67357c11661bb51684844c0422af3d947764ad05d084a4e2df1ad3fed74a5e9
Opcode Fuzzy Hash: b33d692010b76d434fb79846e048d01cc44ec68429a3a1614c0013266eb41c68
Instruction Fuzzy Hash: 9C117970210704FFEB258BA5DC48F277BB9EBC5B51F248169B512DA6A0DB71E8008B31

Function 00D32BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00CF2B6B

Part of subcall function 00CF3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00DC1418,?,00CF2E7F,?,?,?,00000000), ref: 00CF3A78

Part of subcall function 00CF9CB3: _wcslen.LIBCMT ref: 00CF9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00DB2224), ref: 00D32C10
ShellExecuteW.SHELL32(00000000,?,?,00DB2224), ref: 00D32C17

Strings

runas, xrefs: 00D32C0B

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 6af1b2ecd2a5770cdfadc647f6ef9030fffc4638fb15d09396a041b7c300184d
Instruction ID: 9ea0663c8004feb03fa23b83adee239da3f080f6b15a5dd85d3cea8338cb66ba
Opcode Fuzzy Hash: 6af1b2ecd2a5770cdfadc647f6ef9030fffc4638fb15d09396a041b7c300184d
Instruction Fuzzy Hash: 9211A53110834AABCB85FF60D851EBD77A4DB91340F44141DF652521A3DF31864AA723

Function 00D5D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00D5D501
Process32FirstW.KERNEL32(00000000,?), ref: 00D5D50F
Process32NextW.KERNEL32(00000000,?), ref: 00D5D52F
CloseHandle.KERNELBASE(00000000), ref: 00D5D5DC

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 5bd1715008b5b42a0911855172f1b76e6a64a0c9dae5e5e4dec6cfa741b40907
Instruction ID: 6fb9089ea61afc58ca1b571a4eb0778aad2a73034fbade6e643ad98c5ce8abd3
Opcode Fuzzy Hash: 5bd1715008b5b42a0911855172f1b76e6a64a0c9dae5e5e4dec6cfa741b40907
Instruction Fuzzy Hash: 7A3190711083049FD710EF54C885ABFBBE8EF99344F14052DFA85822A1EB719A48DBB3

Function 00D5DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00D35222), ref: 00D5DBCE
GetFileAttributesW.KERNELBASE(?), ref: 00D5DBDD
FindFirstFileW.KERNEL32(?,?), ref: 00D5DBEE
FindClose.KERNEL32(00000000), ref: 00D5DBFA

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: eaa102abcec64c8e3c2732b783dbe537798a976b3744ef57e84534b04523916e
Instruction ID: 3b0544d8f1ee9ef74a608ee70cfc3fe77bfd4c03a5adfdbc8114c7769447caa1
Opcode Fuzzy Hash: eaa102abcec64c8e3c2732b783dbe537798a976b3744ef57e84534b04523916e
Instruction Fuzzy Hash: 61F0A030830A109786306B78AC0D9BE37BD9E05336B144702FC76C22E0EBB0995886B9

Function 00D14CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00D228E9,?,00D14CBE,00D228E9,00DB88B8,0000000C,00D14E15,00D228E9,00000002,00000000,?,00D228E9), ref: 00D14D09
TerminateProcess.KERNEL32(00000000,?,00D14CBE,00D228E9,00DB88B8,0000000C,00D14E15,00D228E9,00000002,00000000,?,00D228E9), ref: 00D14D10
ExitProcess.KERNEL32 ref: 00D14D22

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 0d0a6c6b6fce981814cb112820db685f36a4042e5d366ee79a70ec0e0908f9c3
Instruction ID: 50a048b0cf4f8aeb4fd6bacae8465cdf4db463ee4a662354c2f0f65f8a6be89a
Opcode Fuzzy Hash: 0d0a6c6b6fce981814cb112820db685f36a4042e5d366ee79a70ec0e0908f9c3
Instruction Fuzzy Hash: 7BE0B671020248FBCF11AF54FD09A983B69FB42B95B144014FC09CA222CB35DD82DBB0

Function 00D7AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00D7B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00D7B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00D7B1D4
_wcslen.LIBCMT ref: 00D7B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00D7B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00D7B236
_wcslen.LIBCMT ref: 00D7B332

Part of subcall function 00D605A7: GetStdHandle.KERNEL32(000000F6), ref: 00D605C6

_wcslen.LIBCMT ref: 00D7B34B
_wcslen.LIBCMT ref: 00D7B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00D7B3B6
GetLastError.KERNEL32(00000000), ref: 00D7B407
CloseHandle.KERNEL32(?), ref: 00D7B439
CloseHandle.KERNEL32(00000000), ref: 00D7B44A
CloseHandle.KERNEL32(00000000), ref: 00D7B45C
CloseHandle.KERNEL32(00000000), ref: 00D7B46E
CloseHandle.KERNEL32(?), ref: 00D7B4E3

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 49e9e1f9fd0f39045f23349fe51652dfdb7294134f64802eb1779ca81aea157f
Instruction ID: e55dde289a71510179057e84bf5f005068091545a89b4e6f739d89524213d354
Opcode Fuzzy Hash: 49e9e1f9fd0f39045f23349fe51652dfdb7294134f64802eb1779ca81aea157f
Instruction Fuzzy Hash: 3BF17D315043449FC714EF24C891B6EBBE5EF85324F18855EF9999B2A2DB31EC44CB62

Function 00CFD733 Relevance: 21.6, APIs: 14, Instructions: 623windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00CFD807
timeGetTime.WINMM ref: 00CFDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CFDB28
TranslateMessage.USER32(?), ref: 00CFDB7B
DispatchMessageW.USER32(?), ref: 00CFDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CFDB9F
Sleep.KERNELBASE(0000000A), ref: 00CFDBB1

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: d6dbba1b59b6ca02a5080075f8219afb82dfc9e9d272dc7a58ea107349d41c31
Instruction ID: 31dae5df194a9145d2215e6f403890fd245191fb75e6728db7b7a174243d4211
Opcode Fuzzy Hash: d6dbba1b59b6ca02a5080075f8219afb82dfc9e9d272dc7a58ea107349d41c31
Instruction Fuzzy Hash: F742F130608346DFD768CF24C885B7AB7A2FF45304F544619FAA687291DB70E984DBA3

Function 00CF2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00CF2D07
RegisterClassExW.USER32(00000030), ref: 00CF2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00CF2D42
InitCommonControlsEx.COMCTL32(?), ref: 00CF2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00CF2D6F
LoadIconW.USER32(000000A9), ref: 00CF2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00CF2D94

Strings

AutoIt v3 GUI, xrefs: 00CF2D23
+, xrefs: 00CF2CF0
TaskbarCreated, xrefs: 00CF2D37
0, xrefs: 00CF2CE9

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: ae84387d088919b8418faea78c35fb71b77cf02725e39585a37ed767e6ccc550
Instruction ID: fb4e9120bc3ef5fe2ec34d6288143e348e8e18fa7e8e77cd795b523eb2781688
Opcode Fuzzy Hash: ae84387d088919b8418faea78c35fb71b77cf02725e39585a37ed767e6ccc550
Instruction Fuzzy Hash: 4B21D0B992131AEFDB009FA4EC49B9DBBB4FB09700F10511AE511E63A0DBB145448FB1

Function 00D3065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D3039A: CreateFileW.KERNELBASE(00000000,00000000,?,00D30704,?,?,00000000,?,00D30704,00000000,0000000C), ref: 00D303B7

GetLastError.KERNEL32 ref: 00D3076F
__dosmaperr.LIBCMT ref: 00D30776
GetFileType.KERNELBASE(00000000), ref: 00D30782
GetLastError.KERNEL32 ref: 00D3078C
__dosmaperr.LIBCMT ref: 00D30795
CloseHandle.KERNEL32(00000000), ref: 00D307B5
CloseHandle.KERNEL32(?), ref: 00D308FF
GetLastError.KERNEL32 ref: 00D30931
__dosmaperr.LIBCMT ref: 00D30938

Strings

H, xrefs: 00D308BD

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: d3db5802854910875154473685c0da4bb923fd2d81ed1f9000ed4db66901bcdf
Instruction ID: d0246487d4b70da8c7c95b646f40a5b4409ed7fb96723b3be407e0378c194340
Opcode Fuzzy Hash: d3db5802854910875154473685c0da4bb923fd2d81ed1f9000ed4db66901bcdf
Instruction Fuzzy Hash: 1CA10632A142099FDF19AF68DC62BAD7FA1EB06320F18015DF815DB391DB319952CBB1

Function 00CF344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CF3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00DC1418,?,00CF2E7F,?,?,?,00000000), ref: 00CF3A78

Part of subcall function 00CF3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00CF3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00CF356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00D3318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00D331CE
RegCloseKey.ADVAPI32(?), ref: 00D33210
_wcslen.LIBCMT ref: 00D33277
_wcslen.LIBCMT ref: 00D33286

Strings

Include, xrefs: 00D33184, 00D331C5
Software\AutoIt v3\AutoIt, xrefs: 00CF3560
\, xrefs: 00D3328C
\Include\, xrefs: 00CF3527

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 7d9aee24fa3a4abd699b57cec86e5843738c383b14f89b8912f910c6c625b8c3
Instruction ID: e8e21a24b6024649550ee027c16c93e028123f4533d585f9ce0ead6689ca341c
Opcode Fuzzy Hash: 7d9aee24fa3a4abd699b57cec86e5843738c383b14f89b8912f910c6c625b8c3
Instruction Fuzzy Hash: 5A714771414346AEC714EF65EC81DABBBE8FF85740F50052EF645C32A0EB749A498B72

Function 00CF2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00CF2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00CF2B9D
LoadIconW.USER32(00000063), ref: 00CF2BB3
LoadIconW.USER32(000000A4), ref: 00CF2BC5
LoadIconW.USER32(000000A2), ref: 00CF2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00CF2BEF
RegisterClassExW.USER32(?), ref: 00CF2C40

Part of subcall function 00CF2CD4: GetSysColorBrush.USER32(0000000F), ref: 00CF2D07
Part of subcall function 00CF2CD4: RegisterClassExW.USER32(00000030), ref: 00CF2D31
Part of subcall function 00CF2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00CF2D42
Part of subcall function 00CF2CD4: InitCommonControlsEx.COMCTL32(?), ref: 00CF2D5F
Part of subcall function 00CF2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00CF2D6F
Part of subcall function 00CF2CD4: LoadIconW.USER32(000000A9), ref: 00CF2D85
Part of subcall function 00CF2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00CF2D94

Strings

#, xrefs: 00CF2C16
0, xrefs: 00CF2C0F
AutoIt v3, xrefs: 00CF2C2F

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 0b2d68f3e0f664cccbb18d6c5a8307ed3c993207bb64db85bb2a6ca1dbfd1873
Instruction ID: 766c9373b0941b9b9a03dbf7a12dd2ea2aefddf4030715bad2cd124a7b7bef0f
Opcode Fuzzy Hash: 0b2d68f3e0f664cccbb18d6c5a8307ed3c993207bb64db85bb2a6ca1dbfd1873
Instruction Fuzzy Hash: 90213A78E1036AABDB109FA5EC45EA97FB4FB49B54F10001AE600E67A1D3B55550CFB0

Function 00CF3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00CF316A,?,?), ref: 00CF31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00CF316A,?,?), ref: 00CF3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00CF3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00CF316A,?,?), ref: 00CF3232
CreatePopupMenu.USER32 ref: 00CF3246
PostQuitMessage.USER32(00000000), ref: 00CF3267

Strings

TaskbarCreated, xrefs: 00CF322D

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: a370d34b681fa85f3df03336b1c6af187c2af4f7b9c5d959558dd3888093bea2
Instruction ID: 009e17647aec9279713971c938af39ee150400c7b6ce7a2b8caed001f66d0c83
Opcode Fuzzy Hash: a370d34b681fa85f3df03336b1c6af187c2af4f7b9c5d959558dd3888093bea2
Instruction Fuzzy Hash: 6241E43525039AF6DF552B689D09BBD3A19E706344F04411AFA16C6393CA71DB4097B2

Function 00CF1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00CF1459
CoUninitialize.COMBASE ref: 00CF14F8
UnregisterHotKey.USER32(?), ref: 00CF16DD
DestroyWindow.USER32(?), ref: 00D324B9
FreeLibrary.KERNEL32(?), ref: 00D3251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00D3254B

Strings

close all, xrefs: 00CF1454

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: d3b52f84cdd7f9a67a74383eefb1fc10e804f30ba0ca9192e4f970809d50ecda
Instruction ID: eaa71f1b9d42df16fd9c9dd864645d2b39c85d24b609bb06bb3224177dd589de
Opcode Fuzzy Hash: d3b52f84cdd7f9a67a74383eefb1fc10e804f30ba0ca9192e4f970809d50ecda
Instruction Fuzzy Hash: 84D12831A01212CFCB69EF15D895B39F7A4BF05710F2841ADE94AAB291DB31AD12CF61

Function 00CF2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00CF2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00CF2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00CF1CAD,?), ref: 00CF2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00CF1CAD,?), ref: 00CF2CCF

Strings

AutoIt v3, xrefs: 00CF2C89, 00CF2C8E, 00CF2C8F
edit, xrefs: 00CF2CAC

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 371968291ec484a67ac7c3c6fb2d503c474d50d8ca7ece204dac4c3ac9a6ca70
Instruction ID: 6b79cd46289f92765fda50ce55544b7fb4193dc85fcc600039f88d702113cf85
Opcode Fuzzy Hash: 371968291ec484a67ac7c3c6fb2d503c474d50d8ca7ece204dac4c3ac9a6ca70
Instruction Fuzzy Hash: 93F0DA795503E2BAEB311757AC08E772EBDD7C7F54B01105AF900E27A1C6751850DEB0

Function 00CF3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00CF3B0F,SwapMouseButtons,00000004,?), ref: 00CF3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00CF3B0F,SwapMouseButtons,00000004,?), ref: 00CF3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00CF3B0F,SwapMouseButtons,00000004,?), ref: 00CF3B83

Strings

Control Panel\Mouse, xrefs: 00CF3B3E

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 26a5f3d65e5296d1b7d9bd2e75172ea3d5df4068addce1e3837f4d6189600e73
Instruction ID: c9b184e63a0cf0f0fdf164e8d5e582320e93b7690d703f149bf43549d418f801
Opcode Fuzzy Hash: 26a5f3d65e5296d1b7d9bd2e75172ea3d5df4068addce1e3837f4d6189600e73
Instruction Fuzzy Hash: 22112AB5521248FFDB618FA5DC54ABEB7B8EF04784B10445AA905D7210D2319F419761

Function 00CF3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00D333A2

Part of subcall function 00CF6B57: _wcslen.LIBCMT ref: 00CF6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00CF3A04

Strings

Line: , xrefs: 00D333EB

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 80604c1189559aeb0ca9717899f28a124d02c3e1806b81ed5228cfa5c65b898b
Instruction ID: 74da053e2b7cc42f1db048168bc5f41dc6dcf24bb4f79d05c843a60e3cf1b701
Opcode Fuzzy Hash: 80604c1189559aeb0ca9717899f28a124d02c3e1806b81ed5228cfa5c65b898b
Instruction Fuzzy Hash: 8331C271408399AAC361EB60DC45FFBB7E8AB41754F00452EF69983192EB709B48C7E3

Function 00D0FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00D10668

Part of subcall function 00D132A4: RaiseException.KERNEL32(?,?,?,00D1068A,?,00DC1444,?,?,?,?,?,?,00D1068A,00CF1129,00DB8738,00CF1129), ref: 00D13304

__CxxThrowException@8.LIBVCRUNTIME ref: 00D10685

Strings

Unknown exception, xrefs: 00D10692

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 038233c0cea723ab4006778aec84a986356da351aa360210c8f2f64089361d43
Instruction ID: 5c21b987d752ea4630f28f5a17831105ff4158a953aaa34d12e77714d2746b25
Opcode Fuzzy Hash: 038233c0cea723ab4006778aec84a986356da351aa360210c8f2f64089361d43
Instruction Fuzzy Hash: 04F0AF3490030DB7CB10B6A4F846DDE7B6D9E00350B704131B918969D1EFB1DAEAC6B0

Function 00CF10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00CF1BF4
Part of subcall function 00CF1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00CF1BFC
Part of subcall function 00CF1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00CF1C07
Part of subcall function 00CF1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00CF1C12
Part of subcall function 00CF1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00CF1C1A
Part of subcall function 00CF1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00CF1C22

Part of subcall function 00CF1B4A: RegisterWindowMessageW.USER32(00000004,?,00CF12C4), ref: 00CF1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00CF136A
OleInitialize.OLE32 ref: 00CF1388
CloseHandle.KERNEL32(00000000,00000000), ref: 00D324AB

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: a48fff0d69f082eb0041403fc56ff9314e09ec4ba884112fedb346fc8a3ed316
Instruction ID: f0377feecc5dcb901d5440b3b5f21a605ace4e4c3a2682b238f0120a656b4cc1
Opcode Fuzzy Hash: a48fff0d69f082eb0041403fc56ff9314e09ec4ba884112fedb346fc8a3ed316
Instruction Fuzzy Hash: 5B719EBC9253279FC784EF79A945E653AF0BB8A340754422ED50AC7363EB3084059F75

Function 00D5C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00CF3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00D5C259
KillTimer.USER32(?,00000001,?,?), ref: 00D5C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00D5C270

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: aec6917b2ccd58a6971610a89472c9e85ff7de94aa4264856fcaf7acbe3400c7
Instruction ID: f896548de681deb1ad8fac92571be3fa4b5646477ddef48669b4f8523f09f69d
Opcode Fuzzy Hash: aec6917b2ccd58a6971610a89472c9e85ff7de94aa4264856fcaf7acbe3400c7
Instruction Fuzzy Hash: 9131D770914344AFEF328F648855BE7BBECAF06309F04149EDADA97242C7745A88CB75

Function 00D286AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00D285CC,?,00DB8CC8,0000000C), ref: 00D28704
GetLastError.KERNEL32(?,00D285CC,?,00DB8CC8,0000000C), ref: 00D2870E
__dosmaperr.LIBCMT ref: 00D28739

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 8066825f7dfaadeb232402e8c827aede49726c1f78a7340653e91c8c66b7d51d
Instruction ID: 01db09a5427d0ae8f38da22e78f549b106d408b059ad35e8f1c9d3994a4bd849
Opcode Fuzzy Hash: 8066825f7dfaadeb232402e8c827aede49726c1f78a7340653e91c8c66b7d51d
Instruction Fuzzy Hash: 63012B3261663066D624A334B849F7E6B598BB177EF3D1119F814CB1D3DEB1CC81A2B0

Function 00CFDB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00CFDB7B
DispatchMessageW.USER32(?), ref: 00CFDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CFDB9F
Sleep.KERNELBASE(0000000A), ref: 00CFDBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00D41CC9

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 75a74397cda6d43e43077f7da3c9854f2da82e819868b4427aed51abf6c16669
Instruction ID: 64b475ff5c305f7400932d5a77066877dee9586705ef47013e1f04ba958416ce
Opcode Fuzzy Hash: 75a74397cda6d43e43077f7da3c9854f2da82e819868b4427aed51abf6c16669
Instruction Fuzzy Hash: 87F05E30614345DBEB70CB618C89FAA73A9EF45351F504A18E61AC31D0DB3094888B36

Function 00D01310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00D017F6

Strings

CALL, xrefs: 00D017C6

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 04d6e25c851a3444d2168bdc006a310f7d0cfbf6d60cec96b17b1f5a9b3d02ad
Instruction ID: b98a19e084091ac0297e5bbbd1d00a71a257a9f5facfdd4c322ece08a83415d2
Opcode Fuzzy Hash: 04d6e25c851a3444d2168bdc006a310f7d0cfbf6d60cec96b17b1f5a9b3d02ad
Instruction Fuzzy Hash: 7E2248746082419FC714DF14C884B2ABBF1FF85314F28895DF59A8B3A1D772E945CBA2

Function 00CF2DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00D32C8C

Part of subcall function 00CF3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00CF3A97,?,?,00CF2E7F,?,?,?,00000000), ref: 00CF3AC2

Part of subcall function 00CF2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00CF2DC4

Strings

X, xrefs: 00D32C5A

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 2fe10bf9241564a3ae3b9f7f7f014c74943e472bfe263653251ede83ca191533
Instruction ID: 79ef315def9f1cf0fbdf3af8d47cfd5de310e733213c6ccb8755a65569c502e7
Opcode Fuzzy Hash: 2fe10bf9241564a3ae3b9f7f7f014c74943e472bfe263653251ede83ca191533
Instruction Fuzzy Hash: 16219371A1029CABCB45DF94C845BEE7BF8AF49304F104059E505B7341DBB89A899F72

Function 00CF3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00CF3908

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 4c3626a0f50e8bb2506db4f85a395b3a15bb87ceaf41f0c71ce9f4d0242a2f30
Instruction ID: a76897e335c2b39f6ba10091b7a5f46b6ad4f2c52986daa7e6f6cea365054a24
Opcode Fuzzy Hash: 4c3626a0f50e8bb2506db4f85a395b3a15bb87ceaf41f0c71ce9f4d0242a2f30
Instruction Fuzzy Hash: ED31A0705043469FD760DF64D884BA7BBE4FB49748F00092EFA99C7381E775AA44CB62

Function 00D0F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00D0F661

Part of subcall function 00CFD733: GetInputState.USER32 ref: 00CFD807

Sleep.KERNEL32(00000000), ref: 00D4F2DE

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 645be1b95cc4e5aaa1d38376e31c9306f27bafba705372c232ac4af9826b395b
Instruction ID: f8f61e76cbbaec67294a67537f19e7e36e04fdb276b6796dc148bcf30f6a76ad
Opcode Fuzzy Hash: 645be1b95cc4e5aaa1d38376e31c9306f27bafba705372c232ac4af9826b395b
Instruction Fuzzy Hash: D3F08C31250309AFD350EF69D859B6AB7F9EF45760F00002AE95AC73A0DBB0AC00DBA1

Function 00CFB710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00CFBB4E

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 1887932cac3350be8bcd96b24c9b39142a0d4e2d376e2b22ee83581d620f998e
Instruction ID: 9042558f10124c9796ad44f8e04c15e4da89e04d915eb8aba100bfa374f7a234
Opcode Fuzzy Hash: 1887932cac3350be8bcd96b24c9b39142a0d4e2d376e2b22ee83581d620f998e
Instruction Fuzzy Hash: 60328074A0020ADFDB14DF54C894FBABBB5EF44350F188059EA15AB391D7B4EE41CBA2

Function 00CFACEB Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4f147549914ce6ef1db74b199835c959e53cca80323211595840efdbeb15b3c
Instruction ID: 986a4088eb3f3b199380e68108eb2adab789a64094c432aea87ea30d0c8c0ba8
Opcode Fuzzy Hash: b4f147549914ce6ef1db74b199835c959e53cca80323211595840efdbeb15b3c
Instruction Fuzzy Hash: 9E31E6B16003089BCB759F19C441B39F3A1EF41712F38482DE69D9A995C779AC81DB73

Function 00CF4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00CF4EDD,?,00DC1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CF4E9C
Part of subcall function 00CF4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00CF4EAE
Part of subcall function 00CF4E90: FreeLibrary.KERNEL32(00000000,?,?,00CF4EDD,?,00DC1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CF4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00DC1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CF4EFD

Part of subcall function 00CF4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00D33CDE,?,00DC1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CF4E62
Part of subcall function 00CF4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00CF4E74
Part of subcall function 00CF4E59: FreeLibrary.KERNEL32(00000000,?,?,00D33CDE,?,00DC1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CF4E87

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: ae393ea90415e3afbb63a6292f5faa7ab48124c08c5e8fb4ccf9f7177745709b
Instruction ID: d0517bb3ef237b79d89eedbc2cc2de42edc5125ff697c8bdd83ebc4870e24de4
Opcode Fuzzy Hash: ae393ea90415e3afbb63a6292f5faa7ab48124c08c5e8fb4ccf9f7177745709b
Instruction Fuzzy Hash: BF11E731610209ABDB58FBA4DD02FBE77A59F40710F20842DF646A61C1DE709A45A761

Function 00D28402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00D28440

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 946cdc89a01bba6fe657ee752530d35dbccbfd7a2d51df6cb60f7b2ca0c58643
Instruction ID: 14416826334c24d8fadeaec1d36458212a427ccee71d807a95fc874d72b23f42
Opcode Fuzzy Hash: 946cdc89a01bba6fe657ee752530d35dbccbfd7a2d51df6cb60f7b2ca0c58643
Instruction Fuzzy Hash: B411187590420AAFCB05DF58E94199ABBF5EF48314F144059F808AB312DA31DA21DBB5

Function 00D25000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D24C7D: RtlAllocateHeap.NTDLL(00000008,00CF1129,00000000,?,00D22E29,00000001,00000364,?,?,?,00D1F2DE,00D23863,00DC1444,?,00D0FDF5,?), ref: 00D24CBE

_free.LIBCMT ref: 00D2506C

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 614027ca369b2cff21d7effe04b98c5787161b20108390a2f0ca858dd0e0198e
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 060104722046146BE3218E69AC81E5AFBE8EB99374F69051DE58483280EA30A80587B4

Function 00D1E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 237064a22ca5e0e73773b5494014583a5a397a54ddee10f211a520534a6696c3
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 01F0F432511A20BAC6313B69BC05BDA3399DF62339F140B15FC21931D2CF70E8828AB5

Function 00D24C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00CF1129,00000000,?,00D22E29,00000001,00000364,?,?,?,00D1F2DE,00D23863,00DC1444,?,00D0FDF5,?), ref: 00D24CBE

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b757b384f7b7e6735e3cc703680d4b8e34cda15caafd0964bc9850c444ec6196
Instruction ID: 40644286f6a208d3919c9c7d50384d96e90ad7e6f35ae1f63317e088454081b5
Opcode Fuzzy Hash: b757b384f7b7e6735e3cc703680d4b8e34cda15caafd0964bc9850c444ec6196
Instruction Fuzzy Hash: C2F0E931607335B7DB215F6AFD09F9A3788FFA17A8B184121BC15E6285CE71D801A6F0

Function 00D23820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00DC1444,?,00D0FDF5,?,?,00CFA976,00000010,00DC1440,00CF13FC,?,00CF13C6,?,00CF1129), ref: 00D23852

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 628136ff6fcabc7b4986bcb0df3a31ffa1952332fc57ac989a72dac3e8a3f220
Instruction ID: 022604bc8c92cfeadaa57e83320059c8df784f4126ff28718704adaf9790e3a7
Opcode Fuzzy Hash: 628136ff6fcabc7b4986bcb0df3a31ffa1952332fc57ac989a72dac3e8a3f220
Instruction Fuzzy Hash: FEE0E532201335A6D6212666BC04BDAB659EF62BB8F1A0020BD45DA681CF29DD0182F0

Function 00CF4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00DC1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CF4F6D

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: a9a822e164d8ef321f3e95a0b2c38b90cc372c41615feeb4cb309441983435e3
Instruction ID: 216924185598fe60ebdedb3592b4661c36a92a7cb6cad1289fc305ef392c9185
Opcode Fuzzy Hash: a9a822e164d8ef321f3e95a0b2c38b90cc372c41615feeb4cb309441983435e3
Instruction Fuzzy Hash: 62F01C71505755CFDB789FA5D494823B7E4AF14329310896EE2EE82621CB319884DB21

Function 00D82A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00D82A66

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 6c8893718f7dd059cc2e5a5f4376ac732345931038be2cc031c29f712090ccf2
Instruction ID: 9f288e484ebf158df37de26a68719f2d19e0bd995317f2e9d96ee3c97223bdf9
Opcode Fuzzy Hash: 6c8893718f7dd059cc2e5a5f4376ac732345931038be2cc031c29f712090ccf2
Instruction Fuzzy Hash: 42E04F76350216AACB18FB30DC808FE735CEF503957104536BC66C2210EB30D9958BB0

Function 00CF30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00CF314E

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: c8a8374cd5c213d1fa598bef2d277d17bf19b16583766b5068a1fe91d3c7bcb5
Instruction ID: b456e1dfdcc1cc2a51c526509085451af7e5de0a84a37edb154eae24ae1ce283
Opcode Fuzzy Hash: c8a8374cd5c213d1fa598bef2d277d17bf19b16583766b5068a1fe91d3c7bcb5
Instruction Fuzzy Hash: C4F0A7709103599FE7529B64DC45BD97BBCB70170CF0000E9A688D6283DB705798CF61

Function 00CF2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00CF2DC4

Part of subcall function 00CF6B57: _wcslen.LIBCMT ref: 00CF6B6A

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 98bb1462a2d0d4a5161a93a6d1f07c84ac1386957c8ff2d0b8284bec58549672
Instruction ID: 0db0077ab5c03a08177456396d265002a29432d4c1a51746b01df87fa073c390
Opcode Fuzzy Hash: 98bb1462a2d0d4a5161a93a6d1f07c84ac1386957c8ff2d0b8284bec58549672
Instruction Fuzzy Hash: ADE0C276A042285BCB20A2989C06FEA77EDDFC8790F0400B1FD09E7248DA70AD8086B1

Function 00CF2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00CF3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00CF3908

Part of subcall function 00CFD733: GetInputState.USER32 ref: 00CFD807

SetCurrentDirectoryW.KERNEL32(?), ref: 00CF2B6B

Part of subcall function 00CF30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00CF314E

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 807c6201e1e5328efe65ad68531c0850c449cc136b979973b36159044556d505
Instruction ID: d94b69010a7ab7bf647129d1708349a6a7cc6c2628384155997b47db7f5ac8fa
Opcode Fuzzy Hash: 807c6201e1e5328efe65ad68531c0850c449cc136b979973b36159044556d505
Instruction Fuzzy Hash: 55E0863131439E17CA48BB75985297DA759DBD2352F40153FF743872A3CE2486455363

Function 00D3039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00D30704,?,?,00000000,?,00D30704,00000000,0000000C), ref: 00D303B7

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1c38ad555d5fd5422162e92fe5fafeab825863a00be14226419cb6482411ee68
Instruction ID: 4704a12f7b9885404963e6e88ce33170fbf5293f141462a844f1e9ade4749993
Opcode Fuzzy Hash: 1c38ad555d5fd5422162e92fe5fafeab825863a00be14226419cb6482411ee68
Instruction Fuzzy Hash: 9AD06C3205020DFBDF028F84DD46EDA3BAAFB48714F014000BE1896120C732E821ABA0

Function 00CF1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00CF1CBC

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 2d2768d3ce7f3ec27ce3a99bb04cf4742bc1b9d9642ddaeb6c60c79eb7562add
Instruction ID: 1f5664de20243c50ced5969f9a43acc97790b9de40d95d71a571bdb374637396
Opcode Fuzzy Hash: 2d2768d3ce7f3ec27ce3a99bb04cf4742bc1b9d9642ddaeb6c60c79eb7562add
Instruction Fuzzy Hash: 54C04C352A03069AE6145780BC4AF117764A348B04F044001F609D5AE382A124119670

Non-executed Functions

Function 00D89576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00D09BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D09BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00D8961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D8965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00D8969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D896C9
SendMessageW.USER32 ref: 00D896F2
GetKeyState.USER32(00000011), ref: 00D8978B
GetKeyState.USER32(00000009), ref: 00D89798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D897AE
GetKeyState.USER32(00000010), ref: 00D897B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D897E9
SendMessageW.USER32 ref: 00D89810
SendMessageW.USER32(?,00001030,?,00D87E95), ref: 00D89918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00D8992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00D89941
SetCapture.USER32(?), ref: 00D8994A
ClientToScreen.USER32(?,?), ref: 00D899AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00D899BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00D899D6
ReleaseCapture.USER32 ref: 00D899E1
GetCursorPos.USER32(?), ref: 00D89A19
ScreenToClient.USER32(?,?), ref: 00D89A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00D89A80
SendMessageW.USER32 ref: 00D89AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00D89AEB
SendMessageW.USER32 ref: 00D89B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00D89B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00D89B4A
GetCursorPos.USER32(?), ref: 00D89B68
ScreenToClient.USER32(?,?), ref: 00D89B75
GetParent.USER32(?), ref: 00D89B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00D89BFA
SendMessageW.USER32 ref: 00D89C2B
ClientToScreen.USER32(?,?), ref: 00D89C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00D89CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00D89CDE
SendMessageW.USER32 ref: 00D89D01
ClientToScreen.USER32(?,?), ref: 00D89D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00D89D82

Part of subcall function 00D09944: GetWindowLongW.USER32(?,000000EB), ref: 00D09952

GetWindowLongW.USER32(?,000000F0), ref: 00D89E05

Strings

@GUI_DRAGID, xrefs: 00D8997D
F, xrefs: 00D89D07

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 4d39bae2f685a4a051fc04477a1c34173f908356cf60ee827cd1f418cbad1944
Instruction ID: 193a7e44537eabc472476196071bc1cc7e6135dd7f5c0461257484d92967a391
Opcode Fuzzy Hash: 4d39bae2f685a4a051fc04477a1c34173f908356cf60ee827cd1f418cbad1944
Instruction Fuzzy Hash: E8425874214301AFDB25EF28CC65EBABBE5EF49310F180619F699872A1E731E854CF61

Function 00D84873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00D848F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00D84908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00D84927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00D8494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00D8495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00D8497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00D849AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00D849D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00D84A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00D84A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00D84A7E
IsMenu.USER32(?), ref: 00D84A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D84AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D84B20
GetWindowLongW.USER32(?,000000F0), ref: 00D84B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00D84BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00D84C82
wsprintfW.USER32 ref: 00D84CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00D84CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00D84CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00D84D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00D84D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00D84D5A

Strings

%d/%02d/%02d, xrefs: 00D84CA8

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: dc556687b30d3249d73bba2f0e489310b72313746080ec2f9ed3912499b6738e
Instruction ID: c116ed7787ad4a345d0681b6fab9e7aedc92359eb6846569832c02f570832676
Opcode Fuzzy Hash: dc556687b30d3249d73bba2f0e489310b72313746080ec2f9ed3912499b6738e
Instruction Fuzzy Hash: E912EE71610256ABEB25AF28CC49FAE7BB8EF45310F144129F51AEB2E1DB74D940CB70

Function 00D0F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00D0F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D4F474
IsIconic.USER32(00000000), ref: 00D4F47D
ShowWindow.USER32(00000000,00000009), ref: 00D4F48A
SetForegroundWindow.USER32(00000000), ref: 00D4F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00D4F4AA
GetCurrentThreadId.KERNEL32 ref: 00D4F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00D4F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00D4F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00D4F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00D4F4DE
SetForegroundWindow.USER32(00000000), ref: 00D4F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D4F4F6
keybd_event.USER32(00000012,00000000), ref: 00D4F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D4F50B
keybd_event.USER32(00000012,00000000), ref: 00D4F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D4F519
keybd_event.USER32(00000012,00000000), ref: 00D4F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D4F528
keybd_event.USER32(00000012,00000000), ref: 00D4F52D
SetForegroundWindow.USER32(00000000), ref: 00D4F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00D4F557

Strings

Shell_TrayWnd, xrefs: 00D4F46F

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 112eeb77d8266abce96c1a5ff16830639164e25570a2d3f5a3f6fa21b26c7533
Instruction ID: 08efa7bf4b0807c484198b25b411563df788a88e01fb66e03ae74eeb2d41e460
Opcode Fuzzy Hash: 112eeb77d8266abce96c1a5ff16830639164e25570a2d3f5a3f6fa21b26c7533
Instruction Fuzzy Hash: 17314371A60318BBEB206BB59C4AFBF7E6CEB44B50F141065F605E62E1D6B19D00AB70

Function 00D51201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00D516C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D5170D
Part of subcall function 00D516C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D5173A
Part of subcall function 00D516C3: GetLastError.KERNEL32 ref: 00D5174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00D51286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00D512A8
CloseHandle.KERNEL32(?), ref: 00D512B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00D512D1
GetProcessWindowStation.USER32 ref: 00D512EA
SetProcessWindowStation.USER32(00000000), ref: 00D512F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00D51310

Part of subcall function 00D510BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00D511FC), ref: 00D510D4
Part of subcall function 00D510BF: CloseHandle.KERNEL32(?,?,00D511FC), ref: 00D510E9

Strings

winsta0, xrefs: 00D512CC
default, xrefs: 00D5130B
, xrefs: 00D5125A

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 610284f0fcd3805af0dcc2f1312ab9d1b6461d4dda4baea45e74fa677245326b
Instruction ID: 01c74f9c1c8854ff88c982f11a87ef90e5115c2a2343bca7b405f0b23d865b44
Opcode Fuzzy Hash: 610284f0fcd3805af0dcc2f1312ab9d1b6461d4dda4baea45e74fa677245326b
Instruction Fuzzy Hash: 7A817575A10209ABDF209FA4DC49FEE7BB9EF08705F185129FD11E62A0D7758A48CB30

Function 00D50B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D510F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D51114
Part of subcall function 00D510F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00D50B9B,?,?,?), ref: 00D51120
Part of subcall function 00D510F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00D50B9B,?,?,?), ref: 00D5112F
Part of subcall function 00D510F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00D50B9B,?,?,?), ref: 00D51136
Part of subcall function 00D510F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D5114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00D50BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00D50C00
GetLengthSid.ADVAPI32(?), ref: 00D50C17
GetAce.ADVAPI32(?,00000000,?), ref: 00D50C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00D50C6D
GetLengthSid.ADVAPI32(?), ref: 00D50C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00D50C8C
HeapAlloc.KERNEL32(00000000), ref: 00D50C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00D50CB4
CopySid.ADVAPI32(00000000), ref: 00D50CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00D50CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00D50D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00D50D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D50D45
HeapFree.KERNEL32(00000000), ref: 00D50D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D50D55
HeapFree.KERNEL32(00000000), ref: 00D50D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D50D65
HeapFree.KERNEL32(00000000), ref: 00D50D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00D50D78
HeapFree.KERNEL32(00000000), ref: 00D50D7F

Part of subcall function 00D51193: GetProcessHeap.KERNEL32(00000008,00D50BB1,?,00000000,?,00D50BB1,?), ref: 00D511A1
Part of subcall function 00D51193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00D50BB1,?), ref: 00D511A8
Part of subcall function 00D51193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00D50BB1,?), ref: 00D511B7

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: a47b9cf0af62fc18e9a99d9e23322007fe66d288c1f1a041f831d8a1c192c5e1
Instruction ID: b42d468093f81fa8ae1efa1b31efe08764d031d4560544b27fc0f384fd0d8e48
Opcode Fuzzy Hash: a47b9cf0af62fc18e9a99d9e23322007fe66d288c1f1a041f831d8a1c192c5e1
Instruction Fuzzy Hash: 6F7149B6A1020AEBDF109FA4DC88FEEBBBCAF05341F184515ED14E6291D771A909CB70

Function 00D6EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00D8CC08), ref: 00D6EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00D6EB37
GetClipboardData.USER32(0000000D), ref: 00D6EB43
CloseClipboard.USER32 ref: 00D6EB4F
GlobalLock.KERNEL32(00000000), ref: 00D6EB87
CloseClipboard.USER32 ref: 00D6EB91
GlobalUnlock.KERNEL32(00000000), ref: 00D6EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00D6EBC9
GetClipboardData.USER32(00000001), ref: 00D6EBD1
GlobalLock.KERNEL32(00000000), ref: 00D6EBE2
GlobalUnlock.KERNEL32(00000000), ref: 00D6EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00D6EC38
GetClipboardData.USER32(0000000F), ref: 00D6EC44
GlobalLock.KERNEL32(00000000), ref: 00D6EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00D6EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00D6EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00D6ECD2
GlobalUnlock.KERNEL32(00000000), ref: 00D6ECF3
CountClipboardFormats.USER32 ref: 00D6ED14
CloseClipboard.USER32 ref: 00D6ED59

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: d095e5cc252802143ab24454b2544788a5cdb181c93160e90b7d0dcaa338ab79
Instruction ID: 376edda475d01b4157df9c1b129a8156b6317a70d1273bd3ce9e139bf196e9e3
Opcode Fuzzy Hash: d095e5cc252802143ab24454b2544788a5cdb181c93160e90b7d0dcaa338ab79
Instruction Fuzzy Hash: 6661DD38214306AFD300EF24D889F7AB7A4EF84754F185519F586C72A2DB71E909DBB2

Function 00D6698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00D669BE
FindClose.KERNEL32(00000000), ref: 00D66A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00D66A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00D66A75

Part of subcall function 00CF9CB3: _wcslen.LIBCMT ref: 00CF9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00D66AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00D66ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00D66B6A
%03d, xrefs: 00D66DA2
%4d, xrefs: 00D66BB1
%02d, xrefs: 00D66C00, 00D66C0A, 00D66C5A, 00D66CAA, 00D66CFA, 00D66D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00D66B32

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 3547065ef8164dc47fb6eed84f6e5c3a8ed79f83e76a7a5954dcfd2405c56033
Instruction ID: e46d267763a0749c8a35c3413a4e1f7f433181ba0f0aa6260070a055887b1f79
Opcode Fuzzy Hash: 3547065ef8164dc47fb6eed84f6e5c3a8ed79f83e76a7a5954dcfd2405c56033
Instruction Fuzzy Hash: E3D13E71508304AFC754EBA4C991EBBB7ECAF88704F044919F689C6291EB74DA44DB62

Function 00D69642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00D69663
GetFileAttributesW.KERNEL32(?), ref: 00D696A1
SetFileAttributesW.KERNEL32(?,?), ref: 00D696BB
FindNextFileW.KERNEL32(00000000,?), ref: 00D696D3
FindClose.KERNEL32(00000000), ref: 00D696DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00D696FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00D6974A
SetCurrentDirectoryW.KERNEL32(00DB6B7C), ref: 00D69768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D69772
FindClose.KERNEL32(00000000), ref: 00D6977F
FindClose.KERNEL32(00000000), ref: 00D6978F

Strings

*.*, xrefs: 00D696F5

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 1e410a05d7ca7b9ed0c88650f01e1ec32e287c34df2f12b13733476c341de906
Instruction ID: 5f266123f43fe06b7b6abcb72df4807e49b2cc4703c2f9b1c0f7d04dae7de8c7
Opcode Fuzzy Hash: 1e410a05d7ca7b9ed0c88650f01e1ec32e287c34df2f12b13733476c341de906
Instruction Fuzzy Hash: 8A31A232550319AFDF14AFB4EC59AEEB7ACDF49321F144165F815E2190DB34D9848B38

Function 00D6979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00D697BE
FindNextFileW.KERNEL32(00000000,?), ref: 00D69819
FindClose.KERNEL32(00000000), ref: 00D69824
FindFirstFileW.KERNEL32(*.*,?), ref: 00D69840
SetCurrentDirectoryW.KERNEL32(?), ref: 00D69890
SetCurrentDirectoryW.KERNEL32(00DB6B7C), ref: 00D698AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D698B8
FindClose.KERNEL32(00000000), ref: 00D698C5
FindClose.KERNEL32(00000000), ref: 00D698D5

Part of subcall function 00D5DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00D5DB00

Strings

*.*, xrefs: 00D6983B

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: faa2186179b014bd1f1e0a0850f8c2a8834e019fdd2f92414152bbaedd61f567
Instruction ID: 893ec0c29192dd285c53263140794fda9ca869b560a37fca80a0d0817d3c6796
Opcode Fuzzy Hash: faa2186179b014bd1f1e0a0850f8c2a8834e019fdd2f92414152bbaedd61f567
Instruction Fuzzy Hash: 56319032550619AFDB10AFB4EC58ADEB7ACDF4A320F184156E854E3190DB34DA89CB78

Function 00D7BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D7C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D7B6AE,?,?), ref: 00D7C9B5
Part of subcall function 00D7C998: _wcslen.LIBCMT ref: 00D7C9F1
Part of subcall function 00D7C998: _wcslen.LIBCMT ref: 00D7CA68
Part of subcall function 00D7C998: _wcslen.LIBCMT ref: 00D7CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D7BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00D7BFA9
RegCloseKey.ADVAPI32(00000000), ref: 00D7BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00D7C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00D7C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00D7C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00D7C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00D7C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00D7C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00D7C382
RegCloseKey.ADVAPI32(00000000), ref: 00D7C38F

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: a54bd1710cbc88c99ce660b81be2aebb8b77e62ad366f9b8fa802b48ed0443e5
Instruction ID: ba87ba16d4b3a7e5e1095b5279918f7fd5f89e42674fe2eac1ef3d6ecc3daf17
Opcode Fuzzy Hash: a54bd1710cbc88c99ce660b81be2aebb8b77e62ad366f9b8fa802b48ed0443e5
Instruction Fuzzy Hash: 48024F71614200AFD714DF28C895E2ABBE5EF49318F18C49DF84ADB2A2D731ED45CB62

Function 00D68195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00D68257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00D68267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00D68273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00D68310
SetCurrentDirectoryW.KERNEL32(?), ref: 00D68324
SetCurrentDirectoryW.KERNEL32(?), ref: 00D68356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00D6838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00D68395

Strings

*.*, xrefs: 00D6839B

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: f75a6906c4266a556200357813a6c4815bdeb10c86a1bfaf638699fc7f00d092
Instruction ID: f38c5d94bce07ebf361ad851f5239d8c896186838a8a36cabc1d3edb78612403
Opcode Fuzzy Hash: f75a6906c4266a556200357813a6c4815bdeb10c86a1bfaf638699fc7f00d092
Instruction Fuzzy Hash: FD617CB25043059FCB10EF64C8509AEB3E9FF89314F04491EF989C7251DB35E945DBA2

Function 00D5D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00CF3A97,?,?,00CF2E7F,?,?,?,00000000), ref: 00CF3AC2

Part of subcall function 00D5E199: GetFileAttributesW.KERNEL32(?,00D5CF95), ref: 00D5E19A

FindFirstFileW.KERNEL32(?,?), ref: 00D5D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00D5D1DD
MoveFileW.KERNEL32(?,?), ref: 00D5D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00D5D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D5D237

Part of subcall function 00D5D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00D5D21C,?,?), ref: 00D5D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00D5D253
FindClose.KERNEL32(00000000), ref: 00D5D264

Strings

\*.*, xrefs: 00D5D0CD, 00D5D0D6, 00D5D0EB

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 879312a500ee1f7b383ab8a8b0fe971ac2f2a77829710dbd3ff00c6f9a84d394
Instruction ID: 1e36b84ae4099eaee4e2351fa53b14023319b8b3882ad0a47e23a58934ee0f27
Opcode Fuzzy Hash: 879312a500ee1f7b383ab8a8b0fe971ac2f2a77829710dbd3ff00c6f9a84d394
Instruction Fuzzy Hash: 9D616D3180120DAACF15EBE0C952AFDB7B6AF55341F244165E906B72A1EB30AF0DDB71

Function 00D6ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00D6ED91
EmptyClipboard.USER32 ref: 00D6ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00D6EDAC
CloseClipboard.USER32 ref: 00D6EEA3

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 1e915c4b815a5165dc8c5e0689cddba6b143b02a4f506b26681b07acbb1095f9
Instruction ID: 1004530e5e124840b52895f80187b3a580293eb2f60d2f5c381a1b4c28af4f14
Opcode Fuzzy Hash: 1e915c4b815a5165dc8c5e0689cddba6b143b02a4f506b26681b07acbb1095f9
Instruction Fuzzy Hash: DE417C39214611EFE710DF19E889B29BBA5EF44318F188099E4558B7A2D736EC41CBA0

Function 00D5E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00D516C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D5170D
Part of subcall function 00D516C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D5173A
Part of subcall function 00D516C3: GetLastError.KERNEL32 ref: 00D5174A

ExitWindowsEx.USER32(?,00000000), ref: 00D5E932

Strings

@, xrefs: 00D5E925
, xrefs: 00D5E920
SeShutdownPrivilege, xrefs: 00D5E902
, xrefs: 00D5E95C

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: f6fb885eab734fbc7cbd70a4bcf934c682d8d928358a59df0310a5748b6ba0c4
Instruction ID: 7cb45cbb37c1d7c16735c2cef0f03a074fa057ade093e586f3f78377a8ab0475
Opcode Fuzzy Hash: f6fb885eab734fbc7cbd70a4bcf934c682d8d928358a59df0310a5748b6ba0c4
Instruction Fuzzy Hash: 9E01A772A20311ABEF583774AC86BBA735CDB14752F190422FC13E21D1D5649D488EB4

Function 00D71204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00D71276
WSAGetLastError.WSOCK32 ref: 00D71283
bind.WSOCK32(00000000,?,00000010), ref: 00D712BA
WSAGetLastError.WSOCK32 ref: 00D712C5
closesocket.WSOCK32(00000000), ref: 00D712F4
listen.WSOCK32(00000000,00000005), ref: 00D71303
WSAGetLastError.WSOCK32 ref: 00D7130D
closesocket.WSOCK32(00000000), ref: 00D7133C

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 31f66b1e65828c8627dc5a25e0b0191420b60a7406212878e7ca3ce4b8a2a313
Instruction ID: 3b013022ac3511071311e8a3b78e92ba5089954cb45d3d9ba557cc2096443e97
Opcode Fuzzy Hash: 31f66b1e65828c8627dc5a25e0b0191420b60a7406212878e7ca3ce4b8a2a313
Instruction Fuzzy Hash: AF415D356002019FD710DF68C489B29BBE6AF46318F18C298E95A9F393D771ED85CBB1

Function 00D5D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00CF3A97,?,?,00CF2E7F,?,?,?,00000000), ref: 00CF3AC2

Part of subcall function 00D5E199: GetFileAttributesW.KERNEL32(?,00D5CF95), ref: 00D5E19A

FindFirstFileW.KERNEL32(?,?), ref: 00D5D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00D5D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D5D481
FindClose.KERNEL32(00000000), ref: 00D5D498
FindClose.KERNEL32(00000000), ref: 00D5D4A1

Strings

\*.*, xrefs: 00D5D3F2

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 5c5c0600d0ca17f50439d9afd0efca41ba1411d8c2929e4de4e717dc6592e738
Instruction ID: f22ee7e52d1757f59c6e538dd7a07444d9c3af57b433d9abd593faf23606b85d
Opcode Fuzzy Hash: 5c5c0600d0ca17f50439d9afd0efca41ba1411d8c2929e4de4e717dc6592e738
Instruction Fuzzy Hash: 3031BE71018349ABC710EF64C8919BFB7E8AE91341F444A1DF9D5822A1EB30EA0DD773

Function 00D2E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00D2E645

Strings

1#SNAN, xrefs: 00D2F844
1#IND, xrefs: 00D2F83D
1#QNAN, xrefs: 00D2F84B
1#INF, xrefs: 00D2F852

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 1a3719b79ecb39a7d962a599b5fce3c98e936e2ce040ba316f083c76cef3c4ff
Instruction ID: 58278437ac0d9d4dc741980f9392d6d55ce069c1ffd2d7bf45204fc88c1a3b2b
Opcode Fuzzy Hash: 1a3719b79ecb39a7d962a599b5fce3c98e936e2ce040ba316f083c76cef3c4ff
Instruction Fuzzy Hash: 51C23C71E086288FDB25CF28ED407EAB7B5EB54309F1845EAD44DE7241E774AE818F60

Function 00D6648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D664DC
CoInitialize.OLE32(00000000), ref: 00D66639
CoCreateInstance.OLE32(00D8FCF8,00000000,00000001,00D8FB68,?), ref: 00D66650
CoUninitialize.OLE32 ref: 00D668D4

Strings

.lnk, xrefs: 00D664BA, 00D66524, 00D665E0

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 40eaf80adfe6694e3649ec28c8196484637e84f2355cf8cefea35112e8c436ba
Instruction ID: 3761df91ab86cad94314f8b2687e87603257f29d3213862c035dcfbf28dfa0e7
Opcode Fuzzy Hash: 40eaf80adfe6694e3649ec28c8196484637e84f2355cf8cefea35112e8c436ba
Instruction Fuzzy Hash: 4ED14B71608305AFC314EF64C881A6BB7E9FF94704F14496DF5968B2A1DB70ED09CBA2

Function 00D722DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00D722E8

Part of subcall function 00D6E4EC: GetWindowRect.USER32(?,?), ref: 00D6E504

GetDesktopWindow.USER32 ref: 00D72312
GetWindowRect.USER32(00000000), ref: 00D72319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00D72355
GetCursorPos.USER32(?), ref: 00D72381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00D723DF

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: b3f3502ee8ad30b4023dbde2486cae4f536d9d12968ca91eeb3e2bfe82adade8
Instruction ID: e53bf0450ca72008ddcd35185978d6fae0705e38ec98cdbf604fff5ff9436d90
Opcode Fuzzy Hash: b3f3502ee8ad30b4023dbde2486cae4f536d9d12968ca91eeb3e2bfe82adade8
Instruction Fuzzy Hash: E031CF72504355ABDB20DF14D845A6BBBAAFF84310F00491DF989D7291EB34EA08CBB2

Function 00D69B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF9CB3: _wcslen.LIBCMT ref: 00CF9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00D69B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00D69C8B

Part of subcall function 00D63874: GetInputState.USER32 ref: 00D638CB
Part of subcall function 00D63874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D63966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00D69BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00D69C75

Strings

*.*, xrefs: 00D69B5D

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 26d1589f3a29fadae5ea4bbf0be6e6e8a5204bdbeec97c3510d76410721a7718
Instruction ID: 0db8023fc8a4bd34b5d7397b0f3630a9d228ecc9c281612e337389598cd30ccb
Opcode Fuzzy Hash: 26d1589f3a29fadae5ea4bbf0be6e6e8a5204bdbeec97c3510d76410721a7718
Instruction Fuzzy Hash: 95416D7194020AEFCF54DFA4C999AEEBBB8EF45350F244056F805A2291EB309E84DF71

Function 00D0997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00D09BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D09BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00D09A4E
GetSysColor.USER32(0000000F), ref: 00D09B23
SetBkColor.GDI32(?,00000000), ref: 00D09B36

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: a2b3b94d2aee9a5b59d29d8fcd5f74bdbd7a18d687b175c07bb2ec3ff4cd0db6
Instruction ID: 9de35bcfcd41db9927cf65247c222311cda736d60bec16ef1cb2a8abdf85d296
Opcode Fuzzy Hash: a2b3b94d2aee9a5b59d29d8fcd5f74bdbd7a18d687b175c07bb2ec3ff4cd0db6
Instruction Fuzzy Hash: 2CA12570309550BFE728AA2C8CA8F7BBA9DDB86310F190209F096D66D3CB25DD01D776

Function 00D71806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D7304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00D7307A
Part of subcall function 00D7304E: _wcslen.LIBCMT ref: 00D7309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00D7185D
WSAGetLastError.WSOCK32 ref: 00D71884
bind.WSOCK32(00000000,?,00000010), ref: 00D718DB
WSAGetLastError.WSOCK32 ref: 00D718E6
closesocket.WSOCK32(00000000), ref: 00D71915

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 2cb30d727535a9561853f6a2cb0cc93ef4ee92724f382aad97b748a29b8bd075
Instruction ID: 493fe50b7fd47620e8a1bbc53333fa5d845c152018c195a30ccd8e495409a6c0
Opcode Fuzzy Hash: 2cb30d727535a9561853f6a2cb0cc93ef4ee92724f382aad97b748a29b8bd075
Instruction Fuzzy Hash: 6651B275A00204AFD710AF28C886F3A77E5AB48718F088158FA599F3D3D771ED418BB2

Function 00D81C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00D81CC0
IsWindowEnabled.USER32 ref: 00D81CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00D81CDB
IsIconic.USER32 ref: 00D81CE9
IsZoomed.USER32 ref: 00D81CF7

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: a089e568c901a16953748699e455288e2de8c34d3055a1545f04badedd173bef
Instruction ID: 77ed67910d00d68b1b4039ab920706fccd28359ad6c3ac15f991e0229c2f4a61
Opcode Fuzzy Hash: a089e568c901a16953748699e455288e2de8c34d3055a1545f04badedd173bef
Instruction Fuzzy Hash: 3721D3357502019FD720AF1AC884B2ABBA9EF85314B1D8068E846CB351C771EC47CBB0

Function 00CF8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00CF843C
ERCP, xrefs: 00CF813C
VUUU, xrefs: 00D35DF0
VUUU, xrefs: 00CF83E8
VUUU, xrefs: 00CF83FA

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: c71dd8f5efef0b7e7d8d9059af3e67fb60b97c6d0f693940fa69e467fbdf0090
Instruction ID: fbd44d2a47def798d0548943f2c2f8d3600353822e3d927b4676aa4795f09821
Opcode Fuzzy Hash: c71dd8f5efef0b7e7d8d9059af3e67fb60b97c6d0f693940fa69e467fbdf0090
Instruction Fuzzy Hash: 11A27E75A0061ECBDF64CF58C8407BEB7B1BF54314F2881AAE915AB284DB70DE85CB61

Function 00D5AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00D5AAAC
SetKeyboardState.USER32(00000080), ref: 00D5AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00D5AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00D5AB88

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 0a968c21ccc6b09a6cdd6e2cf9a9119eb24e1f45a07a45f10669ea9f97f20e23
Instruction ID: fa1bd77cc2e7f4147fcb3cbabf2c5dbb52a03aa94117170669d04d2420192c27
Opcode Fuzzy Hash: 0a968c21ccc6b09a6cdd6e2cf9a9119eb24e1f45a07a45f10669ea9f97f20e23
Instruction Fuzzy Hash: 2831FA30A50268AEFF358A6CCC05BFA77A6AB45312F08431BFD91961D1D3758989C7F2

Function 00D2BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00D2BB7F

Part of subcall function 00D229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00D2D7D1,00000000,00000000,00000000,00000000,?,00D2D7F8,00000000,00000007,00000000,?,00D2DBF5,00000000), ref: 00D229DE
Part of subcall function 00D229C8: GetLastError.KERNEL32(00000000,?,00D2D7D1,00000000,00000000,00000000,00000000,?,00D2D7F8,00000000,00000007,00000000,?,00D2DBF5,00000000,00000000), ref: 00D229F0

GetTimeZoneInformation.KERNEL32 ref: 00D2BB91
WideCharToMultiByte.KERNEL32(00000000,?,00DC121C,000000FF,?,0000003F,?,?), ref: 00D2BC09
WideCharToMultiByte.KERNEL32(00000000,?,00DC1270,000000FF,?,0000003F,?,?,?,00DC121C,000000FF,?,0000003F,?,?), ref: 00D2BC36

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 29cc640df661125f7e181997182c56e00c1fa2f201083494722518769d3c85b5
Instruction ID: 9c81d39b64553bb5c75dc8d02a41742a411c78f0227d818237f275563e1627ca
Opcode Fuzzy Hash: 29cc640df661125f7e181997182c56e00c1fa2f201083494722518769d3c85b5
Instruction Fuzzy Hash: F831C074904226DFCB10DF68EC81969FBB8FF66324718426AE060E73A2D7709D00DB70

Function 00D6CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00D6CE89
GetLastError.KERNEL32(?,00000000), ref: 00D6CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00D6CEFE

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: ae2ea2023444b4e65b6999884e16655df031e4a26d91a4f6c0190116e83fa195
Instruction ID: 89bb90307e323b9f061a80340a9de414c823299f1651c9eab0337580c31c32d7
Opcode Fuzzy Hash: ae2ea2023444b4e65b6999884e16655df031e4a26d91a4f6c0190116e83fa195
Instruction Fuzzy Hash: 5421AC71620305EBEB20DF65D948BA6B7F8EF10314F14541AEA86D2152EB71EE448B74

Function 00D58298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00D582AA

Strings

(, xrefs: 00D582F0
|, xrefs: 00D582DA

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: c9c47044c0ae050c287614915d3740ea417e062d85929fdfb9557811b737a6fd
Instruction ID: c4204be85482b8909b14981b3e3b612c3338374a092d1011add98b640a6bf7fb
Opcode Fuzzy Hash: c9c47044c0ae050c287614915d3740ea417e062d85929fdfb9557811b737a6fd
Instruction Fuzzy Hash: 21323775A00705DFDB28CF59C481A6AB7F0FF48710B15846EE89AEB3A1EB70E941CB54

Function 00D65C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00D65CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00D65D17
FindClose.KERNEL32(?), ref: 00D65D5F

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 7eeee83b24750bd6ebf116a399f71543c524d15b54ed7dc3838c1521bbc7d264
Instruction ID: 42907216107b69a55697a9359e7db4965156a388eec19825359a036942795b3b
Opcode Fuzzy Hash: 7eeee83b24750bd6ebf116a399f71543c524d15b54ed7dc3838c1521bbc7d264
Instruction Fuzzy Hash: 4B518A34604A019FC714CF28D494E9AB7E4FF49314F14855DE99A8B3A2CB30ED84CFA1

Function 00D22622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00D2271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00D22724
UnhandledExceptionFilter.KERNEL32(?), ref: 00D22731

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 7cc24e7a787b2b3ede11535003d8f78cd35f92f3cb41c811415afe9ab8229cbd
Instruction ID: ec1296c6b9fe52d7ab20a73407ecfa620397490c9897629810046b54da918db6
Opcode Fuzzy Hash: 7cc24e7a787b2b3ede11535003d8f78cd35f92f3cb41c811415afe9ab8229cbd
Instruction Fuzzy Hash: 3531C574911328ABCB21DF64D8887DDBBB8AF18310F5041DAE41CA7261EB709F818F64

Function 00D651CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D651DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00D65238
SetErrorMode.KERNEL32(00000000), ref: 00D652A1

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: f90c24e9f9eb661e0f6e49868702013ff0b47079bf75c7e601c5564d7daf7021
Instruction ID: 5cc5e44293d40265e1f75a2f53e10bb0c993f1ef1e8cae934d031b3b13cdd513
Opcode Fuzzy Hash: f90c24e9f9eb661e0f6e49868702013ff0b47079bf75c7e601c5564d7daf7021
Instruction Fuzzy Hash: D3318035A10608DFDB00DF54D8C4EADBBB4FF09314F088099E9059B396CB31E845CB61

Function 00D516C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00D0FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00D10668
Part of subcall function 00D0FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00D10685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D5170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D5173A
GetLastError.KERNEL32 ref: 00D5174A

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: def782786dc86c6d79f8e6ba06b4e5d8639164a3c6546145da2094eb06ffdd05
Instruction ID: 9abfb6deebeb4310af26c70c44ecbaa15dd9eedde8a621d39f4c028987912f09
Opcode Fuzzy Hash: def782786dc86c6d79f8e6ba06b4e5d8639164a3c6546145da2094eb06ffdd05
Instruction Fuzzy Hash: AF11C1B2410305EFD7289F64EC86E6BB7B9EB44755B20852EE85693681EB70FC458B30

Function 00D5D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00D5D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00D5D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00D5D650

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 1c3b2a6ad72a8ab0eb0e8ac214a5b3751e22781cbf626f9f63f81a0a2b7d3a92
Instruction ID: b08ac1b1e1c66ca01309166601777922b204a717c2047d6cd3ac59fb105a4078
Opcode Fuzzy Hash: 1c3b2a6ad72a8ab0eb0e8ac214a5b3751e22781cbf626f9f63f81a0a2b7d3a92
Instruction Fuzzy Hash: AD113C75E05328BBDB208F959C45FAFBBBCEB45B50F108115FD14E7290D6704A058BB1

Function 00D51663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00D5168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00D516A1
FreeSid.ADVAPI32(?), ref: 00D516B1

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 3b0839bbee39f1aa2e31de606d1ae29f31dfdabe6d35a589855dda19dfd20c90
Instruction ID: 0b79910e60e48b646faf8c615280794795bac2c9d8e161e299b64693699f94d2
Opcode Fuzzy Hash: 3b0839bbee39f1aa2e31de606d1ae29f31dfdabe6d35a589855dda19dfd20c90
Instruction Fuzzy Hash: 13F0F475960309FBDF00DFE49C89EAEBBBCEB08645F504565E901E2281E774AA449B60

Function 00D4D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00D4D28C

Strings

X64, xrefs: 00D4D2A8

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: b7e9aa9cee5dc140178a5c7d8fcc788b5630f6a6b0e050f0613891974502a682
Instruction ID: bf2ebc49eeba57c62cf2baefc1f84441dc469c8e0917b5cf4cc3966ca9215874
Opcode Fuzzy Hash: b7e9aa9cee5dc140178a5c7d8fcc788b5630f6a6b0e050f0613891974502a682
Instruction Fuzzy Hash: 0BD0C9B481111DFBCB90CB90DCC8DD9B37CBB04345F100152F14AE2140D77095488F30

Function 00D1CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 1c473ba17c9f684b5210f2ac06a8227521f09a583afa058aa2bc033c102f428a
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: FE022D71E51219ABDF14CFA9E8806EDFBF2EF48314F295169E819E7340DB30AD418B94

Function 00D668EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00D66918
FindClose.KERNEL32(00000000), ref: 00D66961

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: ab442c661cf73ad5281e37ee21a5e34b70e9f53513062d48804de514777c68aa
Instruction ID: ae1a77732fc1c269ad20889b4cf08687b457211008d14be0f01049d41b950faa
Opcode Fuzzy Hash: ab442c661cf73ad5281e37ee21a5e34b70e9f53513062d48804de514777c68aa
Instruction Fuzzy Hash: DF11D0316142059FC710CF69C484A26BBE4FF84328F08C69AE9698F3A2C730EC05CFA1

Function 00D637B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00D74891,?,?,00000035,?), ref: 00D637E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00D74891,?,?,00000035,?), ref: 00D637F4

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: b8404995faceeada80f65ecda9139835867fe9f850c8bebc3203fb2eb4844f13
Instruction ID: 5ea92b2ea8ea7f663841e655f0e12a289ad622f7bbdce286d39a94825a062ed2
Opcode Fuzzy Hash: b8404995faceeada80f65ecda9139835867fe9f850c8bebc3203fb2eb4844f13
Instruction Fuzzy Hash: D3F0E5B17143296BEB2017769C4DFEB3BAEEFC5761F000165F509D2291D9709904C7B0

Function 00D5B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00D5B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00D5B270

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 100905fc2228f17aceb1eb01e6285d17db0b6b935768949537c05c0ca7c8ea41
Instruction ID: 5674493b76f69616d199f98487069376bbcb914271b48bc2e81ddaedc321820f
Opcode Fuzzy Hash: 100905fc2228f17aceb1eb01e6285d17db0b6b935768949537c05c0ca7c8ea41
Instruction Fuzzy Hash: 31F01D7181424DEBDF059FA0C805BAE7BB4FF04315F04904AFD65A5191C779C6159FA4

Function 00D510BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00D511FC), ref: 00D510D4
CloseHandle.KERNEL32(?,?,00D511FC), ref: 00D510E9

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 0196bb920a00df3ecc7441a0d84f5e8d7c5b7d8320f86811799071d4457f76fa
Instruction ID: 25fccb755a9de982c607f6c7772aa751fa7713c9fb270573c7a809b6b3d36220
Opcode Fuzzy Hash: 0196bb920a00df3ecc7441a0d84f5e8d7c5b7d8320f86811799071d4457f76fa
Instruction Fuzzy Hash: DCE01A32024600EEE7252B61FC05F7377A9EB04310B24882DB8A5804B1DB62AC90DB70

Function 00CFCAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00D40C40

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: e6b55e2b8df1236a7cde179b31e74027af868acd5f97aae3737869fe45159dbe
Instruction ID: 57b1e6d7d2062a285700da6228016221607f66c4209444c252de8abb71c41170
Opcode Fuzzy Hash: e6b55e2b8df1236a7cde179b31e74027af868acd5f97aae3737869fe45159dbe
Instruction Fuzzy Hash: 54328B70A0021CDBCF54DF94CA81AFDBBB5BF04304F144069EA16AB292D775AE45DB62

Function 00D2676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00D26766,?,?,00000008,?,?,00D2FEFE,00000000), ref: 00D26998

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: daa7e906b1a0081f1686c5f7f6abbbc375a9d5f7370b2e07d38413f0d5640734
Instruction ID: 0f116003b9c848e4114ac7707c88c44c61dd1c2a8f96df37561e0372a177bd9e
Opcode Fuzzy Hash: daa7e906b1a0081f1686c5f7f6abbbc375a9d5f7370b2e07d38413f0d5640734
Instruction Fuzzy Hash: 17B158316107189FD719CF28D48AB647BA0FF55368F298698E8D9CF2A2C735E981CB50

Function 00D0B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00D4851F

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: da635296685ee8a438338923a14917cb1aa3ecbfa77963ffb5aa0f1df17afa02
Instruction ID: 339092b401d67ca4c9244f0cecf2e40bbf87ff0fdf712ce9ae87d8a3be0b9753
Opcode Fuzzy Hash: da635296685ee8a438338923a14917cb1aa3ecbfa77963ffb5aa0f1df17afa02
Instruction Fuzzy Hash: 65124E759042299FDB14CF58C8807AEB7F5FF48710F14819AE849EB295DB34DA81DFA0

Function 00D6EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00D6EABD

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 49f5f82533c67b4d6970398d464a640554758fd1a7702bae6af6d3d7c55f8e86
Instruction ID: 2bd483bd132699d9140a22456debfde1923438842e73f0086715e039ca119e63
Opcode Fuzzy Hash: 49f5f82533c67b4d6970398d464a640554758fd1a7702bae6af6d3d7c55f8e86
Instruction Fuzzy Hash: DFE04F352102099FC710EF99D845E9AF7E9AF98760F008426FD49C7361DB70EC408BA1

Function 00D109D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00D103EE), ref: 00D109DA

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b9e080940723d44a9d05696495645015100e0fe1b86c253bd678d869b7f86b34
Instruction ID: d0f25ade91ee057b7509b138c6885b7ee3f0c60428fa1089c7874c7bb9d6091f
Opcode Fuzzy Hash: b9e080940723d44a9d05696495645015100e0fe1b86c253bd678d869b7f86b34
Instruction Fuzzy Hash:

Function 00D1781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00D1798B

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 3412287453167c5b967cc4650dfe9e704d3b4be6a76dab6e92bd0a81cd5ebbd7
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: B051487164C60577DB388568B8597FE63B5DB02340F1C050AE886D72B2CE15DECAE772

Function 00D26DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65e594a3d9d9cb5cdde934bec815466afe2fdfeaa873a1697ddd36ab00d33f99
Instruction ID: c9526832d177eacc45c5c6ce4b456f56a95f46c0bece852c98ed7b4a303f4abb
Opcode Fuzzy Hash: 65e594a3d9d9cb5cdde934bec815466afe2fdfeaa873a1697ddd36ab00d33f99
Instruction Fuzzy Hash: F1325622D29F114DD7339634EC62335A289AFB73C9F15C737F81AB5AA9EB28C4834150

Function 00D0CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed4e5b96251176d4c2d4764ff35b169c911b1ca198d4c8c2452e8fb790043ddb
Instruction ID: 5406bd6f5ad7ee06140312179dd878f4590f0926aa8b963efe81df34442bb0cd
Opcode Fuzzy Hash: ed4e5b96251176d4c2d4764ff35b169c911b1ca198d4c8c2452e8fb790043ddb
Instruction Fuzzy Hash: CA322531A211158BDF68CF29C4D067D77A1EB85304F2DA66AD48ADB2D2E330DD81DB74

Function 00CF7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 238c99e61d10272874f91081b6c19d8d5702cbca8f69bd93b6d66ba98ce7a448
Instruction ID: e5aa8422ecc4e54d11d57441da632325b439c7738ec420e469e11a977eb66974
Opcode Fuzzy Hash: 238c99e61d10272874f91081b6c19d8d5702cbca8f69bd93b6d66ba98ce7a448
Instruction Fuzzy Hash: 2F22D170A00609DFDF14CF65D881ABEB7F6FF44300F244229E816A7295EB36AE51DB61

Function 00CF91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eee5e3568eb1618aa3a0f416f11d00671cd891ad0154a55b4e7fbdcc71be5c2b
Instruction ID: dc2aa5b76fe1d5f19f8f41f64fe906894370036b4e29d0e74495b0e373e38e31
Opcode Fuzzy Hash: eee5e3568eb1618aa3a0f416f11d00671cd891ad0154a55b4e7fbdcc71be5c2b
Instruction Fuzzy Hash: 2302A4B0A00209EBDF14DF54D881BAEB7B1FF44300F258165E91A9B3D1EB31EA55DBA1

Function 00D29EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88ad02a8a2dd1602a3bdc38badf873efb52b2939cd8bc332f79ac2cf7fba0526
Instruction ID: c4b0507931dc8a1c83c2a2a58cc23ac0831578a081b1ee639d1b529f82738293
Opcode Fuzzy Hash: 88ad02a8a2dd1602a3bdc38badf873efb52b2939cd8bc332f79ac2cf7fba0526
Instruction Fuzzy Hash: 7CB11520D6AF505DD32396399831336B75CAFBB6D5F91D71BFC16B4E22EB2185834140

Function 00D11C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 4caeab93a62d1df8d9a1a2688f86bb2965c2190b83af8dcd972093ae2f811e9f
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 0591897A2080A359DB29467EB5740BEFFE15A923A131E079DE5F2CA1C1FE20C598D630

Function 00D11F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: ca44ebf28ae5e8326da09b41dfbf5ffc43568b2abafbcc23b5e9b51b71480f8d
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 699199772091E32ADB298239A4740BDFFE15A923A131E079DD5F2CB1C5EE25C5E8D630

Function 00D119B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 6eb9363a5a03a8a50a14faf40901f381f2a0dc466d048026aa1ea66fa80bda3e
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 3691C57A20D0A31ADB2D427AA5740BEFFE15A923A131E079DD5F2CA1C1FD24C5D9DA30

Function 00D17A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7955813fa2534748ca84c1b038bbed79a263202e7e577ea7d99a8f419fcffb9
Instruction ID: b03423b9d961c5ef3ac120892585764239ede2ffe0d716217efce74af7ce35a0
Opcode Fuzzy Hash: e7955813fa2534748ca84c1b038bbed79a263202e7e577ea7d99a8f419fcffb9
Instruction Fuzzy Hash: 1E61477160C70976DA349A68BA95BFE23B5DF41700F280919F886DB2B1DF11DEC28375

Function 00D17CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a3042be6867e4bc7af9f65f8ab410fd9b675eacdf22849c2c0fa1215569d813
Instruction ID: 533feb48ae7216741b0ae3df695d05446c8df41d985168543694dc641d1a9423
Opcode Fuzzy Hash: 5a3042be6867e4bc7af9f65f8ab410fd9b675eacdf22849c2c0fa1215569d813
Instruction Fuzzy Hash: AC61476160870EF6DA388A687851BFE23F4EF41704F180959F882CB2B1DE12DDC29275

Function 00D11706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: fea64b0c3fdee8ec8d1dabe5ab9377f9e97dfa9ca6d04d99d0e1e47ee162d069
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 5981987A6090A36DDB6D423DA5340BEFFE15A923A131E079DD5F2CB1C1EE24C598DA30

Function 00D62046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0319bd9f12f35c4e25b3ba0e7b394f79cc3c7f252b4cbf60c44eb53756b99aca
Instruction ID: 071cef21ed55733e8c2567d761be936bbb2ac9db1ac0d8c55b1db197f80fd1e0
Opcode Fuzzy Hash: 0319bd9f12f35c4e25b3ba0e7b394f79cc3c7f252b4cbf60c44eb53756b99aca
Instruction Fuzzy Hash: EE21BB326606168BD728CF79C81367E73E5A754310F19862EE4A7C37D0DE35A904C760

Function 00D72ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00D72B30
DeleteObject.GDI32(00000000), ref: 00D72B43
DestroyWindow.USER32 ref: 00D72B52
GetDesktopWindow.USER32 ref: 00D72B6D
GetWindowRect.USER32(00000000), ref: 00D72B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00D72CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00D72CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D72CF8
GetClientRect.USER32(00000000,?), ref: 00D72D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00D72D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D72D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D72D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D72D80
GlobalLock.KERNEL32(00000000), ref: 00D72D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D72D98
GlobalUnlock.KERNEL32(00000000), ref: 00D72DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D72DA8
GlobalFree.KERNEL32(00000000), ref: 00D72DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D72DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00D8FC38,00000000), ref: 00D72DDB
GlobalFree.KERNEL32(00000000), ref: 00D72DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00D72E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00D72E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D72E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D7303F

Strings

static, xrefs: 00D72D3A, 00D72E91
AutoIt v3, xrefs: 00D72CF2
DISPLAY, xrefs: 00D72EA2
, xrefs: 00D72FC5

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 26f15399841e86d3ba4b89c4c0a7732feb0ffa51d2b86c2087fd3b344ca7d385
Instruction ID: ca3611678965cdf0daafb5e2b738ce111570a7eaaf26787abeb30760ab243479
Opcode Fuzzy Hash: 26f15399841e86d3ba4b89c4c0a7732feb0ffa51d2b86c2087fd3b344ca7d385
Instruction Fuzzy Hash: 3C025775910219EFDB14DFA4CC89EAE7BB9EB49710F048118F919EB2A1DB74AD01CB70

Function 00D870D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00D8712F
GetSysColorBrush.USER32(0000000F), ref: 00D87160
GetSysColor.USER32(0000000F), ref: 00D8716C
SetBkColor.GDI32(?,000000FF), ref: 00D87186
SelectObject.GDI32(?,?), ref: 00D87195
InflateRect.USER32(?,000000FF,000000FF), ref: 00D871C0
GetSysColor.USER32(00000010), ref: 00D871C8
CreateSolidBrush.GDI32(00000000), ref: 00D871CF
FrameRect.USER32(?,?,00000000), ref: 00D871DE
DeleteObject.GDI32(00000000), ref: 00D871E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00D87230
FillRect.USER32(?,?,?), ref: 00D87262
GetWindowLongW.USER32(?,000000F0), ref: 00D87284

Part of subcall function 00D873E8: GetSysColor.USER32(00000012), ref: 00D87421
Part of subcall function 00D873E8: SetTextColor.GDI32(?,?), ref: 00D87425
Part of subcall function 00D873E8: GetSysColorBrush.USER32(0000000F), ref: 00D8743B
Part of subcall function 00D873E8: GetSysColor.USER32(0000000F), ref: 00D87446
Part of subcall function 00D873E8: GetSysColor.USER32(00000011), ref: 00D87463
Part of subcall function 00D873E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00D87471
Part of subcall function 00D873E8: SelectObject.GDI32(?,00000000), ref: 00D87482
Part of subcall function 00D873E8: SetBkColor.GDI32(?,00000000), ref: 00D8748B
Part of subcall function 00D873E8: SelectObject.GDI32(?,?), ref: 00D87498
Part of subcall function 00D873E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00D874B7
Part of subcall function 00D873E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00D874CE
Part of subcall function 00D873E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00D874DB

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: cc4cec5bd407ccbb56a7d2522b4a58a784b8b7028881297130036085e982a2ca
Instruction ID: 0333fdb9a40e2641d7f2716d824e774cc1ccfaf5a50f96ec6023d1b91937b758
Opcode Fuzzy Hash: cc4cec5bd407ccbb56a7d2522b4a58a784b8b7028881297130036085e982a2ca
Instruction Fuzzy Hash: 02A17F72028301EFDB10AF64DC48B5A7BA9FB49320F241A19F9A2D62E1D775E9448B71

Function 00D08D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00D08E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00D46AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00D46AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00D46F43

Part of subcall function 00D08F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00D08BE8,?,00000000,?,?,?,?,00D08BBA,00000000,?), ref: 00D08FC5

SendMessageW.USER32(?,00001053), ref: 00D46F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00D46F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00D46FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00D46FB7

Strings

0, xrefs: 00D46DCF

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: ddd530abeb947cf5d4794484ef95d19709a8f5db0034d1ffba2f8d527304b950
Instruction ID: e3f87c567ccc4827d10ecb4d1bfbf3d5bbe3c587d738415f858a6f51282dee05
Opcode Fuzzy Hash: ddd530abeb947cf5d4794484ef95d19709a8f5db0034d1ffba2f8d527304b950
Instruction Fuzzy Hash: 4D128C34600212DFDB25CF24C884BA5BBE5FB46301F584469F59ADB2A2CB32E851DF72

Function 00D72711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00D7273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00D7286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00D728A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00D728B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00D72900
GetClientRect.USER32(00000000,?), ref: 00D7290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00D72955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00D72964
GetStockObject.GDI32(00000011), ref: 00D72974
SelectObject.GDI32(00000000,00000000), ref: 00D72978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00D72988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D72991
DeleteDC.GDI32(00000000), ref: 00D7299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00D729C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00D729DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00D72A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00D72A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00D72A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00D72A77
GetStockObject.GDI32(00000011), ref: 00D72A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00D72A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00D72A97

Strings

msctls_progress32, xrefs: 00D72A13
static, xrefs: 00D7294F, 00D72A71
AutoIt v3, xrefs: 00D728F8
DISPLAY, xrefs: 00D7295A

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 348d471aa9bb15d1e68abf125ad2892a041c7b48d74fa950135489411a15985d
Instruction ID: bbad835b6696205e5c1bbfb5c226d23a1632e59528c0648b3623ecee2cf405f0
Opcode Fuzzy Hash: 348d471aa9bb15d1e68abf125ad2892a041c7b48d74fa950135489411a15985d
Instruction Fuzzy Hash: 37B14C75A1021AAFEB14DF68DD89FAA7BB9EB04714F008214FA15E7291D774ED40CBA0

Function 00D64ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D64AED
GetDriveTypeW.KERNEL32(?,00D8CB68,?,\\.\,00D8CC08), ref: 00D64BCA
SetErrorMode.KERNEL32(00000000,00D8CB68,?,\\.\,00D8CC08), ref: 00D64D36

Strings

CDROM, xrefs: 00D64BFB
\\.\, xrefs: 00D64B3F
MMC, xrefs: 00D64CDE
Network, xrefs: 00D64C02
Removable, xrefs: 00D64C10, 00D64C15
PhysicalDrive, xrefs: 00D64B76
RAID, xrefs: 00D64CBB
USB, xrefs: 00D64CB4
SSA, xrefs: 00D64CA6
RAMDisk, xrefs: 00D64BF4
SCSI, xrefs: 00D64C8A
iSCSI, xrefs: 00D64CC2
SAS, xrefs: 00D64CC9
Unknown, xrefs: 00D64BED, 00D64C83
Virtual, xrefs: 00D64CE5
Fibre, xrefs: 00D64CAD
ATAPI, xrefs: 00D64C91
SATA, xrefs: 00D64CD0
Fixed, xrefs: 00D64C09
SSD, xrefs: 00D64C4A
ATA, xrefs: 00D64C98
1394, xrefs: 00D64C9F
FileBackedVirtual, xrefs: 00D64CEC

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 7f96d0938e4ab74f8a9afd08b20e9b1c0c1545962d7bde4687c785926cfcef47
Instruction ID: 2874ca5f493f639e468e3ea5dbdc4a010b5c04a1644edca769de8def6fa0a413
Opcode Fuzzy Hash: 7f96d0938e4ab74f8a9afd08b20e9b1c0c1545962d7bde4687c785926cfcef47
Instruction Fuzzy Hash: 8161CF7060120ADFCB44DF28CA829B97BB1EF44340B298415F847AB391DB39ED45EB72

Function 00D873E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00D87421
SetTextColor.GDI32(?,?), ref: 00D87425
GetSysColorBrush.USER32(0000000F), ref: 00D8743B
GetSysColor.USER32(0000000F), ref: 00D87446
CreateSolidBrush.GDI32(?), ref: 00D8744B
GetSysColor.USER32(00000011), ref: 00D87463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00D87471
SelectObject.GDI32(?,00000000), ref: 00D87482
SetBkColor.GDI32(?,00000000), ref: 00D8748B
SelectObject.GDI32(?,?), ref: 00D87498
InflateRect.USER32(?,000000FF,000000FF), ref: 00D874B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00D874CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00D874DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00D8752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00D87554
InflateRect.USER32(?,000000FD,000000FD), ref: 00D87572
DrawFocusRect.USER32(?,?), ref: 00D8757D
GetSysColor.USER32(00000011), ref: 00D8758E
SetTextColor.GDI32(?,00000000), ref: 00D87596
DrawTextW.USER32(?,00D870F5,000000FF,?,00000000), ref: 00D875A8
SelectObject.GDI32(?,?), ref: 00D875BF
DeleteObject.GDI32(?), ref: 00D875CA
SelectObject.GDI32(?,?), ref: 00D875D0
DeleteObject.GDI32(?), ref: 00D875D5
SetTextColor.GDI32(?,?), ref: 00D875DB
SetBkColor.GDI32(?,?), ref: 00D875E5

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 0b585b277815a2b281e31613fa0559ef737b12aa5b8cffd2d695626dd4a9feaa
Instruction ID: c5749c89c86ebb20d26e1e7853c532303ea74fcc566a3690e2b1ad583155837e
Opcode Fuzzy Hash: 0b585b277815a2b281e31613fa0559ef737b12aa5b8cffd2d695626dd4a9feaa
Instruction Fuzzy Hash: CB615D72910218EFDF019FA8DC49EAE7FB9EB08320F255155F915EB2A1D7749940CBB0

Function 00D80FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00D81128
GetDesktopWindow.USER32 ref: 00D8113D
GetWindowRect.USER32(00000000), ref: 00D81144
GetWindowLongW.USER32(?,000000F0), ref: 00D81199
DestroyWindow.USER32(?), ref: 00D811B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00D811ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D8120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00D8121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00D81232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00D81245
IsWindowVisible.USER32(00000000), ref: 00D812A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00D812BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00D812D0
GetWindowRect.USER32(00000000,?), ref: 00D812E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00D8130E
GetMonitorInfoW.USER32(00000000,?), ref: 00D81328
CopyRect.USER32(?,?), ref: 00D8133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00D813AA

Strings

0, xrefs: 00D810D3
tooltips_class32, xrefs: 00D811E6
(, xrefs: 00D8131B

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 76de9074d58632048bffb452e1cecc5972b229f5ca57a381f3c3fda2e921d9ad
Instruction ID: c7cd0a38c273b4773501b9198a474beb917cdf3705dc45b9c971e616696a7e78
Opcode Fuzzy Hash: 76de9074d58632048bffb452e1cecc5972b229f5ca57a381f3c3fda2e921d9ad
Instruction Fuzzy Hash: 30B18D71614341EFD750EF64C885B6EBBE8FF84350F008918F9999B2A1D731E849CBA2

Function 00D08891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00D08968
GetSystemMetrics.USER32(00000007), ref: 00D08970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00D0899B
GetSystemMetrics.USER32(00000008), ref: 00D089A3
GetSystemMetrics.USER32(00000004), ref: 00D089C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00D089E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00D089F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00D08A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00D08A3C
GetClientRect.USER32(00000000,000000FF), ref: 00D08A5A
GetStockObject.GDI32(00000011), ref: 00D08A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00D08A81

Part of subcall function 00D0912D: GetCursorPos.USER32(?), ref: 00D09141
Part of subcall function 00D0912D: ScreenToClient.USER32(00000000,?), ref: 00D0915E
Part of subcall function 00D0912D: GetAsyncKeyState.USER32(00000001), ref: 00D09183
Part of subcall function 00D0912D: GetAsyncKeyState.USER32(00000002), ref: 00D0919D

SetTimer.USER32(00000000,00000000,00000028,00D090FC), ref: 00D08AA8

Strings

AutoIt v3 GUI, xrefs: 00D08A20

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: fdb1eb14296a133f869a61310793e64fdd20ac10e57053e188249a106e2a76db
Instruction ID: adafc0792ed396ce9c86be1932e7798b3bf10535e9d5587fc131021f77b73b34
Opcode Fuzzy Hash: fdb1eb14296a133f869a61310793e64fdd20ac10e57053e188249a106e2a76db
Instruction Fuzzy Hash: 4EB15A75A1020AEFDB14DFA8DC55BAA3BA5EB49314F144229FA56E72D0DB30E840CF71

Function 00D50D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D510F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D51114
Part of subcall function 00D510F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00D50B9B,?,?,?), ref: 00D51120
Part of subcall function 00D510F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00D50B9B,?,?,?), ref: 00D5112F
Part of subcall function 00D510F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00D50B9B,?,?,?), ref: 00D51136
Part of subcall function 00D510F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D5114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00D50DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00D50E29
GetLengthSid.ADVAPI32(?), ref: 00D50E40
GetAce.ADVAPI32(?,00000000,?), ref: 00D50E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00D50E96
GetLengthSid.ADVAPI32(?), ref: 00D50EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00D50EB5
HeapAlloc.KERNEL32(00000000), ref: 00D50EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00D50EDD
CopySid.ADVAPI32(00000000), ref: 00D50EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00D50F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00D50F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00D50F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D50F6E
HeapFree.KERNEL32(00000000), ref: 00D50F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D50F7E
HeapFree.KERNEL32(00000000), ref: 00D50F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D50F8E
HeapFree.KERNEL32(00000000), ref: 00D50F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00D50FA1
HeapFree.KERNEL32(00000000), ref: 00D50FA8

Part of subcall function 00D51193: GetProcessHeap.KERNEL32(00000008,00D50BB1,?,00000000,?,00D50BB1,?), ref: 00D511A1
Part of subcall function 00D51193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00D50BB1,?), ref: 00D511A8
Part of subcall function 00D51193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00D50BB1,?), ref: 00D511B7

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 2e44d467c31eef1e1871f4c1231a642ca042fc8297555532f39c64b5f83baa7a
Instruction ID: 4de5deb2b7d104aee8d253434eef38caaef224dc9584c3cd0676bf2769bdc3b2
Opcode Fuzzy Hash: 2e44d467c31eef1e1871f4c1231a642ca042fc8297555532f39c64b5f83baa7a
Instruction Fuzzy Hash: 7E7149B291430AEBDF209FA4DC49FAEBBB8AF04341F184115FD19E6291D7319909CB70

Function 00D7C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D7C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00D8CC08,00000000,?,00000000,?,?), ref: 00D7C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00D7C5A4
_wcslen.LIBCMT ref: 00D7C5F4
_wcslen.LIBCMT ref: 00D7C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00D7C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00D7C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00D7C84D
RegCloseKey.ADVAPI32(?), ref: 00D7C881
RegCloseKey.ADVAPI32(00000000), ref: 00D7C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00D7C960

Strings

REG_SZ, xrefs: 00D7C644
REG_BINARY, xrefs: 00D7C913
REG_DWORD, xrefs: 00D7C804
REG_QWORD, xrefs: 00D7C8C3
REG_EXPAND_SZ, xrefs: 00D7C5CD
REG_MULTI_SZ, xrefs: 00D7C6F5

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 2ff8e8e738e592215978b7d16229fbf6bbb4f0de328d697831c3e130868a90bd
Instruction ID: 704e36b7bc23ea6350cbec055de1b64fe19f18e61aa53d3daeaee854b109ab19
Opcode Fuzzy Hash: 2ff8e8e738e592215978b7d16229fbf6bbb4f0de328d697831c3e130868a90bd
Instruction Fuzzy Hash: 341269356142019FC714DF14C881A2AB7E5FF88714F09895CF98A9B3A2EB31FD45DBA2

Function 00D8091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00D809C6
_wcslen.LIBCMT ref: 00D80A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00D80A54
_wcslen.LIBCMT ref: 00D80A8A
_wcslen.LIBCMT ref: 00D80B06
_wcslen.LIBCMT ref: 00D80B81

Part of subcall function 00D0F9F2: _wcslen.LIBCMT ref: 00D0F9FD

Part of subcall function 00D52BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D52BFA

Strings

ISCHECKED, xrefs: 00D80CE1
EXISTS, xrefs: 00D80B7C, 00D80B97
GETITEMCOUNT, xrefs: 00D80C1E
SELECT, xrefs: 00D80D11
EXPAND, xrefs: 00D80BF8
UNCHECK, xrefs: 00D80D3E
COLLAPSE, xrefs: 00D80B01, 00D80B1C
GETTOTALCOUNT, xrefs: 00D809F2, 00D80A17
CHECK, xrefs: 00D80A85, 00D80AA0
GETTEXT, xrefs: 00D80C97
GETSELECTED, xrefs: 00D80C4E

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 02c414c7081de8fac815178a396210db761ed8ad0aa4185c0624fd86a9448b02
Instruction ID: 23c4e3286897085f58c79f6e94c3a8bd762796d8316b954de5fe62810dba577c
Opcode Fuzzy Hash: 02c414c7081de8fac815178a396210db761ed8ad0aa4185c0624fd86a9448b02
Instruction Fuzzy Hash: E3E19E31208301DFCB54EF24C45096ABBE1FF98314B15895DF89A9B7A2D730ED49CBA2

Function 00D7C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D7B6AE,?,?), ref: 00D7C9B5
_wcslen.LIBCMT ref: 00D7C9F1
_wcslen.LIBCMT ref: 00D7CA68
_wcslen.LIBCMT ref: 00D7CA9E
_wcslen.LIBCMT ref: 00D7CAF9
_wcslen.LIBCMT ref: 00D7CB2F
_wcslen.LIBCMT ref: 00D7CB7F

Strings

HKCC, xrefs: 00D7CBAC
HKLM, xrefs: 00D7CA98, 00D7CA9D
HKEY_CURRENT_USER, xrefs: 00D7CBBD
HKEY_USERS, xrefs: 00D7CBDF
HKCU, xrefs: 00D7CBCE
HKCR, xrefs: 00D7CB29, 00D7CB2E
HKEY_CURRENT_CONFIG, xrefs: 00D7CB79, 00D7CB7E
HKU, xrefs: 00D7CBF0
HKEY_CLASSES_ROOT, xrefs: 00D7CAF3, 00D7CAF8
HKEY_LOCAL_MACHINE, xrefs: 00D7CA62, 00D7CA67

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 6af8addab213f01a3072afc1f093631e92506cb0c3bac90e66720c254cc472ec
Instruction ID: 09a31a8e902b7ecb49344b817a79f9628a7180f002550b3e2b4f716e39981495
Opcode Fuzzy Hash: 6af8addab213f01a3072afc1f093631e92506cb0c3bac90e66720c254cc472ec
Instruction Fuzzy Hash: 6871E63262012A8FCB20DE7CD9426FE3391ABA4754B29952DF85E97284FA31CD4587B0

Function 00D8833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D8835A
_wcslen.LIBCMT ref: 00D8836E
_wcslen.LIBCMT ref: 00D88391
_wcslen.LIBCMT ref: 00D883B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00D883F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00D8361A,?), ref: 00D8844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00D88487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00D884CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00D88501
FreeLibrary.KERNEL32(?), ref: 00D8850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00D8851D
DestroyIcon.USER32(?), ref: 00D8852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00D88549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00D88555

Strings

.dll, xrefs: 00D883AB
.exe, xrefs: 00D88388
.icl, xrefs: 00D88368

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: be6eb85806a5b42e25bb9e9c543288b8428bcec28e5464944db7ecb343d2c738
Instruction ID: 744fcd876b1f5fb7945258cfab01a618cf85599bced440cfa33a0b20444e443a
Opcode Fuzzy Hash: be6eb85806a5b42e25bb9e9c543288b8428bcec28e5464944db7ecb343d2c738
Instruction Fuzzy Hash: 9261CD7251020AFAEB14AF64DC81BFE77A8EF04B21F504649F815E61D1DB74A980EBB0

Function 00CF7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-start, xrefs: 00CF785F, 00CF78B1
#comments-end, xrefs: 00CF78D9
#include, xrefs: 00CF7847
#OnAutoItStartRegister, xrefs: 00CF7817
#cs, xrefs: 00CF7873, 00CF78C5
', xrefs: 00D35169
#ce, xrefs: 00CF78ED
Bad directive syntax error, xrefs: 00D3519A
", xrefs: 00D35153
Unterminated group of comments, xrefs: 00D3528C
Cannot parse #include, xrefs: 00D35279
#include-once, xrefs: 00CF782F
#notrayicon, xrefs: 00CF77E7
#pragma compile, xrefs: 00CF77D3
#requireadmin, xrefs: 00CF77FF

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: bce33352fbcff6c932c41a61fd03b53da0805426fff08918b5f21552c85d0b01
Instruction ID: deaf72c641e5565cf81a7caf3b1c75be24941b756fe9708cbf767832ebdc7f96
Opcode Fuzzy Hash: bce33352fbcff6c932c41a61fd03b53da0805426fff08918b5f21552c85d0b01
Instruction Fuzzy Hash: 02810271A04209BBDF65BF60EC42FBE37A8EF15300F044125FA04AA196EB71DA55D7B2

Function 00D63E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00D63EF8
_wcslen.LIBCMT ref: 00D63F03
_wcslen.LIBCMT ref: 00D63F5A
_wcslen.LIBCMT ref: 00D63F98
GetDriveTypeW.KERNEL32(?), ref: 00D63FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D6401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D64059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D64087

Strings

wait, xrefs: 00D64044
type cdaudio alias cd wait, xrefs: 00D64001
open , xrefs: 00D63FE5
close cd wait, xrefs: 00D64072
close, xrefs: 00D63EFE, 00D63F18
set cd door , xrefs: 00D64028
closed, xrefs: 00D63F08, 00D63F2D, 00D63F46, 00D63F7E, 00D63F97
open, xrefs: 00D63F54, 00D63F59

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: d338add74acbabb88ad1d551fb99a58f24a2bdd6461912cc758a4f6cecdd33fc
Instruction ID: cf0c59068239251cd1f99af8db884dbc5db5950c32a7d69bf739f2f9a14afccc
Opcode Fuzzy Hash: d338add74acbabb88ad1d551fb99a58f24a2bdd6461912cc758a4f6cecdd33fc
Instruction Fuzzy Hash: 8271D2326043169FC710DF24C8819BABBF4EF94754F04492DF99697291EB31DD49CB62

Function 00D55A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00D55A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00D55A40
SetWindowTextW.USER32(?,?), ref: 00D55A57
GetDlgItem.USER32(?,000003EA), ref: 00D55A6C
SetWindowTextW.USER32(00000000,?), ref: 00D55A72
GetDlgItem.USER32(?,000003E9), ref: 00D55A82
SetWindowTextW.USER32(00000000,?), ref: 00D55A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00D55AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00D55AC3
GetWindowRect.USER32(?,?), ref: 00D55ACC
_wcslen.LIBCMT ref: 00D55B33
SetWindowTextW.USER32(?,?), ref: 00D55B6F
GetDesktopWindow.USER32 ref: 00D55B75
GetWindowRect.USER32(00000000), ref: 00D55B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00D55BD3
GetClientRect.USER32(?,?), ref: 00D55BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00D55C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00D55C2F

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 35b1080dafaacfb5379c845e1eb47756572d5ff4adbfa8b028538786a4c4f74f
Instruction ID: a3765bf39bc24504ababf887c54ea18e21c52da65d9b2f493f82479b8efefc3f
Opcode Fuzzy Hash: 35b1080dafaacfb5379c845e1eb47756572d5ff4adbfa8b028538786a4c4f74f
Instruction Fuzzy Hash: 54718B31910B05EFCB21DFA8DE59B6EBBF5FF48705F140518E982A26A4D775E904CB20

Function 00D6FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00D6FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00D6FE32
LoadCursorW.USER32(00000000,00007F00), ref: 00D6FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00D6FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00D6FE53
LoadCursorW.USER32(00000000,00007F01), ref: 00D6FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00D6FE69
LoadCursorW.USER32(00000000,00007F88), ref: 00D6FE74
LoadCursorW.USER32(00000000,00007F80), ref: 00D6FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00D6FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00D6FE95
LoadCursorW.USER32(00000000,00007F85), ref: 00D6FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00D6FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00D6FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00D6FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00D6FECC
GetCursorInfo.USER32(?), ref: 00D6FEDC
GetLastError.KERNEL32 ref: 00D6FF1E

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: c7f163b72834b77b18d9fca732bd996186bb36c88c802d6e06c63fe6b31110f7
Instruction ID: e31dcd62d82d5400cdb107604e7657e869315c42a75a1ef77938ea1da342558a
Opcode Fuzzy Hash: c7f163b72834b77b18d9fca732bd996186bb36c88c802d6e06c63fe6b31110f7
Instruction Fuzzy Hash: 984174B0D04319ABDB10DFBA9C8585EBFE8FF04754B54452AE11DE7281DB789901CFA1

Function 00D100C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00D100C6

Part of subcall function 00D100ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00DC070C,00000FA0,E3DF99E6,?,?,?,?,00D323B3,000000FF), ref: 00D1011C
Part of subcall function 00D100ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00D323B3,000000FF), ref: 00D10127
Part of subcall function 00D100ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00D323B3,000000FF), ref: 00D10138
Part of subcall function 00D100ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00D1014E
Part of subcall function 00D100ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00D1015C
Part of subcall function 00D100ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00D1016A
Part of subcall function 00D100ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00D10195
Part of subcall function 00D100ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00D101A0

___scrt_fastfail.LIBCMT ref: 00D100E7

Part of subcall function 00D100A3: __onexit.LIBCMT ref: 00D100A9

Strings

kernel32.dll, xrefs: 00D10133
SleepConditionVariableCS, xrefs: 00D10154
InitializeConditionVariable, xrefs: 00D10148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00D10122
WakeAllConditionVariable, xrefs: 00D10162

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: fe36162f07a8bf8cc0418c301af4e5a6192937125bfc3203c34aeb53189e51e7
Instruction ID: f1c77eea627d8304cf41e0d3abb42d26af687f276c9c2792c6d834926a9beacb
Opcode Fuzzy Hash: fe36162f07a8bf8cc0418c301af4e5a6192937125bfc3203c34aeb53189e51e7
Instruction Fuzzy Hash: C121B032A64711FFE7217B64BC49BAA3A94EB04B61F140129F901E27D1DEB498C48BB0

Function 00D530F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D5318D
_wcslen.LIBCMT ref: 00D531F8

Strings

REGEXPCLASS, xrefs: 00D53255, 00D53266
INSTANCE, xrefs: 00D53453
CLASS, xrefs: 00D53188, 00D531A5
NAME, xrefs: 00D53335, 00D53346
CLASSNN, xrefs: 00D531F3, 00D53204
TEXT, xrefs: 00D5347C

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 79f9a5e61de42f521eafa7b0e61a41c41c00c0fe28634a787a0c5e257fe27b08
Instruction ID: e39618ff48daa8d20bebd6f0adcf4599f120520b69c94829f343341aac21d644
Opcode Fuzzy Hash: 79f9a5e61de42f521eafa7b0e61a41c41c00c0fe28634a787a0c5e257fe27b08
Instruction Fuzzy Hash: ADE18432A00616ABCF149F78C4517EDBBB4FF54791F688119EC56A7240DB30AE8D9BB0

Function 00D644C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00D8CC08), ref: 00D64527
_wcslen.LIBCMT ref: 00D6453B
_wcslen.LIBCMT ref: 00D64599
_wcslen.LIBCMT ref: 00D645F4
_wcslen.LIBCMT ref: 00D6463F
_wcslen.LIBCMT ref: 00D646A7

Part of subcall function 00D0F9F2: _wcslen.LIBCMT ref: 00D0F9FD

GetDriveTypeW.KERNEL32(?,00DB6BF0,00000061), ref: 00D64743

Strings

fixed, xrefs: 00D64635, 00D6463A
ramdisk, xrefs: 00D646F1
unknown, xrefs: 00D64708
network, xrefs: 00D6469D, 00D646A2
all, xrefs: 00D64531, 00D64536
cdrom, xrefs: 00D6458F, 00D64594
removable, xrefs: 00D645EA, 00D645EF

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 244601bc261746e6ff88efe3e94f2675486206bf9db9193fc04b8d547351bde5
Instruction ID: c143891d1bfa7e253cbc85d5ea7f470d1d815b40214607c558a4c0321dc6d371
Opcode Fuzzy Hash: 244601bc261746e6ff88efe3e94f2675486206bf9db9193fc04b8d547351bde5
Instruction Fuzzy Hash: 20B1D0716083029FC714DF28D890ABAB7E5EFA5760F54891DF596C7291DB30D848CBB2

Function 00D73FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00D8CC08), ref: 00D740BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00D740CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00D8CC08), ref: 00D740F2
FreeLibrary.KERNEL32(00000000,?,00D8CC08), ref: 00D7413E
StringFromGUID2.OLE32(?,?,00000028,?,00D8CC08), ref: 00D741A8
SysFreeString.OLEAUT32(00000009), ref: 00D74262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00D742C8
SysFreeString.OLEAUT32(?), ref: 00D742F2

Strings

kernel32.dll, xrefs: 00D740B6
GetModuleHandleExW, xrefs: 00D740C7

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 9ef4324b0564b31072afb4ac52e0f4ef8fb8ee66956171ffafd7d7f5a1fd74d0
Instruction ID: af58bc45f880932436ee118ee5ad189d4788b3b64488a38b5b3941bdecbfc27a
Opcode Fuzzy Hash: 9ef4324b0564b31072afb4ac52e0f4ef8fb8ee66956171ffafd7d7f5a1fd74d0
Instruction Fuzzy Hash: 2E125C71A00219EFDB15DF94C884EAEB7B5FF45318F28C098E9099B251E771ED46CBA0

Function 00CF326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00DC1990), ref: 00D32F8D
GetMenuItemCount.USER32(00DC1990), ref: 00D3303D
GetCursorPos.USER32(?), ref: 00D33081
SetForegroundWindow.USER32(00000000), ref: 00D3308A
TrackPopupMenuEx.USER32(00DC1990,00000000,?,00000000,00000000,00000000), ref: 00D3309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00D330A9

Strings

0, xrefs: 00CF327D

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: d2f159653b1ee553b8c94ef862233e93f8e82c212958f840188fb14948cea77b
Instruction ID: 2c33139681b566e5075fb04bb53a3f953340a1d572071c613375c7576fd5067b
Opcode Fuzzy Hash: d2f159653b1ee553b8c94ef862233e93f8e82c212958f840188fb14948cea77b
Instruction Fuzzy Hash: 3B713A3064024ABEEB259F25CC49FBABF64FF01364F244216FA24A62E1C7B1A914D771

Function 00D86CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00D86DEB

Part of subcall function 00CF6B57: _wcslen.LIBCMT ref: 00CF6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00D86E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00D86E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D86E94
DestroyWindow.USER32(?), ref: 00D86EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00CF0000,00000000), ref: 00D86EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D86EFD
GetDesktopWindow.USER32 ref: 00D86F16
GetWindowRect.USER32(00000000), ref: 00D86F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00D86F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00D86F4D

Part of subcall function 00D09944: GetWindowLongW.USER32(?,000000EB), ref: 00D09952

Strings

0, xrefs: 00D86D98
tooltips_class32, xrefs: 00D86E58, 00D86EDD

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 947c91e2c8955588935510e9dc6a9f903c6b74d64488440af73b3b2a82d49c9e
Instruction ID: 822474d689e5de657676964200bef1182e31c96147814bcd5076e51a4b81d093
Opcode Fuzzy Hash: 947c91e2c8955588935510e9dc6a9f903c6b74d64488440af73b3b2a82d49c9e
Instruction Fuzzy Hash: 04714674114345AFDB21DF18D848FAABBE9FF89314F08441DFA9987261DB70E909DB22

Function 00D8911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00D09BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D09BB2

DragQueryPoint.SHELL32(?,?), ref: 00D89147

Part of subcall function 00D87674: ClientToScreen.USER32(?,?), ref: 00D8769A
Part of subcall function 00D87674: GetWindowRect.USER32(?,?), ref: 00D87710
Part of subcall function 00D87674: PtInRect.USER32(?,?,00D88B89), ref: 00D87720

SendMessageW.USER32(?,000000B0,?,?), ref: 00D891B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00D891BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00D891DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00D89225
SendMessageW.USER32(?,000000B0,?,?), ref: 00D8923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00D89255
SendMessageW.USER32(?,000000B1,?,?), ref: 00D89277
DragFinish.SHELL32(?), ref: 00D8927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00D89371

Strings

@GUI_DRAGFILE, xrefs: 00D89320
@GUI_DRAGID, xrefs: 00D892E9
@GUI_DROPID, xrefs: 00D8929E

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 1b1b8061f1774dac7b9151ed98ba78954a85fcb293a38c0d4c5a33cb397b3412
Instruction ID: 880c2649bb6c7fb3c011901a800fb97b79e0ef0bdf7a5e0f3a5341402121efe9
Opcode Fuzzy Hash: 1b1b8061f1774dac7b9151ed98ba78954a85fcb293a38c0d4c5a33cb397b3412
Instruction Fuzzy Hash: 05617C71108305AFC701EF54DC85EAFBBE8EF89750F00092DF595922A1DB309A49CB72

Function 00D6C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00D6C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00D6C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00D6C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00D6C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00D6C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00D6C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D6C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00D6C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00D6C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00D6C5F0
InternetCloseHandle.WININET(00000000), ref: 00D6C5FB

Strings

, xrefs: 00D6C575

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 8d9880983b5bfb34532cb6db915e2a76028b535a6cee3fc54937b56bc28765ad
Instruction ID: 7f8bd6c7cb69646af571c96cd364406361d420beabbf7ab75d823e4e5503b3f8
Opcode Fuzzy Hash: 8d9880983b5bfb34532cb6db915e2a76028b535a6cee3fc54937b56bc28765ad
Instruction Fuzzy Hash: 12513AB1520308BFDB219F60CD88ABA7BBCEB08754F04541AF986D6650EB34E9449B70

Function 00D8856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00D88592
GetFileSize.KERNEL32(00000000,00000000), ref: 00D885A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00D885AD
CloseHandle.KERNEL32(00000000), ref: 00D885BA
GlobalLock.KERNEL32(00000000), ref: 00D885C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00D885D7
GlobalUnlock.KERNEL32(00000000), ref: 00D885E0
CloseHandle.KERNEL32(00000000), ref: 00D885E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00D885F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,00D8FC38,?), ref: 00D88611
GlobalFree.KERNEL32(00000000), ref: 00D88621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00D88641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00D88671
DeleteObject.GDI32(00000000), ref: 00D88699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00D886AF

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: c53fabe5fd113ffa146902526d86e0dea349a823b34a3f153b3f148ea5d04adc
Instruction ID: 7b4988cb5828c1c7effe782ce27507bbd5288394c8c70db39d57520e4b76a6e8
Opcode Fuzzy Hash: c53fabe5fd113ffa146902526d86e0dea349a823b34a3f153b3f148ea5d04adc
Instruction Fuzzy Hash: CC41F775620308FFDB119FA5DC89EAA7BB9EF89B11F144058F906E72A0DB309901DB70

Function 00D614BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00D61502
VariantCopy.OLEAUT32(?,?), ref: 00D6150B
VariantClear.OLEAUT32(?), ref: 00D61517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00D615FB
VarR8FromDec.OLEAUT32(?,?), ref: 00D61657
VariantInit.OLEAUT32(?), ref: 00D61708
SysFreeString.OLEAUT32(?), ref: 00D6178C
VariantClear.OLEAUT32(?), ref: 00D617D8
VariantClear.OLEAUT32(?), ref: 00D617E7
VariantInit.OLEAUT32(00000000), ref: 00D61823

Strings

Default, xrefs: 00D616AF
%4d%02d%02d%02d%02d%02d, xrefs: 00D61625

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: bb1962e28c1ccdd941231f3de9ff5547765f81b0fb7ade43598842506a4f6e2c
Instruction ID: 8b11c753a856798d4e4fbb4cc5c907fe3ca82b6b076228d42116d2b491115bbb
Opcode Fuzzy Hash: bb1962e28c1ccdd941231f3de9ff5547765f81b0fb7ade43598842506a4f6e2c
Instruction Fuzzy Hash: AAD1EF75A00215EBDB10AF65E885B79F7B5FF44700F28845AE447AB680EB30EC44DBB2

Function 00D7B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF9CB3: _wcslen.LIBCMT ref: 00CF9CBD

Part of subcall function 00D7C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D7B6AE,?,?), ref: 00D7C9B5
Part of subcall function 00D7C998: _wcslen.LIBCMT ref: 00D7C9F1
Part of subcall function 00D7C998: _wcslen.LIBCMT ref: 00D7CA68
Part of subcall function 00D7C998: _wcslen.LIBCMT ref: 00D7CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D7B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D7B772
RegDeleteValueW.ADVAPI32(?,?), ref: 00D7B80A
RegCloseKey.ADVAPI32(?), ref: 00D7B87E
RegCloseKey.ADVAPI32(?), ref: 00D7B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00D7B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00D7B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00D7B922
FreeLibrary.KERNEL32(00000000), ref: 00D7B983
RegCloseKey.ADVAPI32(00000000), ref: 00D7B994

Strings

advapi32.dll, xrefs: 00D7B8ED
RegDeleteKeyExW, xrefs: 00D7B8FE

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 5c3b2a6912250615a86ee32368989f75b03b6a384c2a9a7a6a945e5f462a69a8
Instruction ID: 64c1a40f44dc4033ca0007b45f2a416c9d946801e8ea7cb6c77da0fade3edd96
Opcode Fuzzy Hash: 5c3b2a6912250615a86ee32368989f75b03b6a384c2a9a7a6a945e5f462a69a8
Instruction Fuzzy Hash: C8C16A30214201AFD714DF14C495B2ABBE5FF84318F18C55DE5AA8B2A2DB71E945CBA2

Function 00D7255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00D725D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00D725E8
CreateCompatibleDC.GDI32(?), ref: 00D725F4
SelectObject.GDI32(00000000,?), ref: 00D72601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00D7266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00D726AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00D726D0
SelectObject.GDI32(?,?), ref: 00D726D8
DeleteObject.GDI32(?), ref: 00D726E1
DeleteDC.GDI32(?), ref: 00D726E8
ReleaseDC.USER32(00000000,?), ref: 00D726F3

Strings

(, xrefs: 00D7268D

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 95ecacb5549cefd9496b2031eab9f5bbd512c635bc5bf07d9f4a5abe15a526cf
Instruction ID: e904127aee3013c3dbb7d0eb14cb0525841ff7c4fd82d2c88cdc9b58a349ed63
Opcode Fuzzy Hash: 95ecacb5549cefd9496b2031eab9f5bbd512c635bc5bf07d9f4a5abe15a526cf
Instruction Fuzzy Hash: 8C61D275D10219EFCF14CFA4D884AAEBBB6FF48310F20852AE959A7350E770A941CF60

Function 00D2DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00D2DAA1

Part of subcall function 00D2D63C: _free.LIBCMT ref: 00D2D659
Part of subcall function 00D2D63C: _free.LIBCMT ref: 00D2D66B
Part of subcall function 00D2D63C: _free.LIBCMT ref: 00D2D67D
Part of subcall function 00D2D63C: _free.LIBCMT ref: 00D2D68F
Part of subcall function 00D2D63C: _free.LIBCMT ref: 00D2D6A1
Part of subcall function 00D2D63C: _free.LIBCMT ref: 00D2D6B3
Part of subcall function 00D2D63C: _free.LIBCMT ref: 00D2D6C5
Part of subcall function 00D2D63C: _free.LIBCMT ref: 00D2D6D7
Part of subcall function 00D2D63C: _free.LIBCMT ref: 00D2D6E9
Part of subcall function 00D2D63C: _free.LIBCMT ref: 00D2D6FB
Part of subcall function 00D2D63C: _free.LIBCMT ref: 00D2D70D
Part of subcall function 00D2D63C: _free.LIBCMT ref: 00D2D71F
Part of subcall function 00D2D63C: _free.LIBCMT ref: 00D2D731

_free.LIBCMT ref: 00D2DA96

Part of subcall function 00D229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00D2D7D1,00000000,00000000,00000000,00000000,?,00D2D7F8,00000000,00000007,00000000,?,00D2DBF5,00000000), ref: 00D229DE
Part of subcall function 00D229C8: GetLastError.KERNEL32(00000000,?,00D2D7D1,00000000,00000000,00000000,00000000,?,00D2D7F8,00000000,00000007,00000000,?,00D2DBF5,00000000,00000000), ref: 00D229F0

_free.LIBCMT ref: 00D2DAB8
_free.LIBCMT ref: 00D2DACD
_free.LIBCMT ref: 00D2DAD8
_free.LIBCMT ref: 00D2DAFA
_free.LIBCMT ref: 00D2DB0D
_free.LIBCMT ref: 00D2DB1B
_free.LIBCMT ref: 00D2DB26
_free.LIBCMT ref: 00D2DB5E
_free.LIBCMT ref: 00D2DB65
_free.LIBCMT ref: 00D2DB82
_free.LIBCMT ref: 00D2DB9A

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 94c787b71454157199b68b30efb2d37eebe608ed7741f4e4ef980183f1b88993
Instruction ID: 4a4b913a7a2551dbe538f67ddc263bfa4e46f43ad76151fd8d51bf7bd3e59160
Opcode Fuzzy Hash: 94c787b71454157199b68b30efb2d37eebe608ed7741f4e4ef980183f1b88993
Instruction Fuzzy Hash: B5315A31644324AFEB21AB39F845B6A77EAFF34319F694419F449D7191DB31AC808B30

Function 00D5365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00D5369C
_wcslen.LIBCMT ref: 00D536A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00D53797
GetClassNameW.USER32(?,?,00000400), ref: 00D5380C
GetDlgCtrlID.USER32(?), ref: 00D5385D
GetWindowRect.USER32(?,?), ref: 00D53882
GetParent.USER32(?), ref: 00D538A0
ScreenToClient.USER32(00000000), ref: 00D538A7
GetClassNameW.USER32(?,?,00000100), ref: 00D53921
GetWindowTextW.USER32(?,?,00000400), ref: 00D5395D

Strings

%s%u, xrefs: 00D53734

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: b4617f8519a78afaf622b6036b9779f1ba5181ea57abf987b36320a7d79b4486
Instruction ID: d1d08e3f0b35c963f4135d703951bd52311e419020d07145ca67dc474f4e6471
Opcode Fuzzy Hash: b4617f8519a78afaf622b6036b9779f1ba5181ea57abf987b36320a7d79b4486
Instruction Fuzzy Hash: 2991B1B1204706AFDB19DF24C885BAAB7A8FF44391F044529FD99C2190DB30EA59CFB1

Function 00D54954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00D54994
GetWindowTextW.USER32(?,?,00000400), ref: 00D549DA
_wcslen.LIBCMT ref: 00D549EB
CharUpperBuffW.USER32(?,00000000), ref: 00D549F7
_wcsstr.LIBVCRUNTIME ref: 00D54A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00D54A64
GetWindowTextW.USER32(?,?,00000400), ref: 00D54A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00D54AE6
GetClassNameW.USER32(?,?,00000400), ref: 00D54B20
GetWindowRect.USER32(?,?), ref: 00D54B8B

Strings

ThumbnailClass, xrefs: 00D54A6F, 00D54AF1

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 0042a90a9cf05286f92d9c3e40afb8328b28f677d450e5326d3b2dc859823a33
Instruction ID: 2efa81a4df1a6a60e9c93a98f601fe61dbe32eed42e84e0e9c2faf334fbbc2ae
Opcode Fuzzy Hash: 0042a90a9cf05286f92d9c3e40afb8328b28f677d450e5326d3b2dc859823a33
Instruction Fuzzy Hash: 7691CE711042059FDF04CF14D985BAA77E8FF8435AF088469FD859A196EB30ED89CBB2

Function 00D5BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00DC1990,000000FF,00000000,00000030), ref: 00D5BFAC
SetMenuItemInfoW.USER32(00DC1990,00000004,00000000,00000030), ref: 00D5BFE1
Sleep.KERNEL32(000001F4), ref: 00D5BFF3
GetMenuItemCount.USER32(?), ref: 00D5C039
GetMenuItemID.USER32(?,00000000), ref: 00D5C056
GetMenuItemID.USER32(?,-00000001), ref: 00D5C082
GetMenuItemID.USER32(?,?), ref: 00D5C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00D5C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D5C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D5C145

Strings

0, xrefs: 00D5BF3D

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: e989e4a186787ce196a01487387a08f35935c41de883d6266ee964a2ebd98ec1
Instruction ID: e2b24a167aa8d5be9fa3434d46c6b5eca307b6cc1c054dcd27782d4f789e30b0
Opcode Fuzzy Hash: e989e4a186787ce196a01487387a08f35935c41de883d6266ee964a2ebd98ec1
Instruction Fuzzy Hash: 20617BB092034AAFDF11CF68DD88EAEBBB8EB05356F041055ED51A3292D771AD48CB70

Function 00D7CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00D7CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00D7CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00D7CD48

Part of subcall function 00D7CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00D7CCAA
Part of subcall function 00D7CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00D7CCBD
Part of subcall function 00D7CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00D7CCCF
Part of subcall function 00D7CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00D7CD05
Part of subcall function 00D7CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00D7CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00D7CCF3

Strings

advapi32.dll, xrefs: 00D7CCB8
RegDeleteKeyExW, xrefs: 00D7CCC9

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 66b3a9accd11384aa9ffe445e5561fc1414ce0ce695b0e1d03b6b1c5c6c4c73e
Instruction ID: f304900a47c3e99831eeec808f5e1ae1c61932bac41ee877525e50d69051a4a6
Opcode Fuzzy Hash: 66b3a9accd11384aa9ffe445e5561fc1414ce0ce695b0e1d03b6b1c5c6c4c73e
Instruction Fuzzy Hash: 09318E71921228FFDB218B50DC88EFFBB7CEF45740F045169A90AE2240EA309A459BB0

Function 00D63D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00D63D40
_wcslen.LIBCMT ref: 00D63D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00D63D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00D63DBE
RemoveDirectoryW.KERNEL32(?), ref: 00D63DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00D63E55
CloseHandle.KERNEL32(00000000), ref: 00D63E60
CloseHandle.KERNEL32(00000000), ref: 00D63E6B

Strings

:, xrefs: 00D63D82
\, xrefs: 00D63D77
\??\%s, xrefs: 00D63D5B

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: c7d5421bceaf4031b1f37e99d83daa4cea5c08bf3f38669f3db0b1b69c6f7042
Instruction ID: 081954e1449cea3cd09af07b1469d8792e1341dc77e3589d341aff0cf3a2dd06
Opcode Fuzzy Hash: c7d5421bceaf4031b1f37e99d83daa4cea5c08bf3f38669f3db0b1b69c6f7042
Instruction Fuzzy Hash: 61318F72910209ABDB219BA0DC49FEF77BDEF89700F1441A5F619D61A0EB7497848B34

Function 00D5E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00D5E6B4

Part of subcall function 00D0E551: timeGetTime.WINMM(?,?,00D5E6D4), ref: 00D0E555

Sleep.KERNEL32(0000000A), ref: 00D5E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00D5E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00D5E727
SetActiveWindow.USER32 ref: 00D5E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00D5E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00D5E773
Sleep.KERNEL32(000000FA), ref: 00D5E77E
IsWindow.USER32 ref: 00D5E78A
EndDialog.USER32(00000000), ref: 00D5E79B

Strings

BUTTON, xrefs: 00D5E719

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: a6df85e392f34057a613d5ca7be29cfade55c5bbfa7d229ed6ce88825858eb6d
Instruction ID: 1cdad04330bcd190dc4ea5deb4c25c2367da02e34d5c22dbd9bc9afc0235e528
Opcode Fuzzy Hash: a6df85e392f34057a613d5ca7be29cfade55c5bbfa7d229ed6ce88825858eb6d
Instruction Fuzzy Hash: C4214CB0260346EFEF046B21EC8AE353B69EB5538AF142825FC55C13A1DB71AD089B34

Function 00D5E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00CF9CB3: _wcslen.LIBCMT ref: 00CF9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00D5EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00D5EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D5EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00D5EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00D5EAA7

Strings

status PlayMe mode, xrefs: 00D5EA58
alias PlayMe, xrefs: 00D5EA36
close PlayMe, xrefs: 00D5EA6E, 00D5EA9B
open , xrefs: 00D5EA0C
play PlayMe, xrefs: 00D5EAA2
play PlayMe wait, xrefs: 00D5EA91

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 42c654b35b4911839e2cbb8e403c88965c9a6959aa3f705711f73646c5953a12
Instruction ID: e80c98f2657a40014ccc37d8fef596bd3387fae26e0508da59d916801427adea
Opcode Fuzzy Hash: 42c654b35b4911839e2cbb8e403c88965c9a6959aa3f705711f73646c5953a12
Instruction Fuzzy Hash: 6611583165025DBDDB24B772DC45DFF6B7CEBD1B40F0414257911920D1EE704A49C9B1

Function 00D59F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00D5A012
SetKeyboardState.USER32(?), ref: 00D5A07D
GetAsyncKeyState.USER32(000000A0), ref: 00D5A09D
GetKeyState.USER32(000000A0), ref: 00D5A0B4
GetAsyncKeyState.USER32(000000A1), ref: 00D5A0E3
GetKeyState.USER32(000000A1), ref: 00D5A0F4
GetAsyncKeyState.USER32(00000011), ref: 00D5A120
GetKeyState.USER32(00000011), ref: 00D5A12E
GetAsyncKeyState.USER32(00000012), ref: 00D5A157
GetKeyState.USER32(00000012), ref: 00D5A165
GetAsyncKeyState.USER32(0000005B), ref: 00D5A18E
GetKeyState.USER32(0000005B), ref: 00D5A19C

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: f440b774b7bc58f255aec0070b1ded2900c4b0e50a3f60460f5ea15299071fcf
Instruction ID: 3ca487449e48e7a465d6d613e75593cf4a6eab45f64b5f8f2b6a8f431b08cb86
Opcode Fuzzy Hash: f440b774b7bc58f255aec0070b1ded2900c4b0e50a3f60460f5ea15299071fcf
Instruction Fuzzy Hash: F651E93090479869FF35DB748811BEAEFB49F12381F0C469ADDC25B1C2DA64AA4CC776

Function 00D55CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00D55CE2
GetWindowRect.USER32(00000000,?), ref: 00D55CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00D55D59
GetDlgItem.USER32(?,00000002), ref: 00D55D69
GetWindowRect.USER32(00000000,?), ref: 00D55D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00D55DCF
GetDlgItem.USER32(?,000003E9), ref: 00D55DDD
GetWindowRect.USER32(00000000,?), ref: 00D55DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00D55E31
GetDlgItem.USER32(?,000003EA), ref: 00D55E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00D55E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00D55E67

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 7e53cf7040465543d41b765607f7b8708122a81a7f89d677e8b3f0006ba7a562
Instruction ID: bd3a2177083574c1c63c38a7235fca4a5e4497a888585cfd0148b2b1e6434aee
Opcode Fuzzy Hash: 7e53cf7040465543d41b765607f7b8708122a81a7f89d677e8b3f0006ba7a562
Instruction Fuzzy Hash: AB512F71A10705AFDF18CF68DD9AAAE7BB9EF48301F148129F915E6294D7709E04CB60

Function 00D08BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00D08F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00D08BE8,?,00000000,?,?,?,?,00D08BBA,00000000,?), ref: 00D08FC5

DestroyWindow.USER32(?), ref: 00D08C81
KillTimer.USER32(00000000,?,?,?,?,00D08BBA,00000000,?), ref: 00D08D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00D46973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00D08BBA,00000000,?), ref: 00D469A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00D08BBA,00000000,?), ref: 00D469B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00D08BBA,00000000), ref: 00D469D4
DeleteObject.GDI32(00000000), ref: 00D469E6

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 0e86aadd7798aaeb954dbfeea291f9e0e04bf13eb80d8322810bbc7abed7f7ea
Instruction ID: 28e5a73a973453319198614e66e8144136c06604287aba6c3f1a2b377c18b61e
Opcode Fuzzy Hash: 0e86aadd7798aaeb954dbfeea291f9e0e04bf13eb80d8322810bbc7abed7f7ea
Instruction Fuzzy Hash: 5761AA34512712DFEB259F24D948B29B7F1FB46312F184518E0879AAA0CB71E890EFB5

Function 00D09838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00D09944: GetWindowLongW.USER32(?,000000EB), ref: 00D09952

GetSysColor.USER32(0000000F), ref: 00D09862

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 60b90266e7976e138703db825ee2fbf8a56470506314b829c12e8caccccf4355
Instruction ID: ad22aa3f248d290736fcffdd21c7068046c04a0f41955d352e64b8416c805e74
Opcode Fuzzy Hash: 60b90266e7976e138703db825ee2fbf8a56470506314b829c12e8caccccf4355
Instruction Fuzzy Hash: 7241A071114740DFDB205F389CA8BB97B65AB06320F189616F9A68B3E3D7319C42DB30

Function 00D596E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00D3F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00D59717
LoadStringW.USER32(00000000,?,00D3F7F8,00000001), ref: 00D59720

Part of subcall function 00CF9CB3: _wcslen.LIBCMT ref: 00CF9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00D3F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00D59742
LoadStringW.USER32(00000000,?,00D3F7F8,00000001), ref: 00D59745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00D59866

Strings

Error: , xrefs: 00D5981D
Line %d (File "%s"):, xrefs: 00D5978F
Line %d:, xrefs: 00D597A0
^ ERROR, xrefs: 00D597FB
%s (%d) : ==> %s: %s %s, xrefs: 00D5984A

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 144682e60b22a1754d324418a6678c66c1c2691952fb7eb984a7306bb9f85270
Instruction ID: df05d51698eded0dcb24d6d9ef8bae2c2d5bb4f039ac5524bb430a24817ebf41
Opcode Fuzzy Hash: 144682e60b22a1754d324418a6678c66c1c2691952fb7eb984a7306bb9f85270
Instruction Fuzzy Hash: 33412A7280021DAACF04EBA0DD96EFEB778EF55341F100065FA05721A2EA356F49DB72

Function 00D506DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF6B57: _wcslen.LIBCMT ref: 00CF6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00D507A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00D507BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00D507DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00D50804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00D5082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00D50837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00D5083C

Strings

\CLSID, xrefs: 00D50724
SOFTWARE\Classes\, xrefs: 00D5070E
\IPC$, xrefs: 00D50784

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 25904688412f68b4009e96c7255d8d1f190eeeafdec9f125caa7f80e19dabc15
Instruction ID: 24fface0bf4d6d70f58c9571393e96e93747605a38451cf980091147c9c50e6c
Opcode Fuzzy Hash: 25904688412f68b4009e96c7255d8d1f190eeeafdec9f125caa7f80e19dabc15
Instruction Fuzzy Hash: 8741E57281022DEBDF11EBA4DC85DFDB778AF44390F044129E915A32A1EB709E08DBA1

Function 00D83F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00D8403B
CreateCompatibleDC.GDI32(00000000), ref: 00D84042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00D84055
SelectObject.GDI32(00000000,00000000), ref: 00D8405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00D84068
DeleteDC.GDI32(00000000), ref: 00D84072
GetWindowLongW.USER32(?,000000EC), ref: 00D8407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00D84092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00D8409E

Strings

static, xrefs: 00D83FD3

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 54cccc0307b28a7720ef6276ed96cade02c7482b7466d98a43e3d9ffbeef68cf
Instruction ID: 4a6dfbf28e7008f26abd26e0a421133ee1a62d337efebb44e7e58f20754300a8
Opcode Fuzzy Hash: 54cccc0307b28a7720ef6276ed96cade02c7482b7466d98a43e3d9ffbeef68cf
Instruction Fuzzy Hash: 1F317C32521216EBDF21AFA4DC49FEA3B69EF0D720F100211FA18E61A0D735D810DBB0

Function 00D73C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D73C5C
CoInitialize.OLE32(00000000), ref: 00D73C8A
CoUninitialize.OLE32 ref: 00D73C94
_wcslen.LIBCMT ref: 00D73D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00D73DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00D73ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00D73F0E
CoGetObject.OLE32(?,00000000,00D8FB98,?), ref: 00D73F2D
SetErrorMode.KERNEL32(00000000), ref: 00D73F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00D73FC4
VariantClear.OLEAUT32(?), ref: 00D73FD8

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 5fbf6510b73a830278c9673a1c91a5046ee7a7024db4c497a9e1b781870a800f
Instruction ID: e823e59e46d8dd4e6ebc5f3c7dcb6cdfe7b8ef19a1c76173731308f4fd786057
Opcode Fuzzy Hash: 5fbf6510b73a830278c9673a1c91a5046ee7a7024db4c497a9e1b781870a800f
Instruction Fuzzy Hash: 12C144716083059FC710DF68C88492BBBE9FF89744F14895DF98A9B210E731EE05DB62

Function 00D67A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00D67AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00D67B8F
SHGetDesktopFolder.SHELL32(?), ref: 00D67BA3
CoCreateInstance.OLE32(00D8FD08,00000000,00000001,00DB6E6C,?), ref: 00D67BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00D67C74
CoTaskMemFree.OLE32(?,?), ref: 00D67CCC
SHBrowseForFolderW.SHELL32(?), ref: 00D67D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00D67D7A
CoTaskMemFree.OLE32(00000000), ref: 00D67D81
CoTaskMemFree.OLE32(00000000), ref: 00D67DD6
CoUninitialize.OLE32 ref: 00D67DDC

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 66d516ef6402382a2387e42b03ecb9c52f704ed2f22df745d688c79eade19688
Instruction ID: 9c7275d424bdc06d415901ac3473b5e60aee17dd5a97593606224c838e7ece76
Opcode Fuzzy Hash: 66d516ef6402382a2387e42b03ecb9c52f704ed2f22df745d688c79eade19688
Instruction Fuzzy Hash: 27C1F875A04209EFCB14DFA4C884DAEBBB9FF48304B158599E919DB361D730EE45CBA0

Function 00D8541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00D85504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D85515
CharNextW.USER32(00000158), ref: 00D85544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00D85585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00D8559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D855AC

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 5db8ba55f077fbf677ffd9850f577bf88fd4da81fe1da65c784a72c89378df4d
Instruction ID: 64486d5c2078c102dfc52cb3e53ff5b648fe4c2aac9a6070ab6c3ad45e288a57
Opcode Fuzzy Hash: 5db8ba55f077fbf677ffd9850f577bf88fd4da81fe1da65c784a72c89378df4d
Instruction Fuzzy Hash: 0B61BC34910609EFDF10AF54EC85EFE7BB9EF0A321F144155F965AA2A4D7348A80DB70

Function 00D4FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00D4FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00D4FB08
VariantInit.OLEAUT32(?), ref: 00D4FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00D4FB3A
VariantCopy.OLEAUT32(?,?), ref: 00D4FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00D4FBA1
VariantClear.OLEAUT32(?), ref: 00D4FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00D4FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00D4FBCC
VariantClear.OLEAUT32(?), ref: 00D4FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00D4FBE9

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: b7349847e18ea8009545c583e2e63f876c9d1e32eedd637f8842de3d6a284844
Instruction ID: 20addfddc988ed79d2053ca6967d9189e57ad69851f20a6cbc6e108752772157
Opcode Fuzzy Hash: b7349847e18ea8009545c583e2e63f876c9d1e32eedd637f8842de3d6a284844
Instruction Fuzzy Hash: 9E413D75A10219DFCB04DFA8D854DAEBBB9EF48344F008069E956E7361CB30A945CFB1

Function 00D59C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00D59CA1
GetAsyncKeyState.USER32(000000A0), ref: 00D59D22
GetKeyState.USER32(000000A0), ref: 00D59D3D
GetAsyncKeyState.USER32(000000A1), ref: 00D59D57
GetKeyState.USER32(000000A1), ref: 00D59D6C
GetAsyncKeyState.USER32(00000011), ref: 00D59D84
GetKeyState.USER32(00000011), ref: 00D59D96
GetAsyncKeyState.USER32(00000012), ref: 00D59DAE
GetKeyState.USER32(00000012), ref: 00D59DC0
GetAsyncKeyState.USER32(0000005B), ref: 00D59DD8
GetKeyState.USER32(0000005B), ref: 00D59DEA

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: d638d363b5f38648d76da939b15a707264bea7913d589b9c319d635d4da0dd8f
Instruction ID: aaa90a698ab8b1f6335230bd06d93e7bc265fa4dc4201d457119861753a7c9c4
Opcode Fuzzy Hash: d638d363b5f38648d76da939b15a707264bea7913d589b9c319d635d4da0dd8f
Instruction Fuzzy Hash: 3A41A5345147C9E9FF31966088243B5FEB0AB11346F0C805ADEC6566C2EBB599CCC7B2

Function 00D7055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00D705BC
inet_addr.WSOCK32(?), ref: 00D7061C
gethostbyname.WSOCK32(?), ref: 00D70628
IcmpCreateFile.IPHLPAPI ref: 00D70636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00D706C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00D706E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00D707B9
WSACleanup.WSOCK32 ref: 00D707BF

Strings

Ping, xrefs: 00D70676

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 2198d7784d54ac7633b45184c074792630a718d077bc091010620b810f17d57a
Instruction ID: 75fc33f4f4905c3c787f9a1a2cab14d8a7cc67c685820f66186546ce487eca30
Opcode Fuzzy Hash: 2198d7784d54ac7633b45184c074792630a718d077bc091010620b810f17d57a
Instruction Fuzzy Hash: F1915935604201DFD724DF15C889B1ABBE0AF48318F18C5A9E5A98B7A2D730ED45CFA2

Function 00D78CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00D78CF3

Part of subcall function 00D58E54: _wcslen.LIBCMT ref: 00D58E77

_wcslen.LIBCMT ref: 00D78D4E
_wcslen.LIBCMT ref: 00D78D9C
_wcslen.LIBCMT ref: 00D78DDC
_wcslen.LIBCMT ref: 00D78E6E

Strings

none, xrefs: 00D78E65, 00D78E6A
cdecl, xrefs: 00D78D48, 00D78D4D
winapi, xrefs: 00D78D96, 00D78D9B
stdcall, xrefs: 00D78DD6, 00D78DDB

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 1245af1c29e766addfdc51af5e28a9c640c635450f866097613ac315f570d35e
Instruction ID: e8ab686d289da401617e274915325b0593a2123821436d7f76ac25a50ff51e7b
Opcode Fuzzy Hash: 1245af1c29e766addfdc51af5e28a9c640c635450f866097613ac315f570d35e
Instruction Fuzzy Hash: 42519031A401169BCF24DF68C9449BEB7A5EF64720B248229F56AE72C4EB31DD40E7B0

Function 00D7372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00D73774
CoUninitialize.OLE32 ref: 00D7377F
CoCreateInstance.OLE32(?,00000000,00000017,00D8FB78,?), ref: 00D737D9
IIDFromString.OLE32(?,?), ref: 00D7384C
VariantInit.OLEAUT32(?), ref: 00D738E4
VariantClear.OLEAUT32(?), ref: 00D73936

Strings

NULL Pointer assignment, xrefs: 00D7381E
Invalid parameter, xrefs: 00D73865
Failed to create object, xrefs: 00D737E4, 00D7389A

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: db8e1164b8484751cea5b75d416f0fa9616a970f9ce3536fae9d07765b98b94f
Instruction ID: bbcaf6a37df7565b28aef1e49feb072443dae30c364ca8d0b06a319c8b630798
Opcode Fuzzy Hash: db8e1164b8484751cea5b75d416f0fa9616a970f9ce3536fae9d07765b98b94f
Instruction Fuzzy Hash: 69618E70608301EFD710DF54C849B6ABBE4EF48711F148909F9899B291E770EE48DBB2

Function 00D63388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00D633CF

Part of subcall function 00CF9CB3: _wcslen.LIBCMT ref: 00CF9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00D633F0

Strings

Error: , xrefs: 00D634D1
Line %d (File "%s"):, xrefs: 00D63443, 00D6345C
^ ERROR , xrefs: 00D6349E
"%s" (%d) : ==> %s:, xrefs: 00D63522
"%s" (%d) : ==> %s:%s%s, xrefs: 00D63504
Incorrect parameters to object property !, xrefs: 00D634AB

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 3b24165b437f84b275141ff63c45c22b18a9e06718aebf5e2994db98cf0fb946
Instruction ID: 554cfe9685df503a3d22436ca6d5e9da5d14a7cbade69388db0360928729a675
Opcode Fuzzy Hash: 3b24165b437f84b275141ff63c45c22b18a9e06718aebf5e2994db98cf0fb946
Instruction Fuzzy Hash: B6515B7190025AABDF15EBA0CD42EFEB778EF14340F144065B605B21A2EB356F58EB71

Function 00D5B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00D5B5FC
_wcslen.LIBCMT ref: 00D5B608
_wcslen.LIBCMT ref: 00D5B64D
_wcslen.LIBCMT ref: 00D5B68C
_wcslen.LIBCMT ref: 00D5B6C7

Strings

KEYS, xrefs: 00D5B647, 00D5B64C
EXISTS, xrefs: 00D5B686, 00D5B68B
REMOVE, xrefs: 00D5B602, 00D5B607
APPEND, xrefs: 00D5B6C1, 00D5B6C6

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 94839dcd377dc10885c383e646d11608d61858688dfbdfd6fa6e487cff01c91d
Instruction ID: fbfe8ace64864839c436d35139a3dddec23c49f745d2c11c0207253a3d6aca38
Opcode Fuzzy Hash: 94839dcd377dc10885c383e646d11608d61858688dfbdfd6fa6e487cff01c91d
Instruction Fuzzy Hash: 1241C732A001269ACF105F7D88905BE77A5EF60775B28412BEC61DF284E735CD85C7B0

Function 00D65393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D653A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00D65416
GetLastError.KERNEL32 ref: 00D65420
SetErrorMode.KERNEL32(00000000,READY), ref: 00D654A7

Strings

READY, xrefs: 00D65460, 00D65468
INVALID, xrefs: 00D65459
UNKNOWN, xrefs: 00D65444
READONLY, xrefs: 00D65452
NOTREADY, xrefs: 00D6544B

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: ca091302de87e4c4593ec8ee50e788a05e520f047a40c46066eaf07b5710d881
Instruction ID: 02c79985609b41b9901fcb9d2de73952109a4f4c52c12d8ca786061457cbffba
Opcode Fuzzy Hash: ca091302de87e4c4593ec8ee50e788a05e520f047a40c46066eaf07b5710d881
Instruction Fuzzy Hash: BB318035A00604DFCB10DF68D484AAA7BB4EF45305F1880A5E506CB396DB75EDC6CBB1

Function 00D83C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00D83C79
SetMenu.USER32(?,00000000), ref: 00D83C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D83D10
IsMenu.USER32(?), ref: 00D83D24
CreatePopupMenu.USER32 ref: 00D83D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00D83D5B
DrawMenuBar.USER32 ref: 00D83D63

Strings

0, xrefs: 00D83C54
F, xrefs: 00D83D4E

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: ac092b05791b01466afc55a5295d674cbdbe4b7fcff10c3ed9428cbcc4f16c98
Instruction ID: 59e81f7f4dabf8843c721d5a078495fb1a5b7cb89304801cac3c571c23fa6002
Opcode Fuzzy Hash: ac092b05791b01466afc55a5295d674cbdbe4b7fcff10c3ed9428cbcc4f16c98
Instruction Fuzzy Hash: 7F418CB9A1130AEFDF14DF64D844EAA77B5FF49300F144068E94A97360D730AA10CF60

Function 00D51EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF9CB3: _wcslen.LIBCMT ref: 00CF9CBD

Part of subcall function 00D53CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D53CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00D51F64
GetDlgCtrlID.USER32 ref: 00D51F6F
GetParent.USER32 ref: 00D51F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00D51F8E
GetDlgCtrlID.USER32(?), ref: 00D51F97
GetParent.USER32(?), ref: 00D51FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00D51FAE

Strings

ComboBox, xrefs: 00D51EEC
ListBox, xrefs: 00D51F21

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 6cdce0be519131db795d89eaabe77c26046faf3bcb354a8b5d5d360231057b12
Instruction ID: 8e1e159e33930eb5ce701daea9b0fedf6ad2b2f7accd56364c4492dac1e9992a
Opcode Fuzzy Hash: 6cdce0be519131db795d89eaabe77c26046faf3bcb354a8b5d5d360231057b12
Instruction Fuzzy Hash: 0921BE75A10218BBCF04AFA0DC85AFEBBB8EF16350F001115FE61A72A1DB3599089B70

Function 00D51FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF9CB3: _wcslen.LIBCMT ref: 00CF9CBD

Part of subcall function 00D53CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D53CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00D52043
GetDlgCtrlID.USER32 ref: 00D5204E
GetParent.USER32 ref: 00D5206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00D5206D
GetDlgCtrlID.USER32(?), ref: 00D52076
GetParent.USER32(?), ref: 00D5208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00D5208D

Strings

ComboBox, xrefs: 00D51FCD
ListBox, xrefs: 00D52002

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 600407bd5a7ebf0a585e028d7adffff9920168ecea28e340f8a12df7608fd17e
Instruction ID: b619bbb73d0417196f34d53e5b2377af628cb1549ec956d523b4b1d89d645173
Opcode Fuzzy Hash: 600407bd5a7ebf0a585e028d7adffff9920168ecea28e340f8a12df7608fd17e
Instruction Fuzzy Hash: A2218E75A10218BBCF10AFA4DC85AFEBBB8EF16340F005015BD51A72A1DA75991CDB70

Function 00D83A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00D83A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00D83AA0
GetWindowLongW.USER32(?,000000F0), ref: 00D83AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D83AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00D83B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00D83BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00D83BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00D83BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00D83BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00D83C13

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 6e9e638cef40e5a294c69e29f5d6854d64b3a6d7864b59e90691b9a79e99a33e
Instruction ID: 9dc209c42e1944d7a9344c1229493078e5d1210e7ec2fcd15a3af93782b749ea
Opcode Fuzzy Hash: 6e9e638cef40e5a294c69e29f5d6854d64b3a6d7864b59e90691b9a79e99a33e
Instruction Fuzzy Hash: 40617BB5900259AFDB11DFA8CC81EEE77B8EF09700F140099FA15E72A2D774AA45DB60

Function 00D5B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00D5B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00D5A1E1,?,00000001), ref: 00D5B165
GetWindowThreadProcessId.USER32(00000000), ref: 00D5B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00D5A1E1,?,00000001), ref: 00D5B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00D5B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00D5A1E1,?,00000001), ref: 00D5B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00D5A1E1,?,00000001), ref: 00D5B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00D5A1E1,?,00000001), ref: 00D5B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00D5A1E1,?,00000001), ref: 00D5B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00D5A1E1,?,00000001), ref: 00D5B21D

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 8730c5d5fa3ada1cf3bb9ed7933a2ea1d240912f806fb415983b32ac5ace5b80
Instruction ID: 52864e5e54966cb9e029f99616de2541e9939e55a27edc7196a706de3f8e49c5
Opcode Fuzzy Hash: 8730c5d5fa3ada1cf3bb9ed7933a2ea1d240912f806fb415983b32ac5ace5b80
Instruction Fuzzy Hash: B63189B2620706EFDF109F24EC49FAD7BA9BB51322F149016FE01D62A0D7B49A448F74

Function 00D22C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00D22C94

Part of subcall function 00D229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00D2D7D1,00000000,00000000,00000000,00000000,?,00D2D7F8,00000000,00000007,00000000,?,00D2DBF5,00000000), ref: 00D229DE
Part of subcall function 00D229C8: GetLastError.KERNEL32(00000000,?,00D2D7D1,00000000,00000000,00000000,00000000,?,00D2D7F8,00000000,00000007,00000000,?,00D2DBF5,00000000,00000000), ref: 00D229F0

_free.LIBCMT ref: 00D22CA0
_free.LIBCMT ref: 00D22CAB
_free.LIBCMT ref: 00D22CB6
_free.LIBCMT ref: 00D22CC1
_free.LIBCMT ref: 00D22CCC
_free.LIBCMT ref: 00D22CD7
_free.LIBCMT ref: 00D22CE2
_free.LIBCMT ref: 00D22CED
_free.LIBCMT ref: 00D22CFB

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dd96c30515dff3adb00a9636da758fd1f0547de7451d9b4228c61d613e73bd83
Instruction ID: 76c271b887767a2520fce520bf5f76b8efadc411824e4b0369b55cf9524bc81e
Opcode Fuzzy Hash: dd96c30515dff3adb00a9636da758fd1f0547de7451d9b4228c61d613e73bd83
Instruction Fuzzy Hash: 6A119676140118BFCB02EF54E842CED3BA5FF19354F8144A5F9485B222D731EA909FB0

Function 00D67DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00D67FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00D67FC1
GetFileAttributesW.KERNEL32(?), ref: 00D67FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00D68005
SetCurrentDirectoryW.KERNEL32(?), ref: 00D68017
SetCurrentDirectoryW.KERNEL32(?), ref: 00D68060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00D680B0

Strings

*.*, xrefs: 00D68066

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 300a702776b2dba93aca9fd5ac0a27c1e7a4008a3d6d951b8886cfdbe7cf3420
Instruction ID: 62ef50be74d931c42938fe1fded200fe3e3dc3408328ac599e5b689956b74c15
Opcode Fuzzy Hash: 300a702776b2dba93aca9fd5ac0a27c1e7a4008a3d6d951b8886cfdbe7cf3420
Instruction Fuzzy Hash: 3381C17250830A9BCB24EF54C450AAAB3E8BF88314F184D5EF885C7251EB36DD49CB72

Function 00CF5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00CF5C7A

Part of subcall function 00CF5D0A: GetClientRect.USER32(?,?), ref: 00CF5D30
Part of subcall function 00CF5D0A: GetWindowRect.USER32(?,?), ref: 00CF5D71
Part of subcall function 00CF5D0A: ScreenToClient.USER32(?,?), ref: 00CF5D99

GetDC.USER32 ref: 00D346F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00D34708
SelectObject.GDI32(00000000,00000000), ref: 00D34716
SelectObject.GDI32(00000000,00000000), ref: 00D3472B
ReleaseDC.USER32(?,00000000), ref: 00D34733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00D347C4

Strings

U, xrefs: 00D34693

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 346afe828a806af89364abaa1b8816397d163585f7c177de5cdb06c76d2fe502
Instruction ID: 7fc3fc71186bf8ee18bb901115b780ec9a9280a1a8737243982ffcaa74b2c87a
Opcode Fuzzy Hash: 346afe828a806af89364abaa1b8816397d163585f7c177de5cdb06c76d2fe502
Instruction Fuzzy Hash: 6671E375400209DFCF218F64CD85AFA3BB5FF4A350F184269EE565A266C734A841DFB1

Function 00D6359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00D635E4

Part of subcall function 00CF9CB3: _wcslen.LIBCMT ref: 00CF9CBD

LoadStringW.USER32(00DC2390,?,00000FFF,?), ref: 00D6360A

Strings

Error: , xrefs: 00D636EF
Line %d (File "%s"):, xrefs: 00D6366B
^ ERROR, xrefs: 00D636C9
"%s" (%d) : ==> %s:, xrefs: 00D63742
"%s" (%d) : ==> %s:%s%s, xrefs: 00D63724

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 484d462a3dbb1d0426165ce9ed486583eeb4559db7fccca6b42736b4249aa2fc
Instruction ID: f94d67723a9251a348faccc69af4e1eaf0df920ca9b761fcd6c58c222944ef9c
Opcode Fuzzy Hash: 484d462a3dbb1d0426165ce9ed486583eeb4559db7fccca6b42736b4249aa2fc
Instruction Fuzzy Hash: CD514A7180025ABBDF15EBA0DC42EEEBB78EF05340F145125F605721A2EB316A99EF71

Function 00D6C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00D6C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D6C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00D6C2CA
GetLastError.KERNEL32 ref: 00D6C322
SetEvent.KERNEL32(?), ref: 00D6C336
InternetCloseHandle.WININET(00000000), ref: 00D6C341

Strings

, xrefs: 00D6C2BB

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: f7f2f39221c22c5ba1133fa3bae3d8428fbcf85669fdf3bc7d66abd576a3b53b
Instruction ID: bc6f9cbc16b39e79e52392504e479cfb044e01e7f85a508e7aa9498bd460bacd
Opcode Fuzzy Hash: f7f2f39221c22c5ba1133fa3bae3d8428fbcf85669fdf3bc7d66abd576a3b53b
Instruction Fuzzy Hash: 8B3169B1620308EFD7219FA49C88ABB7AFCEB49744B14A51EF486D2310DB34ED049B70

Function 00D5989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00D33AAF,?,?,Bad directive syntax error,00D8CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00D598BC
LoadStringW.USER32(00000000,?,00D33AAF,?), ref: 00D598C3

Part of subcall function 00CF9CB3: _wcslen.LIBCMT ref: 00CF9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00D59987

Strings

Error: , xrefs: 00D59955
%s (%d) : ==> %s.: %s %s, xrefs: 00D598F1
Line %d (File "%s"):, xrefs: 00D5992D
Line %d:, xrefs: 00D59912
., xrefs: 00D5996D

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 43134b8f6f505720f83d36733a4a54826cfa0698068a18543cd0c4cb4f2f3006
Instruction ID: bab0c460952b0d9aba07dec3dabbe54444c298726d0bf728236bedb4a9ddd367
Opcode Fuzzy Hash: 43134b8f6f505720f83d36733a4a54826cfa0698068a18543cd0c4cb4f2f3006
Instruction Fuzzy Hash: 3721593295021EEBCF12AF90CC16EEE7779FF18341F045429FA15620A2EA359618DF31

Function 00D5209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00D520AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00D520C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00D5214D

Strings

details, xrefs: 00D520FB
smallicons, xrefs: 00D52115
list, xrefs: 00D5212F
SHELLDLL_DefView, xrefs: 00D520CC
largeicons, xrefs: 00D520E1

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 1aff22e924ed422367c82de8f2dc4b3f9e6d96927b96a97c21ac022086764aef
Instruction ID: 33c899aafd2e4ddcbb656ca0d5f2b672acdc6f94e278af847db1b3b150eeb00b
Opcode Fuzzy Hash: 1aff22e924ed422367c82de8f2dc4b3f9e6d96927b96a97c21ac022086764aef
Instruction Fuzzy Hash: 6D11C176698B06F9FA152220FC07EF7379CCF06325B200026FE05A50E5FE61A84D5A78

Function 00D28D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc0382fe23dc561c7156ad94ccd31d4c08490896574319f20b14358931ba18f
Instruction ID: 9c0f363aa523cd59ec888d34611141ec6f7f534e5ac95daa14b9a17231c8576d
Opcode Fuzzy Hash: 1dc0382fe23dc561c7156ad94ccd31d4c08490896574319f20b14358931ba18f
Instruction Fuzzy Hash: B2C10175E04369AFCB11DFA8E950BADBBB0BF29314F084099F515A7392CB319981CB70

Function 00D2CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00D2CEB7
_free.LIBCMT ref: 00D2CF22
_free.LIBCMT ref: 00D2CF48
_free.LIBCMT ref: 00D2CF71
_free.LIBCMT ref: 00D2CFA9
_free.LIBCMT ref: 00D2CFDA
_free.LIBCMT ref: 00D2D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00D2D09C
_free.LIBCMT ref: 00D2D0B5

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: d661a7cea534101c26599e8bd87ce5b7721efce646ffd4547c52cecaa075b2fa
Instruction ID: f154fb95157e1503c11612ed934a84eff410cf757cc63c3160edafe1eb2178bb
Opcode Fuzzy Hash: d661a7cea534101c26599e8bd87ce5b7721efce646ffd4547c52cecaa075b2fa
Instruction Fuzzy Hash: 12615671905322AFDB21AFB4BD81A7E7BA6EF25318F08426DF845D7281E7319D4087B0

Function 00D850D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00D85186
ShowWindow.USER32(?,00000000), ref: 00D851C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00D851CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00D851D1

Part of subcall function 00D86FBA: DeleteObject.GDI32(00000000), ref: 00D86FE6

GetWindowLongW.USER32(?,000000F0), ref: 00D8520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D8521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00D8524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00D85287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00D85296

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 99330ac6ffe6b38a38852a4721d8d5c9b1d074e56c7ee74e1fabdd6e70e433c6
Instruction ID: 66611d6f95daf64ac4ff6f69764a7fa184ec85638b9e3bc662a1fb5f6b4bb2ef
Opcode Fuzzy Hash: 99330ac6ffe6b38a38852a4721d8d5c9b1d074e56c7ee74e1fabdd6e70e433c6
Instruction Fuzzy Hash: 2C51BF30A50B09FFEF20AF24EC4ABD87B65FB05321F184011F629962E5CB75A990DB75

Function 00D08B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00D46890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00D468A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00D468B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00D468D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00D468F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00D08874,00000000,00000000,00000000,000000FF,00000000), ref: 00D46901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00D4691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00D08874,00000000,00000000,00000000,000000FF,00000000), ref: 00D4692D

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: c2810bdc9e5a7cc23e871da45d772dfc2fb54c018eb11a45610039a01e691e1a
Instruction ID: 9d054ee1c312d403b0e20eeebf1fcb721d60003210445be833c9fb196c7dfc5b
Opcode Fuzzy Hash: c2810bdc9e5a7cc23e871da45d772dfc2fb54c018eb11a45610039a01e691e1a
Instruction Fuzzy Hash: A451697061030AEFDB208F24CC55FAA7BA5EB49750F144518F99AD62E0DB70E990EB70

Function 00D6C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00D6C182
GetLastError.KERNEL32 ref: 00D6C195
SetEvent.KERNEL32(?), ref: 00D6C1A9

Part of subcall function 00D6C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00D6C272
Part of subcall function 00D6C253: GetLastError.KERNEL32 ref: 00D6C322
Part of subcall function 00D6C253: SetEvent.KERNEL32(?), ref: 00D6C336
Part of subcall function 00D6C253: InternetCloseHandle.WININET(00000000), ref: 00D6C341

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 0b3d320fa8500336d2525987b516c5a86344f83698b60e906cb752f0200ed479
Instruction ID: 81dcd8b2d0cd905dea62725a6737f45189293b2098ca97cb0e2df0c25caeca8b
Opcode Fuzzy Hash: 0b3d320fa8500336d2525987b516c5a86344f83698b60e906cb752f0200ed479
Instruction Fuzzy Hash: 27317871220705EFDB219FA5DC54A76BBF8FF19300B04A42EF99AC6620D735E8149BB4

Function 00D525A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D53A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D53A57
Part of subcall function 00D53A3D: GetCurrentThreadId.KERNEL32 ref: 00D53A5E
Part of subcall function 00D53A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00D525B3), ref: 00D53A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00D525BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00D525DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00D525DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00D525E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00D52601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00D52605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00D5260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00D52623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00D52627

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: f69860dc7b34035994459566e4631573e37747dab10b181af7c14c7f5d157002
Instruction ID: 0d0bea8fe8dc11f0345218862fb8e0566811f79734ffaaf579185f7658c5b2bb
Opcode Fuzzy Hash: f69860dc7b34035994459566e4631573e37747dab10b181af7c14c7f5d157002
Instruction Fuzzy Hash: C701B1713A0310BBFB1067689CCEF693F59DB5AB52F101011F758EE1E5C9F264488A79

Function 00D51803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00D51449,?,?,00000000), ref: 00D5180C
HeapAlloc.KERNEL32(00000000,?,00D51449,?,?,00000000), ref: 00D51813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00D51449,?,?,00000000), ref: 00D51828
GetCurrentProcess.KERNEL32(?,00000000,?,00D51449,?,?,00000000), ref: 00D51830
DuplicateHandle.KERNEL32(00000000,?,00D51449,?,?,00000000), ref: 00D51833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00D51449,?,?,00000000), ref: 00D51843
GetCurrentProcess.KERNEL32(00D51449,00000000,?,00D51449,?,?,00000000), ref: 00D5184B
DuplicateHandle.KERNEL32(00000000,?,00D51449,?,?,00000000), ref: 00D5184E
CreateThread.KERNEL32(00000000,00000000,00D51874,00000000,00000000,00000000), ref: 00D51868

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: a9bff81673d92f0d1a9eb7fc43c971614e895b63c6ef67cdf556155f2d3b00df
Instruction ID: ba90768acfeca5cfd1aa4cd7552740afa7e91b066e0abe54f8b718776b4e7189
Opcode Fuzzy Hash: a9bff81673d92f0d1a9eb7fc43c971614e895b63c6ef67cdf556155f2d3b00df
Instruction Fuzzy Hash: E701BFB5260304FFE710ABA5DC8DF573B6CEB89B11F005411FA05DB291DA719804CB30

Function 00D7A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00D5D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00D5D501
Part of subcall function 00D5D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00D5D50F
Part of subcall function 00D5D4DC: CloseHandle.KERNELBASE(00000000), ref: 00D5D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D7A16D
GetLastError.KERNEL32 ref: 00D7A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D7A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00D7A268
GetLastError.KERNEL32(00000000), ref: 00D7A273
CloseHandle.KERNEL32(00000000), ref: 00D7A2C4

Strings

SeDebugPrivilege, xrefs: 00D7A18F

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: b56d243daa908a6b16e7265309b71acc30b20333279113d643cb7eeeb8978107
Instruction ID: d3cea446316b5575a5d86a6bf8f570bd4a5ea4e06cf90921b0698a2107fd5b80
Opcode Fuzzy Hash: b56d243daa908a6b16e7265309b71acc30b20333279113d643cb7eeeb8978107
Instruction Fuzzy Hash: D2617F31204242AFD714DF18C494F29BBA1AF84318F58C49CE45A8B7A3D776ED49CBA2

Function 00D83886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00D83925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00D8393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00D83954
_wcslen.LIBCMT ref: 00D83999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00D839C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00D839F4

Strings

SysListView32, xrefs: 00D838F7

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 27d297186a3276bba566a426abd7e167115690832b5aea9bdc93bd73bd1c18af
Instruction ID: 4945ddd807be6e1cf663dd58db12f6c4b68d7508afbad4ec0bbdc6d879dd279d
Opcode Fuzzy Hash: 27d297186a3276bba566a426abd7e167115690832b5aea9bdc93bd73bd1c18af
Instruction Fuzzy Hash: 9E41B271A10319ABDF21AF64CC45FEA77A9EF08750F140526F948E7291D771DA84CBB0

Function 00D5BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D5BCFD
IsMenu.USER32(00000000), ref: 00D5BD1D
CreatePopupMenu.USER32 ref: 00D5BD53
GetMenuItemCount.USER32(010762B8), ref: 00D5BDA4
InsertMenuItemW.USER32(010762B8,?,00000001,00000030), ref: 00D5BDCC

Strings

0, xrefs: 00D5BCA8
2, xrefs: 00D5BD37

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 8ee4a357d545ae2ba2e070938d89380f142b566a2f91b780febbad9e841d3fac
Instruction ID: 789497f114c052f29d3f0f6efe3ace943f71cae8e9df4383b9d821baa34b46a5
Opcode Fuzzy Hash: 8ee4a357d545ae2ba2e070938d89380f142b566a2f91b780febbad9e841d3fac
Instruction Fuzzy Hash: 52516C70A002099BDF10DFA8D884BAEBBF4EF45326F18415BEC52D7291E7749949CB71

Function 00D5C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00D5C913

Strings

warning, xrefs: 00D5C8FC
info, xrefs: 00D5C8B4
stop, xrefs: 00D5C8E4
blank, xrefs: 00D5C895
question, xrefs: 00D5C8CC

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 80e5068df49bca65e886ce8a816a5d042f30ef3ae1b358ac59fc432914cf3669
Instruction ID: 20bb12293fec1806f2c96e5e6259acde2d84ff27418c824de74c9a5fb3a858de
Opcode Fuzzy Hash: 80e5068df49bca65e886ce8a816a5d042f30ef3ae1b358ac59fc432914cf3669
Instruction Fuzzy Hash: 8A113D326A9306FEEF005B14AC83CEA679CDF1575BB20102AFD00A62C2DB74DD485A74

Function 00D5DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00D5DE42
gethostname.WSOCK32(?,00000100), ref: 00D5DE5C
gethostbyname.WSOCK32(?), ref: 00D5DE69
inet_ntoa.WSOCK32(?), ref: 00D5DEAB
_strcat.LIBCMT ref: 00D5DEB9
WSACleanup.WSOCK32 ref: 00D5DEDE

Strings

0.0.0.0, xrefs: 00D5DE87

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 6294083296449cae73dce46c5d1778e017cfb521d17446a9ac4ada01a1468440
Instruction ID: fb1b8a59164a3540e231e9a57cc26e0453de05cc97d1ced4f9a93061ebb82bdb
Opcode Fuzzy Hash: 6294083296449cae73dce46c5d1778e017cfb521d17446a9ac4ada01a1468440
Instruction Fuzzy Hash: 0511D231914219AFDB34AB20AC0AEEA77ADDB11712F040169FD85E6191EF708A858B70

Function 00D89F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D09BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D09BB2

GetSystemMetrics.USER32(0000000F), ref: 00D89FC7
GetSystemMetrics.USER32(0000000F), ref: 00D89FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00D8A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00D8A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00D8A263
ShowWindow.USER32(00000003,00000000), ref: 00D8A282
InvalidateRect.USER32(?,00000000,00000001), ref: 00D8A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 00D8A2CA

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: b33f9bb3565a51a7612798c3a684f939a8dded8acab530192d4a3cc277d21669
Instruction ID: adae2d52baa5c01bf88ed5e486645711ec93273ff4517a2c190fa4b9fe506e95
Opcode Fuzzy Hash: b33f9bb3565a51a7612798c3a684f939a8dded8acab530192d4a3cc277d21669
Instruction Fuzzy Hash: FCB18A31600215DFEF24DF6CC989BAE7BB2FF44701F09906AEC899B295D731A940CB61

Function 00D5ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00D5ED2A
_wcslen.LIBCMT ref: 00D5ED3B
_wcslen.LIBCMT ref: 00D5ED79
_wcslen.LIBCMT ref: 00D5EDAF
_wcslen.LIBCMT ref: 00D5EDDF
_wcslen.LIBCMT ref: 00D5EDEF
_wcslen.LIBCMT ref: 00D5EE2B
_wcslen.LIBCMT ref: 00D5EE5A

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 652b5f334e2573fcbba818121946289140421a71aa3cdefd5d36794e65e8dddc
Instruction ID: 1743dd96a5c2baf2697882cbe9f7bda9846a4958b01aabaebd28bb3d4f1ef680
Opcode Fuzzy Hash: 652b5f334e2573fcbba818121946289140421a71aa3cdefd5d36794e65e8dddc
Instruction Fuzzy Hash: 3D418F65C1021875CB11EBB4988A9CFB7A9EF45710F508466F928E3122EF34E395C7B9

Function 00D0F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00D4682C,00000004,00000000,00000000), ref: 00D0F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00D4682C,00000004,00000000,00000000), ref: 00D4F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00D4682C,00000004,00000000,00000000), ref: 00D4F454

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: ef4e1817663888d9247a338e1f22aa740d8a91a7d2ea1f83b70214830b06648e
Instruction ID: 8f89338672f313bbfa955b95c1c088b7aeecda9f66472d1ff4259361f2fdb75e
Opcode Fuzzy Hash: ef4e1817663888d9247a338e1f22aa740d8a91a7d2ea1f83b70214830b06648e
Instruction Fuzzy Hash: B441DB31614740BBD7359B29A888B6E7B95AB56314F38443DE08F96EF1D631E481CF31

Function 00D82D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00D82D1B
GetDC.USER32(00000000), ref: 00D82D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D82D2E
ReleaseDC.USER32(00000000,00000000), ref: 00D82D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00D82D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00D82D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00D85A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00D82DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00D82DE1

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 6ff1265b88742eb9fac5c2eca8925a28b89012ebd1eaf85d57b9f025389909f2
Instruction ID: 9865b52c0a9abbb010b2418a67c725155ae493289238140b23ac301552967113
Opcode Fuzzy Hash: 6ff1265b88742eb9fac5c2eca8925a28b89012ebd1eaf85d57b9f025389909f2
Instruction Fuzzy Hash: 29318B72221214BBEB118F508C8AFFB3FA9EF09751F084065FE08DA2A1D6759C40CBB0

Function 00D55622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00D55637
_memcmp.LIBVCRUNTIME ref: 00D55659
_memcmp.LIBVCRUNTIME ref: 00D55671
_memcmp.LIBVCRUNTIME ref: 00D55684
_memcmp.LIBVCRUNTIME ref: 00D5569E
_memcmp.LIBVCRUNTIME ref: 00D556B1
_memcmp.LIBVCRUNTIME ref: 00D556C9
_memcmp.LIBVCRUNTIME ref: 00D556E4

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 234e22baaa47bcf2ab99dbb4c0d2154dd1e27c60ef4790f3ee0f202b6df043fe
Instruction ID: 2e7009e47979c24629edc113875382e90aa15396c63cf992157be90462c2731b
Opcode Fuzzy Hash: 234e22baaa47bcf2ab99dbb4c0d2154dd1e27c60ef4790f3ee0f202b6df043fe
Instruction Fuzzy Hash: A121FC6574190DBBDA156611BDE2FFA335CEF14386F580020FE145A549FB20EE1C86B5

Function 00D74FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00D75007
NULL Pointer assignment, xrefs: 00D7502E, 00D75383

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 71e6d00aa59b9d9686db0ca118d4c808201ae1f3dea51afdb12ffc8215eaea23
Instruction ID: 3b4bfab2a57c418a7f133dbe147e1d83c4ccd8e91f525b90b8b9c6a4461b0d34
Opcode Fuzzy Hash: 71e6d00aa59b9d9686db0ca118d4c808201ae1f3dea51afdb12ffc8215eaea23
Instruction Fuzzy Hash: 0AD1B071A0060A9FDF10CF98D881AAEB7B5FB48344F14C069E919AB295E7B0DD45CBB1

Function 00D31522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00D315CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00D31651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00D316E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00D316FB

Part of subcall function 00D23820: RtlAllocateHeap.NTDLL(00000000,?,00DC1444,?,00D0FDF5,?,?,00CFA976,00000010,00DC1440,00CF13FC,?,00CF13C6,?,00CF1129), ref: 00D23852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00D31777
__freea.LIBCMT ref: 00D317A2
__freea.LIBCMT ref: 00D317AE

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 2e7aa6b9f82c5e5dd95d9290e231717c408010cee40c4b14368926f86d527d54
Instruction ID: 629610052eda1476a162676b56a154b97addfa8ee61689ecee0a20db6cc322d3
Opcode Fuzzy Hash: 2e7aa6b9f82c5e5dd95d9290e231717c408010cee40c4b14368926f86d527d54
Instruction Fuzzy Hash: 2391807AE102179ADB218FA4CC81AEEBBB5EF49710F1C4669E801E7281DB35DD44CB70

Function 00D74523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D74648
VariantInit.OLEAUT32(?), ref: 00D74749
VariantClear.OLEAUT32(?), ref: 00D74753
VariantClear.OLEAUT32(?), ref: 00D747B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00D7472C
Null Object assignment in FOR..IN loop, xrefs: 00D745D8, 00D74706, 00D747BE

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: a9de3917d0ff3bf8a662f252b7bd7d6c706db8d68cbba533f56afa0ca3cf28d2
Instruction ID: a332552956420ccbf69f0b5f82c1d25e9d86f868cf2a4e774c6ad1eb6c20878a
Opcode Fuzzy Hash: a9de3917d0ff3bf8a662f252b7bd7d6c706db8d68cbba533f56afa0ca3cf28d2
Instruction Fuzzy Hash: E0917C71A00219EBDF25CFA5C884FAEBBB8EF46710F148559F519AB280E7709945CBB0

Function 00D61187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00D6125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00D61284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00D612A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00D612D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00D6135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00D613C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00D61430

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 233c556da56bca093d8a99246a2dcbcc43743f8e093ad024f3859b631395261b
Instruction ID: 346ddddfba1ca2e4c3ab2e30e2257458e3434bf34e124fa54b9fe5746f6d681b
Opcode Fuzzy Hash: 233c556da56bca093d8a99246a2dcbcc43743f8e093ad024f3859b631395261b
Instruction Fuzzy Hash: FA91F179A00208AFDB00DFA8C895BBEB7B5FF44310F194029E941EB291DB74E945CBB4

Function 00D0948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 545c46b91da7b70cbbcd61dfd082ed12212fccc412e87e7106ca41f6e62b1a2f
Instruction ID: b924796e7cc1325d029eb04290a808ee9e312cfd1c17f61eecb8c8d3c0a1ebb3
Opcode Fuzzy Hash: 545c46b91da7b70cbbcd61dfd082ed12212fccc412e87e7106ca41f6e62b1a2f
Instruction Fuzzy Hash: 9E910471900219EFCB10CFA9CC98AEEBBB8FF49320F148555E515B7292D775AA42CB70

Function 00D73947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D7396B
CharUpperBuffW.USER32(?,?), ref: 00D73A7A
_wcslen.LIBCMT ref: 00D73A8A
VariantClear.OLEAUT32(?), ref: 00D73C1F

Part of subcall function 00D60CDF: VariantInit.OLEAUT32(00000000), ref: 00D60D1F
Part of subcall function 00D60CDF: VariantCopy.OLEAUT32(?,?), ref: 00D60D28
Part of subcall function 00D60CDF: VariantClear.OLEAUT32(?), ref: 00D60D34

Strings

AUTOIT.ERROR, xrefs: 00D73A80, 00D73A85
Incorrect Parameter format, xrefs: 00D739A6, 00D73BA1

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: ffa174585324f2c52df0c14b23eae52b197298a1a4092342c835c45510cc725e
Instruction ID: 09de2827c3dcbf3c568c9b6423620966c5c2cf905edba11923ee3316941524ff
Opcode Fuzzy Hash: ffa174585324f2c52df0c14b23eae52b197298a1a4092342c835c45510cc725e
Instruction Fuzzy Hash: E7917B756083059FCB04DF28C48196AB7E4FF88314F14892EF98A97351EB30EE45DBA2

Function 00D74BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00D5000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D4FF41,80070057,?,?,?,00D5035E), ref: 00D5002B
Part of subcall function 00D5000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D4FF41,80070057,?,?), ref: 00D50046
Part of subcall function 00D5000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D4FF41,80070057,?,?), ref: 00D50054
Part of subcall function 00D5000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D4FF41,80070057,?), ref: 00D50064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00D74C51
_wcslen.LIBCMT ref: 00D74D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00D74DCF
CoTaskMemFree.OLE32(?), ref: 00D74DDA

Strings

NULL Pointer assignment, xrefs: 00D74E23, 00D74E52

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 2b025437ff0ee804b9b8f2bdb47c92badb8773cb3694210ee97252b47877f498
Instruction ID: f5eb4007e086630fbca4c4f576302c8b625306d4712b57d05e75810a9fb1e597
Opcode Fuzzy Hash: 2b025437ff0ee804b9b8f2bdb47c92badb8773cb3694210ee97252b47877f498
Instruction Fuzzy Hash: 5E91F571D0021DAFDF15DFA4D891AEEB7B9FF08310F108169E919A7291EB709A448FB1

Function 00D820FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00D82183
GetMenuItemCount.USER32(00000000), ref: 00D821B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00D821DD
_wcslen.LIBCMT ref: 00D82213
GetMenuItemID.USER32(?,?), ref: 00D8224D
GetSubMenu.USER32(?,?), ref: 00D8225B

Part of subcall function 00D53A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D53A57
Part of subcall function 00D53A3D: GetCurrentThreadId.KERNEL32 ref: 00D53A5E
Part of subcall function 00D53A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00D525B3), ref: 00D53A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00D822E3

Part of subcall function 00D5E97B: Sleep.KERNEL32 ref: 00D5E9F3

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 31c112b10a3a46f982f8e31ba372a87e702c00c6de4825e5a44f06bbc1a1766c
Instruction ID: 922c2217626c92e6b2f1ab349c0a60b80e7c3ca2f0cad8056fa4246eaa2250f4
Opcode Fuzzy Hash: 31c112b10a3a46f982f8e31ba372a87e702c00c6de4825e5a44f06bbc1a1766c
Instruction Fuzzy Hash: 45715E75A00205AFCB14EF68C885ABEB7F5EF48310F158459E956EB351DB34E9418BB0

Function 00D87E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01076218), ref: 00D87F37
IsWindowEnabled.USER32(01076218), ref: 00D87F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00D8801E
SendMessageW.USER32(01076218,000000B0,?,?), ref: 00D88051
IsDlgButtonChecked.USER32(?,?), ref: 00D88089
GetWindowLongW.USER32(01076218,000000EC), ref: 00D880AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00D880C3

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 5aff76aac3e44982e9456d9703bc1ae4c1c37772da6d1e5b2eda032ba401fdf9
Instruction ID: d670d67002d06feea511ab042eab6ed2520e63efbd5cb27b8d3d409a698369ef
Opcode Fuzzy Hash: 5aff76aac3e44982e9456d9703bc1ae4c1c37772da6d1e5b2eda032ba401fdf9
Instruction Fuzzy Hash: A3717F74608205AFEB21AF55C894FBABBB9EF09340F284459FA55973A1CB31E845DB30

Function 00D5AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00D5AEF9
GetKeyboardState.USER32(?), ref: 00D5AF0E
SetKeyboardState.USER32(?), ref: 00D5AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00D5AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00D5AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00D5AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00D5B020

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: bca07d2ac6974739ae5cd64983576a5b3ad9b4a55cf4066063913f79b1557cbd
Instruction ID: 45541a28c4e2f00137e0b09dffb0907c057f56972f9f17d1e05a6c1e2d7376e7
Opcode Fuzzy Hash: bca07d2ac6974739ae5cd64983576a5b3ad9b4a55cf4066063913f79b1557cbd
Instruction Fuzzy Hash: 9C51D3A06147E53DFF3642388845BBABEA95F06315F0C858AFDD5454C2D398AC8CD771

Function 00D5ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00D5AD19
GetKeyboardState.USER32(?), ref: 00D5AD2E
SetKeyboardState.USER32(?), ref: 00D5AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00D5ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00D5ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00D5AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00D5AE38

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 7452f5ba37e64815dfab5303a5099a5df026889f254b9d2e124b40995e8e78be
Instruction ID: a7ecca00bf67116faff09909d47909ebb12834fa87db749beee769daf5c49d20
Opcode Fuzzy Hash: 7452f5ba37e64815dfab5303a5099a5df026889f254b9d2e124b40995e8e78be
Instruction Fuzzy Hash: 0F51D7A16047E53DFF3252288C56B7ABEA86B45302F0C8649FDD5568C2D294EC8CD772

Function 00D2542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00D33CD6,?,?,?,?,?,?,?,?,00D25BA3,?,?,00D33CD6,?,?), ref: 00D25470
__fassign.LIBCMT ref: 00D254EB
__fassign.LIBCMT ref: 00D25506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00D33CD6,00000005,00000000,00000000), ref: 00D2552C
WriteFile.KERNEL32(?,00D33CD6,00000000,00D25BA3,00000000,?,?,?,?,?,?,?,?,?,00D25BA3,?), ref: 00D2554B
WriteFile.KERNEL32(?,?,00000001,00D25BA3,00000000,?,?,?,?,?,?,?,?,?,00D25BA3,?), ref: 00D25584

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: f3d81dbb790412139de869d966f97ce6cd7716d8305fd0cb880d24743ba3c3f9
Instruction ID: ae23f17ede7accaa8afe66eda18166e1c1d3342ffff5728e4f5d421f77efcf69
Opcode Fuzzy Hash: f3d81dbb790412139de869d966f97ce6cd7716d8305fd0cb880d24743ba3c3f9
Instruction Fuzzy Hash: 6351AE70A00719AFDB10CFA8E885EEEBBF9EF19305F14451AE955E7291D6309A41CB70

Function 00D12D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00D12D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00D12D53
_ValidateLocalCookies.LIBCMT ref: 00D12DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00D12E0C
_ValidateLocalCookies.LIBCMT ref: 00D12E61

Strings

csm, xrefs: 00D12DF6

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: b3e8f4e77e597094b627dbb09b3c44227a6b6a856acbec92ca6af9e06af12b3a
Instruction ID: b2951dd7b9eccbacb5842ac4018e9f3b757ec2d51a4741af355688c69ed5f107
Opcode Fuzzy Hash: b3e8f4e77e597094b627dbb09b3c44227a6b6a856acbec92ca6af9e06af12b3a
Instruction Fuzzy Hash: EC416534A00209BBCF10DF68E845AEEBBA5FF45324F188155F9156B352DB329A95CBF0

Function 00D710B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D7304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00D7307A
Part of subcall function 00D7304E: _wcslen.LIBCMT ref: 00D7309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00D71112
WSAGetLastError.WSOCK32 ref: 00D71121
WSAGetLastError.WSOCK32 ref: 00D711C9
closesocket.WSOCK32(00000000), ref: 00D711F9

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 60185a5269f496ad665618cded6de41da850af43bc70ca0da227f8ac12a17109
Instruction ID: 69bbb2b359888c11b2a2acb774f502298d7e5ee9dddfc92924146475e6315835
Opcode Fuzzy Hash: 60185a5269f496ad665618cded6de41da850af43bc70ca0da227f8ac12a17109
Instruction Fuzzy Hash: 7D41D235610308AFDB109F58C884BA9B7A9EF45324F58C159FD499F291D770ED41CBB1

Function 00D5CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D5DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00D5CF22,?), ref: 00D5DDFD

Part of subcall function 00D5DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00D5CF22,?), ref: 00D5DE16

lstrcmpiW.KERNEL32(?,?), ref: 00D5CF45
MoveFileW.KERNEL32(?,?), ref: 00D5CF7F
_wcslen.LIBCMT ref: 00D5D005
_wcslen.LIBCMT ref: 00D5D01B
SHFileOperationW.SHELL32(?), ref: 00D5D061

Strings

\*.*, xrefs: 00D5CFF3

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 243530b29cbde30c7ef30198f99e425211531857d1fb200bb061c32852c6d4cf
Instruction ID: 543b0cd40499ab7b0a7c5e7ff63acc58f9fa52cd1970b58132d20115a93a56c0
Opcode Fuzzy Hash: 243530b29cbde30c7ef30198f99e425211531857d1fb200bb061c32852c6d4cf
Instruction Fuzzy Hash: FD4157719462189FDF12EFA4DD81ADDB7B9EF48381F0400E6E905EB141EA34A788CB70

Function 00D82DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00D82E1C
GetWindowLongW.USER32(?,000000F0), ref: 00D82E4F
GetWindowLongW.USER32(?,000000F0), ref: 00D82E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00D82EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00D82EE0
GetWindowLongW.USER32(?,000000F0), ref: 00D82EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D82F0B

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 6d6431ba0d8335547450a10525bd433f991b7aba3e2050246c022afafea97cdf
Instruction ID: 4c5322295198adc5800c454843b1bf07f37d86fc2fbd77f35a08820f4b5c50e6
Opcode Fuzzy Hash: 6d6431ba0d8335547450a10525bd433f991b7aba3e2050246c022afafea97cdf
Instruction Fuzzy Hash: B0311234614252EFEB22EF18DC85F7537E0EB8A710F1801A5F910CB2B2CB71A840DB24

Function 00D57726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D57769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D5778F
SysAllocString.OLEAUT32(00000000), ref: 00D57792
SysAllocString.OLEAUT32(?), ref: 00D577B0
SysFreeString.OLEAUT32(?), ref: 00D577B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00D577DE
SysAllocString.OLEAUT32(?), ref: 00D577EC

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 05682934a6f7b61c4fd501a0ae87b5834a8d6531781ae7d75d409664cd79f502
Instruction ID: c5c1191cd5bf2ccf2c590a84f1206a986fb1b7325dccbc7307d2d8e8fdbc0eb7
Opcode Fuzzy Hash: 05682934a6f7b61c4fd501a0ae87b5834a8d6531781ae7d75d409664cd79f502
Instruction Fuzzy Hash: 8021B076614219AFDF10DFA8EC88DBB73ACEB09364B148025FE04DB290D670EC8587B0

Function 00D577FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D57842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D57868
SysAllocString.OLEAUT32(00000000), ref: 00D5786B
SysAllocString.OLEAUT32 ref: 00D5788C
SysFreeString.OLEAUT32 ref: 00D57895
StringFromGUID2.OLE32(?,?,00000028), ref: 00D578AF
SysAllocString.OLEAUT32(?), ref: 00D578BD

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 472424d05be04da843f7dd8732879d5fb90b5e0cf70f6cf8e38e6f24a006c22a
Instruction ID: 71b506ba7fa28a14c2b6038bde2ef30cf70c2a0811012b409109dd0c6edf0b15
Opcode Fuzzy Hash: 472424d05be04da843f7dd8732879d5fb90b5e0cf70f6cf8e38e6f24a006c22a
Instruction Fuzzy Hash: AF21A431614214AFDF109FA9EC8CDAA7BECEB083607248125FD15CB2A1D670EC45CB74

Function 00D604D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00D604F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00D6052E

Strings

nul, xrefs: 00D60567

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: d6d282eb318aec9e7ea2c71e4be5175a919730c4d630a62372c33c327b041d66
Instruction ID: 06cc84a94191f6e1a9081480f6f1e9a0e124b0607f66754fa7aae91f1efdcbe0
Opcode Fuzzy Hash: d6d282eb318aec9e7ea2c71e4be5175a919730c4d630a62372c33c327b041d66
Instruction Fuzzy Hash: E5213975600305EFDB209F69DC45A9B7BB8AF55724F244A19F8A2E62E0E770D950CF30

Function 00D605A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00D605C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00D60601

Strings

nul, xrefs: 00D60639

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 96dfbd46dcd67920859343a1d05bcb252e22d7c0a5c471801a8dc7020fdda58b
Instruction ID: 0269c1bae58c590a31e12a97e5829e05b49cbcf67d4bddf2deca818219cab626
Opcode Fuzzy Hash: 96dfbd46dcd67920859343a1d05bcb252e22d7c0a5c471801a8dc7020fdda58b
Instruction Fuzzy Hash: F2218E75550305DBDB209FA9CC44A9B7BE8AF95720F240A19F8A1E72E0E7B09860CB34

Function 00D840AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00CF604C
Part of subcall function 00CF600E: GetStockObject.GDI32(00000011), ref: 00CF6060
Part of subcall function 00CF600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00CF606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00D84112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00D8411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00D8412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00D84139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00D84145

Strings

Msctls_Progress32, xrefs: 00D840E3

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: b0a5f3f0e82970ddf6e1c6405660b9d08971abd220ea9a1aabb5b8e596393ec4
Instruction ID: 31c58e7c3fa69171392e37404bf5b9a8bad6ed1f8399277ea422b6a16b532b8d
Opcode Fuzzy Hash: b0a5f3f0e82970ddf6e1c6405660b9d08971abd220ea9a1aabb5b8e596393ec4
Instruction Fuzzy Hash: 481190B215021ABEEF119F64CC86EEB7F5DEF08798F014110BA18A2190CA72DC219BB4

Function 00D2D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D2D7A3: _free.LIBCMT ref: 00D2D7CC

_free.LIBCMT ref: 00D2D82D

Part of subcall function 00D229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00D2D7D1,00000000,00000000,00000000,00000000,?,00D2D7F8,00000000,00000007,00000000,?,00D2DBF5,00000000), ref: 00D229DE
Part of subcall function 00D229C8: GetLastError.KERNEL32(00000000,?,00D2D7D1,00000000,00000000,00000000,00000000,?,00D2D7F8,00000000,00000007,00000000,?,00D2DBF5,00000000,00000000), ref: 00D229F0

_free.LIBCMT ref: 00D2D838
_free.LIBCMT ref: 00D2D843
_free.LIBCMT ref: 00D2D897
_free.LIBCMT ref: 00D2D8A2
_free.LIBCMT ref: 00D2D8AD
_free.LIBCMT ref: 00D2D8B8

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: a6067e778116dec0f52935e987ed19f1233e2508530bdc84705f2ef8f07b2e89
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 56113D71580B24BAD521BFB0EC47FDB7BDDEF24704F800825B29AA7092DB79B5458A70

Function 00D5DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00D5DA74
LoadStringW.USER32(00000000), ref: 00D5DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00D5DA91
LoadStringW.USER32(00000000), ref: 00D5DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00D5DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00D5DAB9

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: aa82e1e521d8ea47378170c1da8e64b2314edaf354608b65e9db9bc30efcbc10
Instruction ID: 08ee54c2d0567b11997c8bf3f16effb539f18cd4243706640b1d1166b24058a7
Opcode Fuzzy Hash: aa82e1e521d8ea47378170c1da8e64b2314edaf354608b65e9db9bc30efcbc10
Instruction Fuzzy Hash: 840186F2510308FFEB10ABA09D89EE7736CE708301F4014A2FB46E2141E6749E844F74

Function 00D6096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0106E818,0106E818), ref: 00D6097B
EnterCriticalSection.KERNEL32(0106E7F8,00000000), ref: 00D6098D
TerminateThread.KERNEL32(?,000001F6), ref: 00D6099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00D609A9
CloseHandle.KERNEL32(?), ref: 00D609B8
InterlockedExchange.KERNEL32(0106E818,000001F6), ref: 00D609C8
LeaveCriticalSection.KERNEL32(0106E7F8), ref: 00D609CF

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 1dfc6b3c35cee6175bbe15d05ca0c6dcde6737bec50a7a67f0db0aaaed59ed98
Instruction ID: c5594c9346d3cf55dc9f70ea97205c6c554c0a5e2f3b8c82a8cb559ad797bde6
Opcode Fuzzy Hash: 1dfc6b3c35cee6175bbe15d05ca0c6dcde6737bec50a7a67f0db0aaaed59ed98
Instruction Fuzzy Hash: 7FF01932562A02EBD7415BA4EE8CBD6BB29BF01712F442026F202909A0C7749465CFB4

Function 00CF5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00CF5D30
GetWindowRect.USER32(?,?), ref: 00CF5D71
ScreenToClient.USER32(?,?), ref: 00CF5D99
GetClientRect.USER32(?,?), ref: 00CF5ED7
GetWindowRect.USER32(?,?), ref: 00CF5EF8

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 04eb9ee4db6fa9d592cb96d3c937e95088416abba716cdbe0cca1981a559023c
Instruction ID: d096bc32ec3859c1349d29834fbd6ee750d6f27b488d73cece5093cb59927a06
Opcode Fuzzy Hash: 04eb9ee4db6fa9d592cb96d3c937e95088416abba716cdbe0cca1981a559023c
Instruction Fuzzy Hash: 3BB17A74A10B4ADBDB10CFA9C4407FAB7F1FF48310F14941AEAA9D7250DB38AA51DB61

Function 00D201B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00D200BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D200D6
__allrem.LIBCMT ref: 00D200ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D2010B
__allrem.LIBCMT ref: 00D20122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D20140

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: a618eb1967b43d4beb62245ef428cbad52809609cee1ca616667c2140a2c3ed4
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 6E812D72A00716ABE7219F28EC41BAB77E9EF51338F14413AF551D7282EBB0D9418770

Function 00D71D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D73149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,00D7101C,00000000,?,?,00000000), ref: 00D73195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00D71DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00D71DE1
WSAGetLastError.WSOCK32 ref: 00D71DF2
inet_ntoa.WSOCK32(?), ref: 00D71E8C
htons.WSOCK32(?,?,?,?,?), ref: 00D71EDB
_strlen.LIBCMT ref: 00D71F35

Part of subcall function 00D539E8: _strlen.LIBCMT ref: 00D539F2

Part of subcall function 00CF6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,00D0CF58,?,?,?), ref: 00CF6DBA
Part of subcall function 00CF6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00D0CF58,?,?,?), ref: 00CF6DED

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 59137065841ba3823bf7619fdcae5c86f2faeaafc5be467b0f77e8815f976a31
Instruction ID: f4cebbbc12c8a8e855b4f56843976ed4cf7377b00d70c4655c10d29efa55bf36
Opcode Fuzzy Hash: 59137065841ba3823bf7619fdcae5c86f2faeaafc5be467b0f77e8815f976a31
Instruction Fuzzy Hash: 13A1B275104341AFC324DF24C895F2ABBA5EF84318F588A4CF55A5B2E2DB31ED45CBA2

Function 00D261FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00D182D9,00D182D9,?,?,?,00D2644F,00000001,00000001,8BE85006), ref: 00D26258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00D2644F,00000001,00000001,8BE85006,?,?,?), ref: 00D262DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00D263D8
__freea.LIBCMT ref: 00D263E5

Part of subcall function 00D23820: RtlAllocateHeap.NTDLL(00000000,?,00DC1444,?,00D0FDF5,?,?,00CFA976,00000010,00DC1440,00CF13FC,?,00CF13C6,?,00CF1129), ref: 00D23852

__freea.LIBCMT ref: 00D263EE
__freea.LIBCMT ref: 00D26413

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 9879bc6c389f530f1c4861a029b44627d5d2499caf15f05952ce409c87dcbb28
Instruction ID: 6b6fdc7977f4572308c321ef3f4652740467441bc5b82fa236ca0c438afa7db2
Opcode Fuzzy Hash: 9879bc6c389f530f1c4861a029b44627d5d2499caf15f05952ce409c87dcbb28
Instruction Fuzzy Hash: 0551E172A00326ABEB259F64EC81EAF77A9EF64718F1D4669FC15D6180DB34DC40C6B0

Function 00D7BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF9CB3: _wcslen.LIBCMT ref: 00CF9CBD

Part of subcall function 00D7C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D7B6AE,?,?), ref: 00D7C9B5
Part of subcall function 00D7C998: _wcslen.LIBCMT ref: 00D7C9F1
Part of subcall function 00D7C998: _wcslen.LIBCMT ref: 00D7CA68
Part of subcall function 00D7C998: _wcslen.LIBCMT ref: 00D7CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D7BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D7BD25
RegCloseKey.ADVAPI32(00000000), ref: 00D7BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00D7BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00D7BDF3
RegCloseKey.ADVAPI32(?), ref: 00D7BDFF

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: ef8f08f46c29c967771e7fcbbb80bc54fffcf618ce4f1a7555db30c7adcf9d90
Instruction ID: 311b6e276927373b8822960eef2c65c17f39ced24402b2e8bca5903968704cc6
Opcode Fuzzy Hash: ef8f08f46c29c967771e7fcbbb80bc54fffcf618ce4f1a7555db30c7adcf9d90
Instruction Fuzzy Hash: 8A817D70118241AFD714DF24C885E2ABBE5FF84318F14855DF59A8B2A2EB31ED45CBA2

Function 00D4F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00D4F7B9
SysAllocString.OLEAUT32(00000001), ref: 00D4F860
VariantCopy.OLEAUT32(00D4FA64,00000000), ref: 00D4F889
VariantClear.OLEAUT32(00D4FA64), ref: 00D4F8AD
VariantCopy.OLEAUT32(00D4FA64,00000000), ref: 00D4F8B1
VariantClear.OLEAUT32(?), ref: 00D4F8BB

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 94a0263d8bf8674204a67d90e2e5d43f195c980101c3f2892b454922ed8a2e5b
Instruction ID: 279874fe0cf9a62f71a458fe678919c2c09845e55a4d3de58c15f28af0fd97dc
Opcode Fuzzy Hash: 94a0263d8bf8674204a67d90e2e5d43f195c980101c3f2892b454922ed8a2e5b
Instruction Fuzzy Hash: 6951B336A10310EBCF24AB65D895B2DB3A8EF45310B249467E905DF2A2DB70DC40CBB7

Function 00D6910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00CF7620: _wcslen.LIBCMT ref: 00CF7625

Part of subcall function 00CF6B57: _wcslen.LIBCMT ref: 00CF6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00D694E5
_wcslen.LIBCMT ref: 00D69506
_wcslen.LIBCMT ref: 00D6952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00D69585

Strings

X, xrefs: 00D69412

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: aaa402301cf2e7256e38aa283ce0e76586eecdc3360631984caefa73f6d31798
Instruction ID: 496ef4e754e5305e9de28de0d2036366396e5ce3bb5d80651926622bb2ffb44e
Opcode Fuzzy Hash: aaa402301cf2e7256e38aa283ce0e76586eecdc3360631984caefa73f6d31798
Instruction Fuzzy Hash: 22E19E31508341DFC764DF24C891A6AB7E4FF85314F18896DF9899B2A2DB31ED05CBA2

Function 00D0920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00D09BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D09BB2

BeginPaint.USER32(?,?,?), ref: 00D09241
GetWindowRect.USER32(?,?), ref: 00D092A5
ScreenToClient.USER32(?,?), ref: 00D092C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00D092D3
EndPaint.USER32(?,?,?,?,?), ref: 00D09321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00D471EA

Part of subcall function 00D09339: BeginPath.GDI32(00000000), ref: 00D09357

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 97ed3e0c25d108338b3302afc660449d126fdd314b3d9f6bc641532a1f28d1b5
Instruction ID: 0a3ab9c4b9f5b1aa9e94fc43de89490813dda9ec82c7eac193627a02fa39cbae
Opcode Fuzzy Hash: 97ed3e0c25d108338b3302afc660449d126fdd314b3d9f6bc641532a1f28d1b5
Instruction Fuzzy Hash: 08418C74104312AFD721DF64DC99FAABBA8EB46720F140229F9A8C72E2C7319845DF71

Function 00D607EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00D6080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00D60847
EnterCriticalSection.KERNEL32(?), ref: 00D60863
LeaveCriticalSection.KERNEL32(?), ref: 00D608DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00D608F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00D60921

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 7c30244b5abd4c12cef0357324635843aebaf5b27b0b1ae53a7d4f7fb1c684e1
Instruction ID: 6a53d0bedfd67db8f95e12533e104cfedf702d1380c76c5a33ed8f7fb6035849
Opcode Fuzzy Hash: 7c30244b5abd4c12cef0357324635843aebaf5b27b0b1ae53a7d4f7fb1c684e1
Instruction Fuzzy Hash: FA415671910205EBDF14EF54DC85AAA7BB9FF44310F1440A9F9049A296DB30DE64DBB4

Function 00D881DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00D4F3AB,00000000,?,?,00000000,?,00D4682C,00000004,00000000,00000000), ref: 00D8824C
EnableWindow.USER32(?,00000000), ref: 00D88272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00D882D1
ShowWindow.USER32(?,00000004), ref: 00D882E5
EnableWindow.USER32(?,00000001), ref: 00D8830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00D8832F

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: ff424ae0cd07677263176ee2c910dcb56e3c6ba3faf51325338b558af4d70129
Instruction ID: fd3977c89bdb28862e6c5918b8284ee3872aff8b02edf939e427636225c2716f
Opcode Fuzzy Hash: ff424ae0cd07677263176ee2c910dcb56e3c6ba3faf51325338b558af4d70129
Instruction Fuzzy Hash: 3041B278601741EFDB22EF15C899FA47BE0BB0A715F581168E518CB262CB31A841DF74

Function 00D54C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00D54C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00D54CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00D54CEA
_wcslen.LIBCMT ref: 00D54D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00D54D10
_wcsstr.LIBVCRUNTIME ref: 00D54D1A

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: c0bd229dc91aa6baa42d630735945570e5f4fa2360da6c1e7ca9bc75d64b38ba
Instruction ID: ab2aaa8ed3c1ffe41f6a4fc3598a6aeb00bb40aa4873bdc955d85c14a6e41e89
Opcode Fuzzy Hash: c0bd229dc91aa6baa42d630735945570e5f4fa2360da6c1e7ca9bc75d64b38ba
Instruction Fuzzy Hash: 1221D731214200BBEF255B25EC4AE7F7BA8DF45755F14403AFC09CA1A1EA61DC8497B1

Function 00D6581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00CF3A97,?,?,00CF2E7F,?,?,?,00000000), ref: 00CF3AC2

_wcslen.LIBCMT ref: 00D6587B
CoInitialize.OLE32(00000000), ref: 00D65995
CoCreateInstance.OLE32(00D8FCF8,00000000,00000001,00D8FB68,?), ref: 00D659AE
CoUninitialize.OLE32 ref: 00D659CC

Strings

.lnk, xrefs: 00D65876, 00D658C1, 00D65985

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 9633c4e32eec4c6989b81b76ce9605c03118497101956bce42bdbe456e34882d
Instruction ID: a95695fd065a97680f58dabb94bd949a5c669a242180a342214f312ef38ae71f
Opcode Fuzzy Hash: 9633c4e32eec4c6989b81b76ce9605c03118497101956bce42bdbe456e34882d
Instruction Fuzzy Hash: 86D15371608705DFC714DF28D480A2ABBE1EF89714F14895DF88A9B361DB31ED85CBA2

Function 00D5175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D50FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00D50FCA
Part of subcall function 00D50FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00D50FD6
Part of subcall function 00D50FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00D50FE5
Part of subcall function 00D50FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00D50FEC
Part of subcall function 00D50FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00D51002

GetLengthSid.ADVAPI32(?,00000000,00D51335), ref: 00D517AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00D517BA
HeapAlloc.KERNEL32(00000000), ref: 00D517C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00D517DA
GetProcessHeap.KERNEL32(00000000,00000000,00D51335), ref: 00D517EE
HeapFree.KERNEL32(00000000), ref: 00D517F5

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 01a25c5c542b2f0b74e9cb54d6e54c7f9e712753d30efb3eacd0dcd492349a6d
Instruction ID: 6dfd3d055baf4b99c919feeaa6104cf6c07a482fa197cc4d479369cbffc74932
Opcode Fuzzy Hash: 01a25c5c542b2f0b74e9cb54d6e54c7f9e712753d30efb3eacd0dcd492349a6d
Instruction Fuzzy Hash: D3116A75620305EBDF109FA8DC89BAE7BA9FB49356F144118FC81E7210D735A948CB70

Function 00D514CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00D514FF
OpenProcessToken.ADVAPI32(00000000), ref: 00D51506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00D51515
CloseHandle.KERNEL32(00000004), ref: 00D51520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00D5154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00D51563

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 11586d9f0e70559ad29875ffa38ca132f9a5c64edcd4e7776e5b8bd8d317187b
Instruction ID: 06463a044ad0984c4bac80889d84addd97f1488829597e98bcf72007b2367326
Opcode Fuzzy Hash: 11586d9f0e70559ad29875ffa38ca132f9a5c64edcd4e7776e5b8bd8d317187b
Instruction Fuzzy Hash: FD116476110209EBDF118FA8ED09FDE3BA9EB48749F084024FE05A2160D375CE64EB70

Function 00D13382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00D13379,00D12FE5), ref: 00D13390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00D1339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D133B7
SetLastError.KERNEL32(00000000,?,00D13379,00D12FE5), ref: 00D13409

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: bce223aa6dd151a0b14cc396b381955596897485b98670abe854c2a1c742b02e
Instruction ID: 8130c2afa3c80218c991616ef802a357e082b639118f09bb98e172b0cb9de955
Opcode Fuzzy Hash: bce223aa6dd151a0b14cc396b381955596897485b98670abe854c2a1c742b02e
Instruction Fuzzy Hash: 9F01D43272D311FEAA253BB4BC856E62A94EB1577A724032AF420C52F0EF214D825678

Function 00D22D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00D25686,00D33CD6,?,00000000,?,00D25B6A,?,?,?,?,?,00D1E6D1,?,00DB8A48), ref: 00D22D78
_free.LIBCMT ref: 00D22DAB
_free.LIBCMT ref: 00D22DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00D1E6D1,?,00DB8A48,00000010,00CF4F4A,?,?,00000000,00D33CD6), ref: 00D22DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00D1E6D1,?,00DB8A48,00000010,00CF4F4A,?,?,00000000,00D33CD6), ref: 00D22DEC
_abort.LIBCMT ref: 00D22DF2

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 5da4d92cf29ab7c9f3cdd325f3f14e2375043ab3461e40bea7ae8aee8a1d39b8
Instruction ID: 60f1bb360fd52efefc25e52793b9449129703cb74600ae3d5068f55ca198c412
Opcode Fuzzy Hash: 5da4d92cf29ab7c9f3cdd325f3f14e2375043ab3461e40bea7ae8aee8a1d39b8
Instruction Fuzzy Hash: 65F0A436654730B7C6122738BC06E7A2659EFF17BDB284518F824D22D6EF34880252B0

Function 00D88A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00D09639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00D09693
Part of subcall function 00D09639: SelectObject.GDI32(?,00000000), ref: 00D096A2
Part of subcall function 00D09639: BeginPath.GDI32(?), ref: 00D096B9
Part of subcall function 00D09639: SelectObject.GDI32(?,00000000), ref: 00D096E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00D88A4E
LineTo.GDI32(?,00000003,00000000), ref: 00D88A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00D88A70
LineTo.GDI32(?,00000000,00000003), ref: 00D88A80
EndPath.GDI32(?), ref: 00D88A90
StrokePath.GDI32(?), ref: 00D88AA0

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 894774902bf72314329aab229f24e1e7fe1cb5d4060ad659de8b2d188b81f86e
Instruction ID: 9b8e451bc66525fd6b32c79aba012b20e98eb7a8de9daf6470c78695beab52a4
Opcode Fuzzy Hash: 894774902bf72314329aab229f24e1e7fe1cb5d4060ad659de8b2d188b81f86e
Instruction Fuzzy Hash: 3111C976010219FFDB129F94DC88EAA7F6DEB08394F048012FA199A2A1C7719D55DFB0

Function 00D551FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00D55218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00D55229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D55230
ReleaseDC.USER32(00000000,00000000), ref: 00D55238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00D5524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00D55261

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 4aac94f7c04afd02fbd6d703d6251b1a44df0904ee52fa1e015fabd15cbdcf16
Instruction ID: 86f2a225cbaf6f69501b8da6f6e17cf179e8cfaa0a23c8df21e00653135a93f5
Opcode Fuzzy Hash: 4aac94f7c04afd02fbd6d703d6251b1a44df0904ee52fa1e015fabd15cbdcf16
Instruction Fuzzy Hash: ED014F75A10718FBEF109BB69C49A5EBFB8EF48751F044065FA04E7391DA709804CBB0

Function 00CF1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00CF1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00CF1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00CF1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00CF1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00CF1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CF1C22

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 0d160e011aa78e6812d2d19f2349795b27e3cae3073f497f92ecbdb7e034ab15
Instruction ID: fb441d9ffe5d93fa7050cf965db0ec9fb6a83e51ec5a64c0a4bc870c0a8f7eda
Opcode Fuzzy Hash: 0d160e011aa78e6812d2d19f2349795b27e3cae3073f497f92ecbdb7e034ab15
Instruction Fuzzy Hash: 29016CB0902759BDE3008F5A8C85B52FFA8FF19354F00411B915C47A41C7F5A864CBE5

Function 00D5EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00D5EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00D5EB46
GetWindowThreadProcessId.USER32(?,?), ref: 00D5EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D5EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D5EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D5EB75

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 76fadc5a4ac2fda0829e07a71dd5148214c846aba495776d03b076139bc43f69
Instruction ID: be61d94e00b7d36a9120757a8c2cddfa5050077126dbc7e89ff9ba9e840bdb27
Opcode Fuzzy Hash: 76fadc5a4ac2fda0829e07a71dd5148214c846aba495776d03b076139bc43f69
Instruction Fuzzy Hash: 19F03072260258FBE72157529C4EEEF3A7CEFCAB11F001168FA01D1291E7B05A01C7B5

Function 00D47439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00D47452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00D47469
GetWindowDC.USER32(?), ref: 00D47475
GetPixel.GDI32(00000000,?,?), ref: 00D47484
ReleaseDC.USER32(?,00000000), ref: 00D47496
GetSysColor.USER32(00000005), ref: 00D474B0

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 590200be17550091e35382c7873e17ec0efe1b057ac4cb6002618dd9a1ca3ee1
Instruction ID: 2fdb0b722cb3fe4822261f41c283936c8da8c072314478e6e09b64215c81549e
Opcode Fuzzy Hash: 590200be17550091e35382c7873e17ec0efe1b057ac4cb6002618dd9a1ca3ee1
Instruction Fuzzy Hash: 64012831420215EFDB515FA4EC09BAA7BB5FB04321F555164F919E22B1CB311E51AB70

Function 00D51874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00D5187F
UnloadUserProfile.USERENV(?,?), ref: 00D5188B
CloseHandle.KERNEL32(?), ref: 00D51894
CloseHandle.KERNEL32(?), ref: 00D5189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00D518A5
HeapFree.KERNEL32(00000000), ref: 00D518AC

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 1ec31f49f229ac53dc20d1d72c4a508d854b895ac17c573d0c25eac934c7cb0a
Instruction ID: 9b39b724ee7700da2941d19841500c937124286ba5c3eb2c17204bd9ef324272
Opcode Fuzzy Hash: 1ec31f49f229ac53dc20d1d72c4a508d854b895ac17c573d0c25eac934c7cb0a
Instruction Fuzzy Hash: EBE0C276124301FBDA015BA1ED0CD0ABB29FB59B22B109220F225C1674CB329421EB70

Function 00D5C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF7620: _wcslen.LIBCMT ref: 00CF7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D5C6EE
_wcslen.LIBCMT ref: 00D5C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D5C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00D5C7CA

Strings

0, xrefs: 00D5C6AF

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: aee002f83956ad3f17aea4967aaa636e5eaf23316bd93deb1cdb2ec57adb6751
Instruction ID: bb7a79351b6cd8d9c6faf3db3f0e759e5fad851e15c9f384330b0567bd6f6b4d
Opcode Fuzzy Hash: aee002f83956ad3f17aea4967aaa636e5eaf23316bd93deb1cdb2ec57adb6751
Instruction Fuzzy Hash: 2351B0716243019FDB209F28C885B6A77E4EF49311F082A2DFD95D35E1EB70D9488BB2

Function 00D7AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00D7AEA3

Part of subcall function 00CF7620: _wcslen.LIBCMT ref: 00CF7625

GetProcessId.KERNEL32(00000000), ref: 00D7AF38
CloseHandle.KERNEL32(00000000), ref: 00D7AF67

Strings

@, xrefs: 00D7AE72
<, xrefs: 00D7AE6B

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: ab41f5747232b1ea087e2def8108c2103ab451de2694b62592ff91c076069067
Instruction ID: b6fb64a32e9aba11e3565b326dbb0accb486d61504058bd6e9970f5bbd4debaf
Opcode Fuzzy Hash: ab41f5747232b1ea087e2def8108c2103ab451de2694b62592ff91c076069067
Instruction Fuzzy Hash: E6715B71A00619DFCB14DF58C484AAEBBF0FF48314F048499E85AAB392D775ED45CBA1

Function 00D5719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00D57206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00D5723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00D5724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00D572CF

Strings

DllGetClassObject, xrefs: 00D57242

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 74776f73a8f99f53a3b19f51d4251b18ae1114765e240dd66e2aac3e51de02b8
Instruction ID: 73a057756abf4ea7b91bc0848e46b170d095261b7dbd8ba9e23491ed490a868c
Opcode Fuzzy Hash: 74776f73a8f99f53a3b19f51d4251b18ae1114765e240dd66e2aac3e51de02b8
Instruction Fuzzy Hash: 1A414CB1A04204EFDF15CF54D884A9A7BB9EF44312F2480A9BD09DF20AD7B1D949CBB4

Function 00D83D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D83E35
IsMenu.USER32(?), ref: 00D83E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00D83E92
DrawMenuBar.USER32 ref: 00D83EA5

Strings

0, xrefs: 00D83D89

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 4de9f6ad7d7831ba3b769790a55a85aa3da5244ee895f37bfbc1c5c9272ed93e
Instruction ID: 9ca699f474ac2a6319464c3e606cdad29a93eb4712f29197d0bbadb04fceb069
Opcode Fuzzy Hash: 4de9f6ad7d7831ba3b769790a55a85aa3da5244ee895f37bfbc1c5c9272ed93e
Instruction Fuzzy Hash: 444145B5A10249EFDB11EF50D884EAABBB9FF49750F084269F919A7350D730AE40CF60

Function 00D51DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF9CB3: _wcslen.LIBCMT ref: 00CF9CBD

Part of subcall function 00D53CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D53CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00D51E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00D51E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00D51EA9

Part of subcall function 00CF6B57: _wcslen.LIBCMT ref: 00CF6B6A

Strings

ComboBox, xrefs: 00D51DF0
ListBox, xrefs: 00D51E25

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 47341231941b3f64ee2eb0f46629f35b0a85bf90a8531340c0b3ccd87e90cb82
Instruction ID: 9c8b988b7fa028167669da34409cd2f5edaa216c995ca1e23e8321f6c67e5db4
Opcode Fuzzy Hash: 47341231941b3f64ee2eb0f46629f35b0a85bf90a8531340c0b3ccd87e90cb82
Instruction Fuzzy Hash: 3421D175A00108AEDF14ABA4DC46EFFB7B9EF46390B144129FD25A72E1DB34490E9630

Function 00D7C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D7C9F1
_wcslen.LIBCMT ref: 00D7CA68
_wcslen.LIBCMT ref: 00D7CA9E
_wcslen.LIBCMT ref: 00D7CAF9
_wcslen.LIBCMT ref: 00D7CB2F
_wcslen.LIBCMT ref: 00D7CB7F

Strings

HKLM, xrefs: 00D7CA98, 00D7CA9D
HKEY_LOCAL_MACHINE, xrefs: 00D7CA62, 00D7CA67

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: b5461d2bdf1dfae3e0b74e57f77cec769c9c1f1b64e9daa84418a21716433a4a
Instruction ID: aad1e1a265b031e7ccfaaa76bbb224a2377da8d3ffd5c54879494b583a0ed30d
Opcode Fuzzy Hash: b5461d2bdf1dfae3e0b74e57f77cec769c9c1f1b64e9daa84418a21716433a4a
Instruction Fuzzy Hash: C631E673A2056A8FCB20EF2C99415BE33919BA1755B1D902DEC49AB345FA71CD8097B0

Function 00D82F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00D82F8D
LoadLibraryW.KERNEL32(?), ref: 00D82F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00D82FA9
DestroyWindow.USER32(?), ref: 00D82FB1

Strings

SysAnimate32, xrefs: 00D82F68

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: a5de1607a0ed383700353460af5cec35c71a65b8785640629e08dfcbbdf6b80e
Instruction ID: 54a0eb23005669afdab62689cd5621ed0521a76ff2921170a92778f1a18a31a5
Opcode Fuzzy Hash: a5de1607a0ed383700353460af5cec35c71a65b8785640629e08dfcbbdf6b80e
Instruction Fuzzy Hash: 2D218672214209BBEB106FA69C80EBB37B9EF59368F150228FB50D21A0D671DC91D770

Function 00D14D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00D14D1E,00D228E9,?,00D14CBE,00D228E9,00DB88B8,0000000C,00D14E15,00D228E9,00000002), ref: 00D14D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00D14DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00D14D1E,00D228E9,?,00D14CBE,00D228E9,00DB88B8,0000000C,00D14E15,00D228E9,00000002,00000000), ref: 00D14DC3

Strings

CorExitProcess, xrefs: 00D14D98
mscoree.dll, xrefs: 00D14D86

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 8019bef5e82cf92a82bac20c6e25ccb654470ec744e5b87979aefc76442bb122
Instruction ID: 655b14e6ed30dd78b3273bc87d5afe5256c1497e41d3aebd48b809d60617850e
Opcode Fuzzy Hash: 8019bef5e82cf92a82bac20c6e25ccb654470ec744e5b87979aefc76442bb122
Instruction Fuzzy Hash: 94F01935A60308FBDB119B90EC49BEDBFA5EB44762F0401A8A905A2260CF705984CBB1

Function 00D4D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00D4D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00D4D3BF
FreeLibrary.KERNEL32(00000000), ref: 00D4D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 00D4D3B9
X64, xrefs: 00D4D2A8

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: af03be5eb8855b84e0ed19d74ec1857e02f11eafbe0cf6f88d08691f3508a614
Instruction ID: 908a0f79547b38c7906b7c3e7d973abf4a1c935734f53cf96671bee6de117b04
Opcode Fuzzy Hash: af03be5eb8855b84e0ed19d74ec1857e02f11eafbe0cf6f88d08691f3508a614
Instruction Fuzzy Hash: 64F05532522721DBC7702F108CCCA693326AF01F01B989099F446E2351CBB0CC448BB6

Function 00CF4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00CF4EDD,?,00DC1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CF4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00CF4EAE
FreeLibrary.KERNEL32(00000000,?,?,00CF4EDD,?,00DC1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CF4EC0

Strings

kernel32.dll, xrefs: 00CF4E94
Wow64DisableWow64FsRedirection, xrefs: 00CF4EA8

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: d6d8f1870c06cd26efef128bfe5fb4f4340c28b49ed040093d5961282abbd53e
Instruction ID: 376866dd06a0d2f69c04548e15806a715303f5e06bee314154f8661ac9e17ff1
Opcode Fuzzy Hash: d6d8f1870c06cd26efef128bfe5fb4f4340c28b49ed040093d5961282abbd53e
Instruction Fuzzy Hash: A2E08635A21722DB93721B257C5CB7BB554AF81F627051115FE01D2340DB70CE0582B2

Function 00CF4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00D33CDE,?,00DC1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CF4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00CF4E74
FreeLibrary.KERNEL32(00000000,?,?,00D33CDE,?,00DC1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CF4E87

Strings

kernel32.dll, xrefs: 00CF4E5B
Wow64RevertWow64FsRedirection, xrefs: 00CF4E6E

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 97dc8f721c9e336bfe76e63c0a62cb11d3dedcdc2197589fecca02c2cb9323f9
Instruction ID: eff2f944553193f2397af016896347d16065eff50e28f68fa18c4d0c67f4e812
Opcode Fuzzy Hash: 97dc8f721c9e336bfe76e63c0a62cb11d3dedcdc2197589fecca02c2cb9323f9
Instruction Fuzzy Hash: 87D0C231522B21DB47321B247C0CEABAA18AF81F113050210BA01E2210CF30CE0983F1

Function 00D62947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00D62C05
DeleteFileW.KERNEL32(?), ref: 00D62C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00D62C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00D62CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00D62CC0

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 42fec1e761657292368ea2b782063ec0da8090ee42a5b53dbb6c5500c5253b56
Instruction ID: ea0cf7324e4611afab2818d67a80fb02772a1cb08892013d84c60f133f546a0f
Opcode Fuzzy Hash: 42fec1e761657292368ea2b782063ec0da8090ee42a5b53dbb6c5500c5253b56
Instruction Fuzzy Hash: 92B15B72A0051DABDF21DBA4CC85EEEBBBDEF49350F1040A6F609E6141EB319A448F71

Function 00D7A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00D7A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00D7A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00D7A468
CloseHandle.KERNEL32(?), ref: 00D7A63D

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: fd2546123f6b4f08690298c37bbc90e1fb0daaa24ea6cf69293fa81a4439ed69
Instruction ID: 10c88532e9745f50b04d8936d3600bab0187cf8f2bd69ae2e9f2f15bfe05f08f
Opcode Fuzzy Hash: fd2546123f6b4f08690298c37bbc90e1fb0daaa24ea6cf69293fa81a4439ed69
Instruction Fuzzy Hash: E3A19371604701AFD724DF28C886F2AB7E5AF84714F14885DF5599B3D2D770EC418BA2

Function 00D5E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D5DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00D5CF22,?), ref: 00D5DDFD

Part of subcall function 00D5DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00D5CF22,?), ref: 00D5DE16

Part of subcall function 00D5E199: GetFileAttributesW.KERNEL32(?,00D5CF95), ref: 00D5E19A

lstrcmpiW.KERNEL32(?,?), ref: 00D5E473
MoveFileW.KERNEL32(?,?), ref: 00D5E4AC
_wcslen.LIBCMT ref: 00D5E5EB
_wcslen.LIBCMT ref: 00D5E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00D5E650

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: d46d772f9cc7a6a137e41cca4d742b3615fedeff7e7b722c3e7cc146d5a196b1
Instruction ID: e4b281a54e33448868f44877917cdbcfa72fa6f8d175cd37b8c98dd889c69546
Opcode Fuzzy Hash: d46d772f9cc7a6a137e41cca4d742b3615fedeff7e7b722c3e7cc146d5a196b1
Instruction Fuzzy Hash: BD5162B24083459BCB24EB90D8819DBB3DCDF95341F04491EFA89D3191EE74E68C8776

Function 00D7B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF9CB3: _wcslen.LIBCMT ref: 00CF9CBD

Part of subcall function 00D7C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D7B6AE,?,?), ref: 00D7C9B5
Part of subcall function 00D7C998: _wcslen.LIBCMT ref: 00D7C9F1
Part of subcall function 00D7C998: _wcslen.LIBCMT ref: 00D7CA68
Part of subcall function 00D7C998: _wcslen.LIBCMT ref: 00D7CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D7BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D7BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00D7BB63
RegCloseKey.ADVAPI32(?,?), ref: 00D7BBA6
RegCloseKey.ADVAPI32(00000000), ref: 00D7BBB3

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 4c75b7d9fea7f6c92ab0791838cb0a9129ad29ec683629ea1e32d39008f27472
Instruction ID: 1be7b9d2ff28555acd171f433fbfee2f23b1f71cb7028dd03e005e9b641418e1
Opcode Fuzzy Hash: 4c75b7d9fea7f6c92ab0791838cb0a9129ad29ec683629ea1e32d39008f27472
Instruction Fuzzy Hash: 4F619D31218205AFC714DF14C491F2ABBE5FF84358F18856DF4998B2A2EB31ED45CBA2

Function 00D58BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D58BCD
VariantClear.OLEAUT32 ref: 00D58C3E
VariantClear.OLEAUT32 ref: 00D58C9D
VariantClear.OLEAUT32(?), ref: 00D58D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00D58D3B

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: be1f76f0ed83f80d10f6218edeaaacc2375f77515bb2ae5f758ce6b456ed6d2c
Instruction ID: ef2cc48e918e381528481fb4bf91c0de58dd546a60c2e7fe34c2f89cfe91318a
Opcode Fuzzy Hash: be1f76f0ed83f80d10f6218edeaaacc2375f77515bb2ae5f758ce6b456ed6d2c
Instruction Fuzzy Hash: 655169B5A10219EFCB10CF68C884AAAB7F8FF89311B158559ED05EB350E730E911CBA0

Function 00D68AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00D68BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00D68BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00D68C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00D68C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00D68C5F

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 39f0b0de45b262d62c340abe9229aae27ffbf406b08a3b6f50f9570cedf8eacd
Instruction ID: eda5f4c4acbf7373fd5047b1bf8c1afea17afcbc02a9b1cd7cd0db8b64d9b38c
Opcode Fuzzy Hash: 39f0b0de45b262d62c340abe9229aae27ffbf406b08a3b6f50f9570cedf8eacd
Instruction Fuzzy Hash: 48514935A00219EFCB14DF64C880E69BBF5FF48314F098058E949AB3A2CB31ED45DBA1

Function 00D78EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00D78F40
GetProcAddress.KERNEL32(00000000,?), ref: 00D78FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00D78FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00D79032
FreeLibrary.KERNEL32(00000000), ref: 00D79052

Part of subcall function 00D0F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00D61043,?,753CE610), ref: 00D0F6E6
Part of subcall function 00D0F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00D4FA64,00000000,00000000,?,?,00D61043,?,753CE610,?,00D4FA64), ref: 00D0F70D

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 13a6df6e988c4cfba2abbcb62c29b82f737ac952aa5b2e67d72641a2347890df
Instruction ID: b69977645036ea1f1d0232608c3fd08b53444e62a517b16b166c2c4a7e598ab9
Opcode Fuzzy Hash: 13a6df6e988c4cfba2abbcb62c29b82f737ac952aa5b2e67d72641a2347890df
Instruction Fuzzy Hash: 0F512935604205DFCB15DF58C4949ADFBB1FF49314B088099E90A9B362DB31ED85DBA1

Function 00D86B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00D86C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00D86C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00D86C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00D6AB79,00000000,00000000), ref: 00D86C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00D86CC7

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 427a5b2a4ca443648e230ac24d3a9fd306b21e8b210cb9581ec3e6f48cc18210
Instruction ID: 979c0898dabc80639e8e8a3e17476de49fb389eb047a0e89f6a0f015ed6d12cc
Opcode Fuzzy Hash: 427a5b2a4ca443648e230ac24d3a9fd306b21e8b210cb9581ec3e6f48cc18210
Instruction Fuzzy Hash: 6A41B075610204AFDB24AF28CC59FA97FA9EB09360F190268F895E73A0C771ED40CB70

Function 00D22051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00D220C3
_free.LIBCMT ref: 00D220E3

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 7096cb679191a029c1ecbb6392abe2d1b2015a21b357fac0bca78172f92a83cc
Instruction ID: 2b65e3d58f6f8dbdf540b7438589f940d0031ec6c0805dcdc428abbf0239fd36
Opcode Fuzzy Hash: 7096cb679191a029c1ecbb6392abe2d1b2015a21b357fac0bca78172f92a83cc
Instruction Fuzzy Hash: 2041C332A00310AFCB24DF78D981A6DB7B5EF99318B154568F515EB395DB31ED01CBA0

Function 00D0912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00D09141
ScreenToClient.USER32(00000000,?), ref: 00D0915E
GetAsyncKeyState.USER32(00000001), ref: 00D09183
GetAsyncKeyState.USER32(00000002), ref: 00D0919D

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: a9e48e2549a94a484f943c078b3cdc036a1636f6350fed0fd4a77dea6fe08d18
Instruction ID: 97467c546fa7c064c4a8188331acbb571e29f14a829a87a9af657ced158aa581
Opcode Fuzzy Hash: a9e48e2549a94a484f943c078b3cdc036a1636f6350fed0fd4a77dea6fe08d18
Instruction Fuzzy Hash: F2413B71A0861AFBDF159F64C858BFEF774FB05320F248219E469A62D1C7346950CBB2

Function 00D63874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00D638CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00D63922
TranslateMessage.USER32(?), ref: 00D6394B
DispatchMessageW.USER32(?), ref: 00D63955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D63966

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 5111ed2cfc0d7c979a5ad49f6b289fbd8422d2272b1bf8792108fdbb2a465e4a
Instruction ID: b8f89f6e53a86f1e075683bf3ccf1b8b604f6959c8eefa7750a14a97a66a8d66
Opcode Fuzzy Hash: 5111ed2cfc0d7c979a5ad49f6b289fbd8422d2272b1bf8792108fdbb2a465e4a
Instruction Fuzzy Hash: A131A6745143939FEB35CB759C48FB637A8EB06304F08056AE4A2C22A1E7B49A85CF31

Function 00D6CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00D6C21E,00000000), ref: 00D6CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00D6CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00D6C21E,00000000), ref: 00D6CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00D6C21E,00000000), ref: 00D6CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00D6C21E,00000000), ref: 00D6CFF2

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: a39cb1b8bfdca4a95a1aa954bb01b9aa3d7f2d83f5e0d423ffd285e65886bd06
Instruction ID: 6a74af0e17eaefaac130a76a5f0520b44cf8340c45e3cc34ba9460f0ff8fec38
Opcode Fuzzy Hash: a39cb1b8bfdca4a95a1aa954bb01b9aa3d7f2d83f5e0d423ffd285e65886bd06
Instruction Fuzzy Hash: 07315A71625205EFDB20DFA5D884ABABBFAEF14310B14542EF596D2240EB30EE409B70

Function 00D51901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00D51915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00D519C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00D519C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00D519DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00D519E2

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 8fc5d71b8d57a093645b2a1f6f31d5c06c6ac0cbf538d751a83366d51bd4181e
Instruction ID: ef500b91afe32f514989c77db7dee35be838c430257ff75181db74b2d98c507d
Opcode Fuzzy Hash: 8fc5d71b8d57a093645b2a1f6f31d5c06c6ac0cbf538d751a83366d51bd4181e
Instruction Fuzzy Hash: 17318B75A10219EFCB00CFA8C999BAE7BB5EB44316F144229FD61A72D1C7709948CFA0

Function 00D85706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00D85745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00D8579D
_wcslen.LIBCMT ref: 00D857AF
_wcslen.LIBCMT ref: 00D857BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00D85816

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 3faa029f155a15a6f10ad9db661f10e15a9f14d0d98c458eaf7fd969b2c8b79b
Instruction ID: 8fd03629e29dd7b60c67f2bb23ff1e7e2a4efcb9f862c95cf62639f6ddf5b39d
Opcode Fuzzy Hash: 3faa029f155a15a6f10ad9db661f10e15a9f14d0d98c458eaf7fd969b2c8b79b
Instruction Fuzzy Hash: B7219335914618EADF20AF64EC85AFDB7B8FF05320F148216E929EA194D770C985CF70

Function 00D70930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00D70951
GetForegroundWindow.USER32 ref: 00D70968
GetDC.USER32(00000000), ref: 00D709A4
GetPixel.GDI32(00000000,?,00000003), ref: 00D709B0
ReleaseDC.USER32(00000000,00000003), ref: 00D709E8

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: c004a8b5e03bc1ec6ae27317be3500a3b908a3f9b33c973a84884c8410311d2d
Instruction ID: 957c1839dd56d47dd73ddf97700c20637c096f1a409442790bea23663600fdbd
Opcode Fuzzy Hash: c004a8b5e03bc1ec6ae27317be3500a3b908a3f9b33c973a84884c8410311d2d
Instruction Fuzzy Hash: 90215E35610204EFD704EF69D985AAEBBE5EF44700F048068E94AD7362DB30AC04DB70

Function 00D2CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00D2CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D2CDE9

Part of subcall function 00D23820: RtlAllocateHeap.NTDLL(00000000,?,00DC1444,?,00D0FDF5,?,?,00CFA976,00000010,00DC1440,00CF13FC,?,00CF13C6,?,00CF1129), ref: 00D23852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00D2CE0F
_free.LIBCMT ref: 00D2CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00D2CE31

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 5cfd7be1fc40f495afad24a240d925d8c8788aca4254493b07832c6d84e7f435
Instruction ID: 28c7ded8a17573f0d7fb3bb45dd05b8ac091f455c7e037d2b577dd26d14c5515
Opcode Fuzzy Hash: 5cfd7be1fc40f495afad24a240d925d8c8788aca4254493b07832c6d84e7f435
Instruction Fuzzy Hash: C90184726217357F232116B67C8CD7F796DDED6BA931A1129F905C7201EA718D0282B1

Function 00D09639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00D09693
SelectObject.GDI32(?,00000000), ref: 00D096A2
BeginPath.GDI32(?), ref: 00D096B9
SelectObject.GDI32(?,00000000), ref: 00D096E2

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 1dc3edc8f2d84273f244679206ae2706c3f8da9c9feaf8c0649a8ef69a4a5220
Instruction ID: e0798e562a234dc65d57dfc831aab0a2ac833548536e13706783ef730c0d70e1
Opcode Fuzzy Hash: 1dc3edc8f2d84273f244679206ae2706c3f8da9c9feaf8c0649a8ef69a4a5220
Instruction Fuzzy Hash: D621AF74812317EBDB109F64EC28BA9BBA8BB41761F140216F424E32E2D7719891CFB0

Function 00D55711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00D55726
_memcmp.LIBVCRUNTIME ref: 00D55744
_memcmp.LIBVCRUNTIME ref: 00D55757
_memcmp.LIBVCRUNTIME ref: 00D5576F
_memcmp.LIBVCRUNTIME ref: 00D55787

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: d54289f100a4b363a651822de8482a12eb191d7fd0da1b03aed7ec33cfa88e90
Instruction ID: 9776e4b4ace1a2c49c008fc453841d406a75e0a6c12f5de9183fd0a981292bf3
Opcode Fuzzy Hash: d54289f100a4b363a651822de8482a12eb191d7fd0da1b03aed7ec33cfa88e90
Instruction Fuzzy Hash: 4601B5A5641609BFDA096611BD92FFB735CDB25396F244020FE149A249FB60EE5883B0

Function 00D22DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00D1F2DE,00D23863,00DC1444,?,00D0FDF5,?,?,00CFA976,00000010,00DC1440,00CF13FC,?,00CF13C6), ref: 00D22DFD
_free.LIBCMT ref: 00D22E32
_free.LIBCMT ref: 00D22E59
SetLastError.KERNEL32(00000000,00CF1129), ref: 00D22E66
SetLastError.KERNEL32(00000000,00CF1129), ref: 00D22E6F

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: d5f202c5eb6ad3eeba5a6d1f709e7624199cee6a7194820366971fbf4021ae89
Instruction ID: 08a517710511530534f2f08aca7069e0c2ef9cd4c944083d799a528e7e12f421
Opcode Fuzzy Hash: d5f202c5eb6ad3eeba5a6d1f709e7624199cee6a7194820366971fbf4021ae89
Instruction Fuzzy Hash: C401D132255720BB861227387C46D3B265DEBF57ADB2A4128F861E2292EB74CC016130

Function 00D5000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D4FF41,80070057,?,?,?,00D5035E), ref: 00D5002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D4FF41,80070057,?,?), ref: 00D50046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D4FF41,80070057,?,?), ref: 00D50054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D4FF41,80070057,?), ref: 00D50064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D4FF41,80070057,?,?), ref: 00D50070

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: f52ac9b8529daac611e612b6cb6b56817b1e9dfff877109b76a3dbf6880250e8
Instruction ID: 1e33a6794ee013b5e719fe9dd17d933b73221940c1d4ab7ce3cbb1406a58aea9
Opcode Fuzzy Hash: f52ac9b8529daac611e612b6cb6b56817b1e9dfff877109b76a3dbf6880250e8
Instruction Fuzzy Hash: 78017872620204EBDF104F68DC04BAA7EBDEB48792F185124FD05D2250EB71DD448BB0

Function 00D5E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00D5E997
QueryPerformanceFrequency.KERNEL32(?), ref: 00D5E9A5
Sleep.KERNEL32(00000000), ref: 00D5E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00D5E9B7
Sleep.KERNEL32 ref: 00D5E9F3

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 6a344137064d854a865be3f5e9b4b053049d4280be955d37af12cb700b98c432
Instruction ID: 703d49ff4b723f30733a67ba72b124ba44d8681c738e1a86cf9ea71e13e45e9e
Opcode Fuzzy Hash: 6a344137064d854a865be3f5e9b4b053049d4280be955d37af12cb700b98c432
Instruction Fuzzy Hash: 2F013531D11629DBCF04ABE5D889AEDFB78BB09702F010546ED12B2240DB309658CFB1

Function 00D510F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D51114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00D50B9B,?,?,?), ref: 00D51120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00D50B9B,?,?,?), ref: 00D5112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00D50B9B,?,?,?), ref: 00D51136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D5114D

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 9460e37feb95d3d011d15b8e5e63522b4b80405e7c740d51eb527586aa00d009
Instruction ID: 0a4e6fa1d25ae6e273dbfaa79f2acaaa2be7e7dff38387f61d15fa3e31ad40ab
Opcode Fuzzy Hash: 9460e37feb95d3d011d15b8e5e63522b4b80405e7c740d51eb527586aa00d009
Instruction Fuzzy Hash: EA014679220705EFDB114BA4EC89E6A3B6EEF893A1B250458FE45C2360DB31DC008B70

Function 00D50FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00D50FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00D50FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00D50FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00D50FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00D51002

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 57642a40dcb8e4f4e55252d0377b1777f3312d4943ef85262a007a769890b772
Instruction ID: de95ec8217b9f4f8c0ea503de367d52e030d898ee5823ff8549d40e65442dd6b
Opcode Fuzzy Hash: 57642a40dcb8e4f4e55252d0377b1777f3312d4943ef85262a007a769890b772
Instruction Fuzzy Hash: 6FF04979221312EBDB214FA8AC8EF563BADEF89762F544414FE45CA391CA70DC408B70

Function 00D51014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00D5102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00D51036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D51045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00D5104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D51062

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 2647c2db2b393b9eb9b1354e2826b7a7571785475feb1640742c763af9097a9a
Instruction ID: a247720524c8e46107b491efe804a2062509f1892602e8adb7bde0240dd67923
Opcode Fuzzy Hash: 2647c2db2b393b9eb9b1354e2826b7a7571785475feb1640742c763af9097a9a
Instruction Fuzzy Hash: B3F04979220311EBDB215FA8EC8AF563BADEF89762F240414FE45CA390CA70D8408B70

Function 00D6030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00D6017D,?,00D632FC,?,00000001,00D32592,?), ref: 00D60324
CloseHandle.KERNEL32(?,?,?,?,00D6017D,?,00D632FC,?,00000001,00D32592,?), ref: 00D60331
CloseHandle.KERNEL32(?,?,?,?,00D6017D,?,00D632FC,?,00000001,00D32592,?), ref: 00D6033E
CloseHandle.KERNEL32(?,?,?,?,00D6017D,?,00D632FC,?,00000001,00D32592,?), ref: 00D6034B
CloseHandle.KERNEL32(?,?,?,?,00D6017D,?,00D632FC,?,00000001,00D32592,?), ref: 00D60358
CloseHandle.KERNEL32(?,?,?,?,00D6017D,?,00D632FC,?,00000001,00D32592,?), ref: 00D60365

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: d7fa9a4d10c34980cd9b6db958255a75be5524c9316ca44c666898dc162ef576
Instruction ID: 94f52b092a5dcd1c28863757d9381bb996f31e27886db0172f10d0fb28155182
Opcode Fuzzy Hash: d7fa9a4d10c34980cd9b6db958255a75be5524c9316ca44c666898dc162ef576
Instruction Fuzzy Hash: 44019072800B159FC7319F66D880813FBF9BF502163198A3ED19652A31C371A955DFA0

Function 00D2D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00D2D752

Part of subcall function 00D229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00D2D7D1,00000000,00000000,00000000,00000000,?,00D2D7F8,00000000,00000007,00000000,?,00D2DBF5,00000000), ref: 00D229DE
Part of subcall function 00D229C8: GetLastError.KERNEL32(00000000,?,00D2D7D1,00000000,00000000,00000000,00000000,?,00D2D7F8,00000000,00000007,00000000,?,00D2DBF5,00000000,00000000), ref: 00D229F0

_free.LIBCMT ref: 00D2D764
_free.LIBCMT ref: 00D2D776
_free.LIBCMT ref: 00D2D788
_free.LIBCMT ref: 00D2D79A

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 82bd152d4c099ac4740ce0d7d7486e40ab6c08536140db8a676dae6608d3fd6e
Instruction ID: 8bcc89552cfad3e394cca9d700138f8388b65d0784edcc8461165feac8e397af
Opcode Fuzzy Hash: 82bd152d4c099ac4740ce0d7d7486e40ab6c08536140db8a676dae6608d3fd6e
Instruction Fuzzy Hash: 9CF0FF32554324EB9621EB64F9C5C2677DEFB687197E81D05F049D7601C734FC808A74

Function 00D55C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00D55C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00D55C6F
MessageBeep.USER32(00000000), ref: 00D55C87
KillTimer.USER32(?,0000040A), ref: 00D55CA3
EndDialog.USER32(?,00000001), ref: 00D55CBD

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 613bb36dc51b9ee5d57b53f599dcc035b9620f2eeb7c9f3c8a706bcc062bd3bf
Instruction ID: 82db949b756d77bc72dfc3cfbc5edb750c2e3c4fcebbf404d503eecb4abd84d8
Opcode Fuzzy Hash: 613bb36dc51b9ee5d57b53f599dcc035b9620f2eeb7c9f3c8a706bcc062bd3bf
Instruction Fuzzy Hash: C9018B30510704DBEF215B10ED5FFB577B8BF00706F041569A993A15E5D7F099488B70

Function 00D222A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00D222BE

Part of subcall function 00D229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00D2D7D1,00000000,00000000,00000000,00000000,?,00D2D7F8,00000000,00000007,00000000,?,00D2DBF5,00000000), ref: 00D229DE
Part of subcall function 00D229C8: GetLastError.KERNEL32(00000000,?,00D2D7D1,00000000,00000000,00000000,00000000,?,00D2D7F8,00000000,00000007,00000000,?,00D2DBF5,00000000,00000000), ref: 00D229F0

_free.LIBCMT ref: 00D222D0
_free.LIBCMT ref: 00D222E3
_free.LIBCMT ref: 00D222F4
_free.LIBCMT ref: 00D22305

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: cc6b4b54354fe2face2bd3636fdc669633b7d58062e1ca9a54397674e5b751fa
Instruction ID: e37d0bc4e8966c0386bad0ec2aa78792512812268dfe6dcf865fa1b76af7cc65
Opcode Fuzzy Hash: cc6b4b54354fe2face2bd3636fdc669633b7d58062e1ca9a54397674e5b751fa
Instruction Fuzzy Hash: 58F03A78850333EB8612AF54BC02C687F64FB29765785160AF420D23B2C7350891AFB8

Function 00D095C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00D095D4
StrokeAndFillPath.GDI32(?,?,00D471F7,00000000,?,?,?), ref: 00D095F0
SelectObject.GDI32(?,00000000), ref: 00D09603
DeleteObject.GDI32 ref: 00D09616
StrokePath.GDI32(?), ref: 00D09631

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 3bdb4c8ed2fe09ebbe6293dacbfa09eb796dcdd746c0fa8156ba6b6533942b71
Instruction ID: ab2a4ca97c80449c6a0c32e1ddb032c2958634b6bd7a21c34ce4ae87836744a7
Opcode Fuzzy Hash: 3bdb4c8ed2fe09ebbe6293dacbfa09eb796dcdd746c0fa8156ba6b6533942b71
Instruction Fuzzy Hash: FAF03C38015706EBDB525FA5ED2CB643B65AB02362F048214F469D52F2CB3189A1DF30

Function 00D20F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00D210F9
__freea.LIBCMT ref: 00D21117

Part of subcall function 00D21537: _free.LIBCMT ref: 00D2154F

Strings

a/p, xrefs: 00D211DE
am/pm, xrefs: 00D2117A

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: ef519473c8f3212a2f2157b8ca5d46a63440680aef74a30013590e9acbe3c284
Instruction ID: c4702ea724d4610863e3c5b0ce30511caf6329bf960561adc199f4525d49bb53
Opcode Fuzzy Hash: ef519473c8f3212a2f2157b8ca5d46a63440680aef74a30013590e9acbe3c284
Instruction Fuzzy Hash: DBD12539900226DACB25DF68E845BFEB7B2FF35308F288259E5419B650D3359D81CBB1

Function 00D77B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00D10242: EnterCriticalSection.KERNEL32(00DC070C,00DC1884,?,?,00D0198B,00DC2518,?,?,?,00CF12F9,00000000), ref: 00D1024D
Part of subcall function 00D10242: LeaveCriticalSection.KERNEL32(00DC070C,?,00D0198B,00DC2518,?,?,?,00CF12F9,00000000), ref: 00D1028A

Part of subcall function 00CF9CB3: _wcslen.LIBCMT ref: 00CF9CBD

Part of subcall function 00D100A3: __onexit.LIBCMT ref: 00D100A9

__Init_thread_footer.LIBCMT ref: 00D77BFB

Part of subcall function 00D101F8: EnterCriticalSection.KERNEL32(00DC070C,?,?,00D08747,00DC2514), ref: 00D10202
Part of subcall function 00D101F8: LeaveCriticalSection.KERNEL32(00DC070C,?,00D08747,00DC2514), ref: 00D10235

Strings

Variable must be of type 'Object'., xrefs: 00D77C3A
5, xrefs: 00D77C78
G, xrefs: 00D77C7F

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 2668bdb48793c9bdc583792d7e4896123e08e5319c5b85f1e7abe85ca49187ff
Instruction ID: 2ed5da813e72243319309caa3bf7fba0fb8fd3fa6f95f2bb15cd2d58eaa2f2ae
Opcode Fuzzy Hash: 2668bdb48793c9bdc583792d7e4896123e08e5319c5b85f1e7abe85ca49187ff
Instruction Fuzzy Hash: 07916870A04209EFCB14EF94D8919BDB7B1FF49300F148859F84A9B292EB71AE45DB71

Function 00D52716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D5B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D521D0,?,?,00000034,00000800,?,00000034), ref: 00D5B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00D52760

Part of subcall function 00D5B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D521FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00D5B3F8

Part of subcall function 00D5B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00D5B355
Part of subcall function 00D5B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00D52194,00000034,?,?,00001004,00000000,00000000), ref: 00D5B365
Part of subcall function 00D5B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00D52194,00000034,?,?,00001004,00000000,00000000), ref: 00D5B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00D527CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00D5281A

Strings

@, xrefs: 00D52832

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: d89e9ecbc158e9e0fa020964462ed080bc7b4f7f88b5cc54b1cfe49b3e8b0589
Instruction ID: 8c8b92a7e8e6d0813663aac892ad367322054b3a4e53378620f9d66761ee68de
Opcode Fuzzy Hash: d89e9ecbc158e9e0fa020964462ed080bc7b4f7f88b5cc54b1cfe49b3e8b0589
Instruction Fuzzy Hash: DD412A72900218AFDF10DBA4CD82AEEBBB8EF09311F044055EE55B7191DB706E49CBB1

Function 00D2172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00D21769
_free.LIBCMT ref: 00D21834
_free.LIBCMT ref: 00D2183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00D21760, 00D21767, 00D21796, 00D217CE

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: 3f3efb9ebb32a3281c705105cb407ec1c481cb691b6a46aa51f91c113b853e2c
Instruction ID: c333bd589a3c1fde84989d0e2d9c70d1c0196a6d24e16abe51cca8eb045f65b5
Opcode Fuzzy Hash: 3f3efb9ebb32a3281c705105cb407ec1c481cb691b6a46aa51f91c113b853e2c
Instruction Fuzzy Hash: E7316D79A00339FBDB21DF99A885D9EFBBCEBA5314B148166F804D7211D6708E40CBB0

Function 00D5C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00D5C306
DeleteMenu.USER32(?,00000007,00000000), ref: 00D5C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00DC1990,010762B8), ref: 00D5C395

Strings

0, xrefs: 00D5C2DF

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: b6f555f568ea87e5e77659afd8810d7e10254bf3b8b189ff42a7e3d1dae78153
Instruction ID: dac6c0563624c193d18ebba43cf245a2d4e5b346e555ae73352b29bc7a919687
Opcode Fuzzy Hash: b6f555f568ea87e5e77659afd8810d7e10254bf3b8b189ff42a7e3d1dae78153
Instruction Fuzzy Hash: 4E4180312143059FEB20DF25D884B6ABBE4EF85321F14965EFDA597291D730E908CB72

Function 00D84416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00D8CC08,00000000,?,?,?,?), ref: 00D844AA
GetWindowLongW.USER32 ref: 00D844C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D844D7

Strings

SysTreeView32, xrefs: 00D8447C

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: e49a2c3feb877412ec42e94d4d231b5c543501074faf00b98b826612cad827fe
Instruction ID: f7a5b3fdb402c2f85089f3f00f30664dfceb88a5b1b1b2627710b04a7bfbdd6d
Opcode Fuzzy Hash: e49a2c3feb877412ec42e94d4d231b5c543501074faf00b98b826612cad827fe
Instruction Fuzzy Hash: B7318D31210206AFDB20AE78DC45BEA7BA9EB09334F244725F979D22E1DB70EC509770

Function 00D7304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D7335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00D73077,?,?), ref: 00D73378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00D7307A
_wcslen.LIBCMT ref: 00D7309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00D73106

Strings

255.255.255.255, xrefs: 00D73095, 00D7309A

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 65df18ec0ed4b02621a22391a96865d947599aeb44489abdefcdcc8ccc77f150
Instruction ID: 156317f0a910d25b44bce3784836b2b21f44ee7914232536da12e2b09d83e5b0
Opcode Fuzzy Hash: 65df18ec0ed4b02621a22391a96865d947599aeb44489abdefcdcc8ccc77f150
Instruction Fuzzy Hash: 9031B0392043059FCB20CF28C485EAA77E0EF14318F68C059E9198B392EB32EE41E771

Function 00D83EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00D83F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00D83F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00D83F78

Strings

SysMonthCal32, xrefs: 00D83F0B

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: ac2f43bb7bca79c0e91b0547342872939ec7fd529669d590ed404b41ec7c6372
Instruction ID: 13cab0c6afe680f095611b711a00337eb6ec9bd084b09437abe433f0837957f9
Opcode Fuzzy Hash: ac2f43bb7bca79c0e91b0547342872939ec7fd529669d590ed404b41ec7c6372
Instruction Fuzzy Hash: A421AB32610219BBDF259F50CC46FEA3B79EF48B14F150214FE19AB190DAB1A9548BA0

Function 00D84653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00D84705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00D84713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00D8471A

Strings

msctls_updown32, xrefs: 00D84684

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 4dc162b967e75afee2e04b04f54332ceae95245ee1876d4d9ccd997dee8fb337
Instruction ID: cd331b83a59398d819c986b0bd6bbdfb92030ae1e46caca5ce36ea510492f2c6
Opcode Fuzzy Hash: 4dc162b967e75afee2e04b04f54332ceae95245ee1876d4d9ccd997dee8fb337
Instruction Fuzzy Hash: 17214CB560021AAFDB11EF64DC81DB637ADEF4A3A8B140059FA109B361DB30EC11DBB0

Function 00D595AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D5961D

Strings

#OnAutoItStartRegister, xrefs: 00D595F3
#notrayicon, xrefs: 00D595B7
#requireadmin, xrefs: 00D595D9

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 998e0987b5b842fcf41f4fe171f8313690cf1a6973cdd5cfe81f205ab0949c2e
Instruction ID: 94a7f95fd95c199bfd1bd0afaf3267b1f1dbf76a324b331f530bcce1674dff29
Opcode Fuzzy Hash: 998e0987b5b842fcf41f4fe171f8313690cf1a6973cdd5cfe81f205ab0949c2e
Instruction Fuzzy Hash: E2212672204251A6CB31AB24D822FB7B398DF91321F584026FD4997081EB71AD9DD2B5

Function 00D837B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00D83840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00D83850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00D83876

Strings

Listbox, xrefs: 00D8380F

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 8d1ff182c0142b5e036d691dc018343f89786a63d0e8654c76a48a7cb7dcc164
Instruction ID: 8752ee4c6a0b5a028640c03ace7d461abd1ac76bf90beb772e0167d80f512bf7
Opcode Fuzzy Hash: 8d1ff182c0142b5e036d691dc018343f89786a63d0e8654c76a48a7cb7dcc164
Instruction Fuzzy Hash: 08218E72610219BBEF21AF54CC85EBB376EEF89B50F158124FA499B190CA71DC5287B0

Function 00D649F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D64A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00D64A5C
SetErrorMode.KERNEL32(00000000,?,?,00D8CC08), ref: 00D64AD0

Strings

%lu, xrefs: 00D64A6F

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 710aef38cdfed4da0e6757d93590791d66530193b4de2306a2e3eb74d7ef13f4
Instruction ID: 45d0de19e20b4c224e7604289ffec115470f9caa59d9c7bef6718aab655f1799
Opcode Fuzzy Hash: 710aef38cdfed4da0e6757d93590791d66530193b4de2306a2e3eb74d7ef13f4
Instruction Fuzzy Hash: B8311C75A00209AFDB50DF64C985EAA7BF8EF08308F1480A9F909DB252D771EE45CB71

Function 00D841EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00D8424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00D84264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00D84271

Strings

msctls_trackbar32, xrefs: 00D84226

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: a088edc5e1ab21a2b16f00689d86daa917b319bd048eff0563dd9dc855b5b97b
Instruction ID: 82bada52acabad6e6cad26f157e4b4e928d8ca1478cad6073965a55268157da0
Opcode Fuzzy Hash: a088edc5e1ab21a2b16f00689d86daa917b319bd048eff0563dd9dc855b5b97b
Instruction Fuzzy Hash: 3411E031254209BEEF20AF29CC06FAB3BACEF95B64F110124FA55E20A0D671D8219B34

Function 00D52F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF6B57: _wcslen.LIBCMT ref: 00CF6B6A

Part of subcall function 00D52DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00D52DC5
Part of subcall function 00D52DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D52DD6
Part of subcall function 00D52DA7: GetCurrentThreadId.KERNEL32 ref: 00D52DDD
Part of subcall function 00D52DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00D52DE4

GetFocus.USER32 ref: 00D52F78

Part of subcall function 00D52DEE: GetParent.USER32(00000000), ref: 00D52DF9

GetClassNameW.USER32(?,?,00000100), ref: 00D52FC3
EnumChildWindows.USER32(?,00D5303B), ref: 00D52FEB

Strings

%s%d, xrefs: 00D52FFF

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: ab331b482fca7a3646160630df1c819fa3d0c2302bf93a2f81fb3f3a2a0de4c3
Instruction ID: bc2318310a8ba491ea9a063516c3e658f8c3d54ed3f694498a8b252a2e6b0712
Opcode Fuzzy Hash: ab331b482fca7a3646160630df1c819fa3d0c2302bf93a2f81fb3f3a2a0de4c3
Instruction Fuzzy Hash: B911AF71600209ABCF547F649C86EFE376AEF84346F044075BD099B292DF30994D9B70

Function 00D85882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00D858C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00D858EE
DrawMenuBar.USER32(?), ref: 00D858FD

Strings

0, xrefs: 00D8588F

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 9a5acd2991c416eddf8a295927c55b615f127de59d468c46e1637ad5e6999b06
Instruction ID: 1cfa5b2543fcd64c40017ba66e594da9abad69f491e78fc64054eea93d8e2bb0
Opcode Fuzzy Hash: 9a5acd2991c416eddf8a295927c55b615f127de59d468c46e1637ad5e6999b06
Instruction Fuzzy Hash: 07012D35510218EFDB21AF15EC44BAEBBB4FB45361F1480A9F849D62A1DB308A94DF31

Function 00D5007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f069bf440dcf80630684741ed71db397e80f037b7f1e1dda78d2cf6a91da864
Instruction ID: 2c9c73438213a9397e9b96e8c0584f604addf96e334e524998e8668e090cabaa
Opcode Fuzzy Hash: 6f069bf440dcf80630684741ed71db397e80f037b7f1e1dda78d2cf6a91da864
Instruction Fuzzy Hash: 03C12975A00206EFDB14CFA8C894EAEBBB5FF48705F148598E905EB251D731ED45CBA0

Function 00D23E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00D23F0B
__alldvrm.LIBCMT ref: 00D2410C
__alldvrm.LIBCMT ref: 00D2412E

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 637108d15c26716a104c13f0bb32f0c9f0071b74be30427ad442f6ed264fa624
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 61A19B71E007A69FD712CF18E9917AEBBE4EF71358F18416DE9859B281C2388D81C770

Function 00D7342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00D73459
CoUninitialize.OLE32 ref: 00D73463
VariantInit.OLEAUT32(?), ref: 00D7346E
VariantClear.OLEAUT32(?), ref: 00D7371B

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: f08c45d4e11fec77d5f14d8470a30283771093159a7f38b4ab7fd023371be47d
Instruction ID: e14fa9f46292c9aed82550a1a86d0037decc22b7d3f5444bbfef71e523af2a46
Opcode Fuzzy Hash: f08c45d4e11fec77d5f14d8470a30283771093159a7f38b4ab7fd023371be47d
Instruction Fuzzy Hash: 07A14A75604304DFC710DF28C485A2AB7E5FF88714F058959F98A9B362EB70EE05DBA2

Function 00D50436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00D8FC08,?), ref: 00D505F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00D8FC08,?), ref: 00D50608
CLSIDFromProgID.OLE32(?,?,00000000,00D8CC40,000000FF,?,00000000,00000800,00000000,?,00D8FC08,?), ref: 00D5062D
_memcmp.LIBVCRUNTIME ref: 00D5064E

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 02705c1b67894f5a71654637f05912845c557ad6070df4f9ecb2daf8040d6a9d
Instruction ID: 490d455410abfb074a9cf06ec0389cf493f4dd6a57c1dcb9602e7d12077be03f
Opcode Fuzzy Hash: 02705c1b67894f5a71654637f05912845c557ad6070df4f9ecb2daf8040d6a9d
Instruction Fuzzy Hash: 9581FE75A00109EFCF04DF94C984EEEBBB9FF89315F144558E916AB250DB71AE0ACB60

Function 00D7A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00D7A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00D7A6BA

Part of subcall function 00CF9CB3: _wcslen.LIBCMT ref: 00CF9CBD

Process32NextW.KERNEL32(00000000,?), ref: 00D7A79C
CloseHandle.KERNEL32(00000000), ref: 00D7A7AB

Part of subcall function 00D0CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00D33303,?), ref: 00D0CE8A

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 418bb21a87b66244c2ff0c5d4e615fe73736a985e0c6381859311200d2e4afb1
Instruction ID: 50a7d31e4ec376246f302c46a6db7413f62239bda039e5774a5d25b295299105
Opcode Fuzzy Hash: 418bb21a87b66244c2ff0c5d4e615fe73736a985e0c6381859311200d2e4afb1
Instruction Fuzzy Hash: EC515D71508304AFD754EF24C886A6FBBE8FF89754F00891DF58997291EB30D904CBA2

Function 00D31391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00D314C0

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 7447611c9392e74608175344bec4093676e68891b9deb0bc84fc87c3af23160c
Instruction ID: cec1d815d0fe8f0e5dd23af89e10f1914837192c6e8531ea1ec637ae0f7eb9ce
Opcode Fuzzy Hash: 7447611c9392e74608175344bec4093676e68891b9deb0bc84fc87c3af23160c
Instruction Fuzzy Hash: A7413D39A00212BBDB217BFDAC46AFE3AA5EF51370F184235F419D6192EB7488419771

Function 00D86278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00D862E2
ScreenToClient.USER32(?,?), ref: 00D86315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00D86382

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 0253ca3aad551bb9e983efcffc470b8a999dec6432f1674bd938aa863fdd82b9
Instruction ID: b879102d27423295dbc68d1e0ea7fc6b35dc2d82ac1325bd12c88dfc4b55fcf4
Opcode Fuzzy Hash: 0253ca3aad551bb9e983efcffc470b8a999dec6432f1674bd938aa863fdd82b9
Instruction Fuzzy Hash: 67510A74A00209EFDB11EF68D981AAE7BB5FF45360F188169F925DB2A1D730ED41CB60

Function 00D71AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00D71AFD
WSAGetLastError.WSOCK32 ref: 00D71B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00D71B8A
WSAGetLastError.WSOCK32 ref: 00D71B94

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 2840b2860657b131d25beb53cd115a5c35d6abb9c1d13385bcdbc6fc4dc26cd8
Instruction ID: 1f8a468a9cba651cbe54a99232fcb265b15b91653cd26a633956c26ac3d562ec
Opcode Fuzzy Hash: 2840b2860657b131d25beb53cd115a5c35d6abb9c1d13385bcdbc6fc4dc26cd8
Instruction Fuzzy Hash: 11419038600200AFE720AF24C886F3577E5AB49718F54C548FA1A9F3D3E772DD418BA1

Function 00D2B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce9f238c9a18fa3db0359d97597447343e39f5cf218a234f60f46b2bfdc8beb6
Instruction ID: ae12db6fc6cc9bdb1db86027d309209b8f1223427bf238d4e4f48fcf53b4f401
Opcode Fuzzy Hash: ce9f238c9a18fa3db0359d97597447343e39f5cf218a234f60f46b2bfdc8beb6
Instruction Fuzzy Hash: AA414B75A00714BFD724AF38DC41BAA7BE9EB94728F10452BF041DB281D7B1994187B0

Function 00D656D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00D65783
GetLastError.KERNEL32(?,00000000), ref: 00D657A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00D657CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00D657FA

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: a47f05b8a8c561f15f5996475c78b341ac1d0612b28f7ac03a5c43ad02f17c27
Instruction ID: 51983a663988d84fe059087be615f738b891bfc2d388c8296b8f34849ed6d0bc
Opcode Fuzzy Hash: a47f05b8a8c561f15f5996475c78b341ac1d0612b28f7ac03a5c43ad02f17c27
Instruction Fuzzy Hash: FC414F35600615DFCB11DF15C544A2DBBF2EF49320F198488E94A9B362CB74FD44DBA1

Function 00D2D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00D16D71,00000000,00000000,00D182D9,?,00D182D9,?,00000001,00D16D71,8BE85006,00000001,00D182D9,00D182D9), ref: 00D2D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00D2D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00D2D9AB
__freea.LIBCMT ref: 00D2D9B4

Part of subcall function 00D23820: RtlAllocateHeap.NTDLL(00000000,?,00DC1444,?,00D0FDF5,?,?,00CFA976,00000010,00DC1440,00CF13FC,?,00CF13C6,?,00CF1129), ref: 00D23852

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: eb7b405b29f6d706571bb9a785ecebf788cd41c4e63c5d49d7d307665bfced76
Instruction ID: b52fcd6e67fc4f5508009f5845a23a00508ec053c552e3f2fe5af48ccbcc9e99
Opcode Fuzzy Hash: eb7b405b29f6d706571bb9a785ecebf788cd41c4e63c5d49d7d307665bfced76
Instruction Fuzzy Hash: 4F31B272A1021AABDF24DF65EC85EAE7BA6EB50314F194168FC04D7250EB35CD90CBB0

Function 00D852C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00D85352
GetWindowLongW.USER32(?,000000F0), ref: 00D85375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D85382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00D853A8

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: c2d0411f26ab317cd7baae8f8d126254b91771e02bf89b959c70e2e7eb12195b
Instruction ID: 65409f1637faffae1fbfd229c4c71168b18e09b0e7c7f971d451309dc089f797
Opcode Fuzzy Hash: c2d0411f26ab317cd7baae8f8d126254b91771e02bf89b959c70e2e7eb12195b
Instruction Fuzzy Hash: 8931E234A65B08FFEB31BA14EC06FE87765AB05391F5C4001FA51962E5C7B1AE409B71

Function 00D5AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00D5ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00D5AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00D5AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00D5ACC6

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: c33bbe56fadb61d3d6a5e19be24de3e60333a650f298862ec4b5adde598941b9
Instruction ID: 224757c2d7c9db2fe956a5dd418c9cdcbe6e64a2e20f0280cc51d0f0692dd9c4
Opcode Fuzzy Hash: c33bbe56fadb61d3d6a5e19be24de3e60333a650f298862ec4b5adde598941b9
Instruction Fuzzy Hash: A5313934A10328AFEF34CB6C8C157FA7BA5AB85312F08431AEC95962D0D37489898772

Function 00D87674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00D8769A
GetWindowRect.USER32(?,?), ref: 00D87710
PtInRect.USER32(?,?,00D88B89), ref: 00D87720
MessageBeep.USER32(00000000), ref: 00D8778C

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: e23f344be8894854fa5c4d24c0144eead80c6dd9e8913e8dd184dee0616f490c
Instruction ID: 777c0b65ae1d6c595b89eaa10f793c595cf14a3641032744b71fdf319d71825c
Opcode Fuzzy Hash: e23f344be8894854fa5c4d24c0144eead80c6dd9e8913e8dd184dee0616f490c
Instruction Fuzzy Hash: BA4158386052159FCB01EF59CC94EA977B5BB4A314F2940A8E824DB361D730E942CFB0

Function 00D816DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00D816EB

Part of subcall function 00D53A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D53A57
Part of subcall function 00D53A3D: GetCurrentThreadId.KERNEL32 ref: 00D53A5E
Part of subcall function 00D53A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00D525B3), ref: 00D53A65

GetCaretPos.USER32(?), ref: 00D816FF
ClientToScreen.USER32(00000000,?), ref: 00D8174C
GetForegroundWindow.USER32 ref: 00D81752

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: b114b2f7fcae538e97129cfb5834be5d3c3adeba2dc013acc4acdf654cd53582
Instruction ID: 93d1027c32debf2fb586ca9898e610127198ada57240e825e282af59ffffc134
Opcode Fuzzy Hash: b114b2f7fcae538e97129cfb5834be5d3c3adeba2dc013acc4acdf654cd53582
Instruction Fuzzy Hash: E6311D75E10249AFCB04EFA9C981CAEBBFDEF48304B5480A9E515E7211DA31DE45CBB1

Function 00D5DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00CF7620: _wcslen.LIBCMT ref: 00CF7625

_wcslen.LIBCMT ref: 00D5DFCB
_wcslen.LIBCMT ref: 00D5DFE2
_wcslen.LIBCMT ref: 00D5E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00D5E018

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 3aa1edc55d41b150b8dc643b46659f793949872805ad0b491e8d014464fbf5a4
Instruction ID: 699ca605b734a316635dbd6d4a878a85ced82903c071f2e89c9d4176917fbabb
Opcode Fuzzy Hash: 3aa1edc55d41b150b8dc643b46659f793949872805ad0b491e8d014464fbf5a4
Instruction Fuzzy Hash: FB219F71900214AFCF20EFA8D982BAEB7F9EF45761F144065ED05BB281DA749E40CBB1

Function 00D88FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D09BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D09BB2

GetCursorPos.USER32(?), ref: 00D89001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00D47711,?,?,?,?,?), ref: 00D89016
GetCursorPos.USER32(?), ref: 00D8905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00D47711,?,?,?), ref: 00D89094

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: da2b45bb56b25c7522832387cd3fb08a1b82c921567b8ebd802a5a375eba831c
Instruction ID: e67a482740e3952da7147cde2dd939d1507c9036d78d96b7b6a78aac2e66f85a
Opcode Fuzzy Hash: da2b45bb56b25c7522832387cd3fb08a1b82c921567b8ebd802a5a375eba831c
Instruction Fuzzy Hash: 5021EF35600118FFCB269F95CC68EFABBB9EF4A310F180065F946972A2C7319950DB70

Function 00D5D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00D8CB68), ref: 00D5D2FB
GetLastError.KERNEL32 ref: 00D5D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00D5D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00D8CB68), ref: 00D5D376

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: d5d71a0a9042599e7799b3b493a8dd7171d56c70fc097a255bc76c57287f0747
Instruction ID: 1bafeb40f2f127512e8859ebff6c602824ee258c82386273d5ad50965848423d
Opcode Fuzzy Hash: d5d71a0a9042599e7799b3b493a8dd7171d56c70fc097a255bc76c57287f0747
Instruction Fuzzy Hash: 26219E705053019F9B20DF24C88196AB7E8EE56365F144A19FC99C32A1D730D909CBB3

Function 00D51571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D51014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00D5102A
Part of subcall function 00D51014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00D51036
Part of subcall function 00D51014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D51045
Part of subcall function 00D51014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00D5104C
Part of subcall function 00D51014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D51062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00D515BE
_memcmp.LIBVCRUNTIME ref: 00D515E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D51617
HeapFree.KERNEL32(00000000), ref: 00D5161E

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: e3d3074ad6f9c64a88872bc131f98002000776b7e77acfc97a3a9927794112e3
Instruction ID: b4d9f12579ce97258a03f9bb7e54df4b7a538595983997cb9d07168debcf9ae0
Opcode Fuzzy Hash: e3d3074ad6f9c64a88872bc131f98002000776b7e77acfc97a3a9927794112e3
Instruction Fuzzy Hash: B9217875E50208EFDF10DFA4C949BEEB7B8EF44346F084459E851AB241E730AA09CBB0

Function 00D82782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00D8280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00D82824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00D82832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00D82840

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 6e12981363c3f8006816fd76b5900ca44c488582cbb8228f369a7a17a420d323
Instruction ID: 875af15a414a3a11e4442c6b88e1913ab8024940ee064389a121e60f46b7b428
Opcode Fuzzy Hash: 6e12981363c3f8006816fd76b5900ca44c488582cbb8228f369a7a17a420d323
Instruction Fuzzy Hash: BD21B035214215AFDB14AB24CC45FBA7BA9EF45324F188158F426CB6E2C775EC42C7B0

Function 00D578F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D58D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00D5790A,?,000000FF,?,00D58754,00000000,?,0000001C,?,?), ref: 00D58D8C
Part of subcall function 00D58D7D: lstrcpyW.KERNEL32(00000000,?,?,00D5790A,?,000000FF,?,00D58754,00000000,?,0000001C,?,?,00000000), ref: 00D58DB2
Part of subcall function 00D58D7D: lstrcmpiW.KERNEL32(00000000,?,00D5790A,?,000000FF,?,00D58754,00000000,?,0000001C,?,?), ref: 00D58DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00D58754,00000000,?,0000001C,?,?,00000000), ref: 00D57923
lstrcpyW.KERNEL32(00000000,?,?,00D58754,00000000,?,0000001C,?,?,00000000), ref: 00D57949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00D58754,00000000,?,0000001C,?,?,00000000), ref: 00D57984

Strings

cdecl, xrefs: 00D5797B

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 15b5bc368e53e42c6b2f6988d52d875eaadd240ffb03fe6bf943a36d3868e7c7
Instruction ID: f96ea405b712761e8b4063b98a4d7a420799867faaf188dcee070e5a51976b09
Opcode Fuzzy Hash: 15b5bc368e53e42c6b2f6988d52d875eaadd240ffb03fe6bf943a36d3868e7c7
Instruction Fuzzy Hash: E811DF3A200342ABCF259F35E844E7A77A9FF85351B20402AFC46C72A4EB3198058BB1

Function 00D87CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00D87D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00D87D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00D87D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00D6B7AD,00000000), ref: 00D87D6B

Part of subcall function 00D09BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D09BB2

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 6e6179b08924d1636fd311792543312bea1e7aaa57e53e11587364d5a9e969d6
Instruction ID: 7b75e9ef7061502b32681df78d2e1802f50ad604e2ac2973dfd2f714c7512d51
Opcode Fuzzy Hash: 6e6179b08924d1636fd311792543312bea1e7aaa57e53e11587364d5a9e969d6
Instruction Fuzzy Hash: 59115E76615625EFCB10AF28CC04EA63BA5AF463A0B294724F839D72F1E730D951DB70

Function 00D85660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00D856BB
_wcslen.LIBCMT ref: 00D856CD
_wcslen.LIBCMT ref: 00D856D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00D85816

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: bbab738fcd99d12f8f42967439899c3700503b95f38251534875f2c016169884
Instruction ID: b633ed58b72bccac70141755e05a10b47f3f5b0569d3bf1e25402e92a6a24085
Opcode Fuzzy Hash: bbab738fcd99d12f8f42967439899c3700503b95f38251534875f2c016169884
Instruction Fuzzy Hash: F3110075A10619A6DF20BF65EC82EFE77ACEF01360B14402AF915D6085EB70CA84CF70

Function 00D21D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12fb3ceb37c625edfb941b21bbe84e45280e76c43b955c7d0d4c7efde16e92fd
Instruction ID: 4b7f99df99b813eff9e65e8c5abe7a6d263a119284e4effe25b9a56cd68ae2d7
Opcode Fuzzy Hash: 12fb3ceb37c625edfb941b21bbe84e45280e76c43b955c7d0d4c7efde16e92fd
Instruction Fuzzy Hash: 0A01ADB620972ABEF62126787CC0F27661DDFB13BCB388325F521A12D2DB708C425170

Function 00D51A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00D51A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D51A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D51A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D51A8A

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4e52d615ce8ba12f1d446b9070bf3c32264e1dedd0230507aa6521a11a032437
Instruction ID: afb1d1b987765cf09fd8400418b42c4f98a5f7cfa657f2678cea4241301d3f58
Opcode Fuzzy Hash: 4e52d615ce8ba12f1d446b9070bf3c32264e1dedd0230507aa6521a11a032437
Instruction Fuzzy Hash: 09110C3AD01219FFEF11DBA5CD85FADBB78EB04750F200091EA04B7290D6716E51DBA4

Function 00D5E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00D5E1FD
MessageBoxW.USER32(?,?,?,?), ref: 00D5E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00D5E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00D5E24D

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: e4231eb01e14e35b138fd994bcd7bbe2208cccbf549f46e09ed4095e9ca0674e
Instruction ID: 481462ee104e3436cec6a248a4156ac33701f3a19237d9965e4129fa0d451151
Opcode Fuzzy Hash: e4231eb01e14e35b138fd994bcd7bbe2208cccbf549f46e09ed4095e9ca0674e
Instruction Fuzzy Hash: 3B11C476914355BBCB05AFA8AC09E9E7FADEB46325F044255FD24E3391D6B0CA0887B0

Function 00D1D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00D1CFF9,00000000,00000004,00000000), ref: 00D1D218
GetLastError.KERNEL32 ref: 00D1D224
__dosmaperr.LIBCMT ref: 00D1D22B
ResumeThread.KERNEL32(00000000), ref: 00D1D249

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: d412d0b9817cc1c56d83e2d543c7892d7996f77983187a17b7091348e689c479
Instruction ID: 8aea9e349fa4993b55e4c6352beb88aba95e49b78b505a3c7b5bd53969450c2f
Opcode Fuzzy Hash: d412d0b9817cc1c56d83e2d543c7892d7996f77983187a17b7091348e689c479
Instruction Fuzzy Hash: E901C036915204BBCB116BA5FC09AEA7A6ADF82730F240219F925961E0DF71C98187B0

Function 00D89EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00D09BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D09BB2

GetClientRect.USER32(?,?), ref: 00D89F31
GetCursorPos.USER32(?), ref: 00D89F3B
ScreenToClient.USER32(?,?), ref: 00D89F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00D89F7A

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 73c0498ea57a58c22338fb764b9dbe42be8987cdcd65d391ba60b34dc5d02be8
Instruction ID: 39fef19410b6d9535cdeed15de2c2f0a82ebf8b3e5bd6b25ff3e4b7904ae7742
Opcode Fuzzy Hash: 73c0498ea57a58c22338fb764b9dbe42be8987cdcd65d391ba60b34dc5d02be8
Instruction Fuzzy Hash: A411253291021AABDB05EFA8D8959FEB7B9EF05311F180455FA52E3251D730AA81CBB1

Function 00CF600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00CF604C
GetStockObject.GDI32(00000011), ref: 00CF6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00CF606A

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 3fbbdc495a6e0069ce47562a5d51664752fa7440b623735e310148bdd32d4dde
Instruction ID: b90f4b1aa864022c2747efc6f5e2f1bca36706db8548d7252ab7d4fa62ad82e0
Opcode Fuzzy Hash: 3fbbdc495a6e0069ce47562a5d51664752fa7440b623735e310148bdd32d4dde
Instruction Fuzzy Hash: B6118B7211160DBFEF524FA48C44EFABF69EF083A4F100215FA1592220DB329C609BB5

Function 00D13B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00D13B56

Part of subcall function 00D13AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00D13AD2
Part of subcall function 00D13AA3: ___AdjustPointer.LIBCMT ref: 00D13AED

_UnwindNestedFrames.LIBCMT ref: 00D13B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00D13B7C
CallCatchBlock.LIBVCRUNTIME ref: 00D13BA4

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 8ff337326eb5c90883072349b11dafce85de6849480e33ce1fbb0a5ec436aa5e
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 94014C72100148BBDF125E95ED42EEB3F6DEF58754F044014FE4856121DB32E9A1DBB0

Function 00D23073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00CF13C6,00000000,00000000,?,00D2301A,00CF13C6,00000000,00000000,00000000,?,00D2328B,00000006,FlsSetValue), ref: 00D230A5
GetLastError.KERNEL32(?,00D2301A,00CF13C6,00000000,00000000,00000000,?,00D2328B,00000006,FlsSetValue,00D92290,FlsSetValue,00000000,00000364,?,00D22E46), ref: 00D230B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00D2301A,00CF13C6,00000000,00000000,00000000,?,00D2328B,00000006,FlsSetValue,00D92290,FlsSetValue,00000000), ref: 00D230BF

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 5db8ace9584790554b573f647564a08e555d21bf3c5d7dfe34bf5ba1777ef6d7
Instruction ID: c7bd5174177d8f6b43cc1879313ad3423099cd63733c2a381732b6b708301252
Opcode Fuzzy Hash: 5db8ace9584790554b573f647564a08e555d21bf3c5d7dfe34bf5ba1777ef6d7
Instruction Fuzzy Hash: B501D432721336EBCB214F78BD44A677B98AF15BA5B140620F915E3280C735D901C7F0

Function 00D57464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00D5747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00D57497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00D574AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00D574CA

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 45b93e84083b9f844944169a345f88b285480365afded6af2165bc492c9a7fa4
Instruction ID: bb226c500c9812e29b37ecef257c07c47ef66994ee57615430104724686a43e3
Opcode Fuzzy Hash: 45b93e84083b9f844944169a345f88b285480365afded6af2165bc492c9a7fa4
Instruction Fuzzy Hash: 7411A1B1215314DBEB208F64EC08F927BFCEB00B01F208569AE56D6251D770E948DB71

Function 00D5B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00D5ACD3,?,00008000), ref: 00D5B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00D5ACD3,?,00008000), ref: 00D5B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00D5ACD3,?,00008000), ref: 00D5B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00D5ACD3,?,00008000), ref: 00D5B126

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: be2f567236fc819be5990b0fee77669ae890d7b917c1a71daed9154002957314
Instruction ID: 8d6bb264e723f7637456b240c388ce8044291c0dbfa684d93b015a56b3c26da4
Opcode Fuzzy Hash: be2f567236fc819be5990b0fee77669ae890d7b917c1a71daed9154002957314
Instruction Fuzzy Hash: C0113C31D11B18D7CF00AFA9D998AEEBB78FF0A722F114486DD41B2285CB3095548B71

Function 00D87E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00D87E33
ScreenToClient.USER32(?,?), ref: 00D87E4B
ScreenToClient.USER32(?,?), ref: 00D87E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D87E8A

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 48bb20960a71a654ff5d9aefef1cf4a3eb43fd85adedae926403eb1fce9989cd
Instruction ID: 02e22afa6e567ab42008ebc4f66053c1458f9f723e80ad314e6fa5f95921c178
Opcode Fuzzy Hash: 48bb20960a71a654ff5d9aefef1cf4a3eb43fd85adedae926403eb1fce9989cd
Instruction Fuzzy Hash: 471143B9D1020AEFDB41DF98C884AEEBBF5FF08310F505066E925E2210D735AA55CF60

Function 00D52DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00D52DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00D52DD6
GetCurrentThreadId.KERNEL32 ref: 00D52DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00D52DE4

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 589a4be892d28ec4f9c4b01eeb7bbd65e3ab505ee655697aa04a66414e96d044
Instruction ID: 8988908e8b973f08b47ecb7ac0c200ee54e32801942a7a50bc1a077881d60e57
Opcode Fuzzy Hash: 589a4be892d28ec4f9c4b01eeb7bbd65e3ab505ee655697aa04a66414e96d044
Instruction Fuzzy Hash: 2BE06571221324B6DB2017629C0EEF73E6CEB43B62F041115B905D115096A4C444C7F0

Function 00D88863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00D09639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00D09693
Part of subcall function 00D09639: SelectObject.GDI32(?,00000000), ref: 00D096A2
Part of subcall function 00D09639: BeginPath.GDI32(?), ref: 00D096B9
Part of subcall function 00D09639: SelectObject.GDI32(?,00000000), ref: 00D096E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00D88887
LineTo.GDI32(?,?,?), ref: 00D88894
EndPath.GDI32(?), ref: 00D888A4
StrokePath.GDI32(?), ref: 00D888B2

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: dcabe20092676d765c0d47f271708faa443be9d5a1c2b9727fe158088c6a1960
Instruction ID: 762f21029df9983a35a14dc896bff4e112d8f8534a5f8894040d696e8e488954
Opcode Fuzzy Hash: dcabe20092676d765c0d47f271708faa443be9d5a1c2b9727fe158088c6a1960
Instruction Fuzzy Hash: 2EF03A36051369FADB126F94AC09FCA3A69AF06350F448000FA11A52E2CBB55511DFF5

Function 00D098B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00D098CC
SetTextColor.GDI32(?,?), ref: 00D098D6
SetBkMode.GDI32(?,00000001), ref: 00D098E9
GetStockObject.GDI32(00000005), ref: 00D098F1

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 0bb2e2673e80456c176b578bb9c070161aab0fc4b616f79a95bb88a90d46b9c9
Instruction ID: 19cd7796bdcda25dcd82752b4b29a8273b157198df236de2717c17dc8f5b7a37
Opcode Fuzzy Hash: 0bb2e2673e80456c176b578bb9c070161aab0fc4b616f79a95bb88a90d46b9c9
Instruction Fuzzy Hash: 99E03931264780EADB215B74BC1DBE83B20AB12736F08921AF6BA981E1C37146409B30

Function 00D5162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00D51634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00D511D9), ref: 00D5163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00D511D9), ref: 00D51648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00D511D9), ref: 00D5164F

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 682a1feb922defc6b4ef0cbd54c9ee218cef9a1669dfedd355425dd5db893a8e
Instruction ID: 8a39ac3fa801afcb357680894f98e4ed589bb899862a67c65b201073a16b814e
Opcode Fuzzy Hash: 682a1feb922defc6b4ef0cbd54c9ee218cef9a1669dfedd355425dd5db893a8e
Instruction Fuzzy Hash: B4E08C36622311EBDB301FB0AE0DB8A3B7CAF45BD2F198808FA45C9080E6348445CB74

Function 00D4D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00D4D858
GetDC.USER32(00000000), ref: 00D4D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00D4D882
ReleaseDC.USER32(?), ref: 00D4D8A3

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 67f8a2b75db592b8e20efa9b91900e7653fcdb9b5a9de5ff103c79a8f1ee23e7
Instruction ID: 24f7801515b47e565ee42f8256b323e0d557aec865a245b146d024a4c4454c93
Opcode Fuzzy Hash: 67f8a2b75db592b8e20efa9b91900e7653fcdb9b5a9de5ff103c79a8f1ee23e7
Instruction Fuzzy Hash: 5DE0E5B4820205DFCB419FA0990966DBBB2AB08310B109019E94AE7360D7388901AF70

Function 00D4D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00D4D86C
GetDC.USER32(00000000), ref: 00D4D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00D4D882
ReleaseDC.USER32(?), ref: 00D4D8A3

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 1f52725f2c4335e2b6b1fd0a610fad2aeb2e31ae2bfc5877a2c5cd20cb1879be
Instruction ID: 1ea4af90ad1fd93a608ff95be2e1d4365f4d90ca20923a0d8223a91ecb804df4
Opcode Fuzzy Hash: 1f52725f2c4335e2b6b1fd0a610fad2aeb2e31ae2bfc5877a2c5cd20cb1879be
Instruction Fuzzy Hash: EEE01A74820304DFCB409FB0D80966DBBB1BB08310B109019F94AE7360D7385901AF70

Function 00D64D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF7620: _wcslen.LIBCMT ref: 00CF7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00D64ED4

Strings

LPT, xrefs: 00D64DFB
*, xrefs: 00D64E10

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: ea3e2e64fc4d7683ed90c125ab6526fc465697473811a05c1e9fd050e982d247
Instruction ID: 9b4ffe466905fff3d93a99cb2fdf748e30a242bc255d649926734380857ce9e5
Opcode Fuzzy Hash: ea3e2e64fc4d7683ed90c125ab6526fc465697473811a05c1e9fd050e982d247
Instruction Fuzzy Hash: A2914E75A00204AFCB14DF58C484EAABBF5BF44304F198099F84A9F3A2D775ED85CBA1

Function 00D1E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00D1E30D

Strings

pow, xrefs: 00D1E2E5, 00D1E302

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: ed267bf07fc58093a4b284bedcf2120818758ca14b8dac95e0e59082ee5bec09
Instruction ID: eabd5f41ae730e46b16ad4fd7cb943c6f324aa6eb1191ee8b48c91ae583b02aa
Opcode Fuzzy Hash: ed267bf07fc58093a4b284bedcf2120818758ca14b8dac95e0e59082ee5bec09
Instruction Fuzzy Hash: A7517B61A0C213B6CB257724F9013FA2B94EF20745F384999F8E5823A9DF35CCC19A76

Function 00D0E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00D0E1B1

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 42e8c58ed5df5b311d6220f43331c9898295eae42471ab0d064d466cfee7adc3
Instruction ID: 9afe149efe07aad3c90522a660d9718ca9691fea00a71356b6dd8b015a3e6a11
Opcode Fuzzy Hash: 42e8c58ed5df5b311d6220f43331c9898295eae42471ab0d064d466cfee7adc3
Instruction Fuzzy Hash: 26512035900346EFDF15DF78C481ABA7BA8FF66320F284459E8919B2D0DA309D42DBB1

Function 00D0F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00D0F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00D0F2BB

Strings

@, xrefs: 00D0F2AF

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: daae2bef53d2199663297506a541c742782391890d5b5de9246378b5980acef4
Instruction ID: 170fb16cf62cf5e1ad198e3f59baf2a5edd285a674bd6c64aea03ac998f6b7bc
Opcode Fuzzy Hash: daae2bef53d2199663297506a541c742782391890d5b5de9246378b5980acef4
Instruction Fuzzy Hash: 3C5158715187499BD360AF54D886BABBBF8FF85300F81484CF29981195EB308929CB6B

Function 00D75745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00D757E0
_wcslen.LIBCMT ref: 00D757EC

Strings

CALLARGARRAY, xrefs: 00D757E6, 00D757EB

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: a93bca74c5c2b2c86fa1c7a968deeb8ca2bbef0b2adf09f56e1ff5fd81535a53
Instruction ID: c35b2f15dd3775bc15d2b2511622e3f6bc2e5f87e2fea7b6bb3fcc4a536c620c
Opcode Fuzzy Hash: a93bca74c5c2b2c86fa1c7a968deeb8ca2bbef0b2adf09f56e1ff5fd81535a53
Instruction Fuzzy Hash: 14419F71A002099FCB14DFA9D8819BEBBB5EF59320F148069E509A7295E7709D81CBB2

Function 00D6D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D6D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00D6D13A

Strings

|, xrefs: 00D6D10B

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: f060877a1b44ba21f787626fb39bd673b95e049aae0c2176f3d0c9ec57b6bebe
Instruction ID: 20fc1261dce1e72b122b205306741a213fd57a0261fc492b943a25ddfa45e642
Opcode Fuzzy Hash: f060877a1b44ba21f787626fb39bd673b95e049aae0c2176f3d0c9ec57b6bebe
Instruction Fuzzy Hash: 71316F71D00209ABCF15EFA4DC85EEEBFBAFF05300F000019F915A6162DB75AA46DB61

Function 00D8356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00D83621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00D8365C

Strings

static, xrefs: 00D835BC

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: ee4cebcb64fb60519c6f535acb7b831487c47c5413ba9172d397c55a676b97a3
Instruction ID: 2dfdce0c2ea2e0067d4fd7283dad421ec28d0e1537b105d0ce1f079d078bb086
Opcode Fuzzy Hash: ee4cebcb64fb60519c6f535acb7b831487c47c5413ba9172d397c55a676b97a3
Instruction Fuzzy Hash: DD318B71110604AEDB14AF68DC81FBB73A9FF88B20F109619F9A9D7290DA30AD91D770

Function 00D84537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00D8461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00D84634

Strings

', xrefs: 00D8458E

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: ab82f426daf960e253197aae6fcba05a32af56e0113fad9ee02904f6458f5379
Instruction ID: f8cd74973d4ac7a1c0da7c2e4a678b4ad61058a51c6c254efd1dc9d0ef6561ec
Opcode Fuzzy Hash: ab82f426daf960e253197aae6fcba05a32af56e0113fad9ee02904f6458f5379
Instruction Fuzzy Hash: E431E774A0131A9FDB14DF69C991BEA7BB5FF49300F14406AE905AB391E770A941CFA0

Function 00D831EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00D8327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D83287

Strings

Combobox, xrefs: 00D83249

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: d25a548e83c696878b702625b39cabe64da519fd1511f3b051573ca0b3c4fd72
Instruction ID: 466a01d3c96695b1d4dc5d75ec02214be4fc07fc84ae7ef12ccfc42a612c099c
Opcode Fuzzy Hash: d25a548e83c696878b702625b39cabe64da519fd1511f3b051573ca0b3c4fd72
Instruction Fuzzy Hash: F711E271300209BFEF21AE54DC80FBB376AEF94764F140124F91897290D631DD518770

Function 00D83710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00CF600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00CF604C
Part of subcall function 00CF600E: GetStockObject.GDI32(00000011), ref: 00CF6060
Part of subcall function 00CF600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00CF606A

GetWindowRect.USER32(00000000,?), ref: 00D8377A
GetSysColor.USER32(00000012), ref: 00D83794

Strings

static, xrefs: 00D83757

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: b614bddf97e36fb5c12f4252eb6a16f2c5d58a688c88fde20e762e907cdc4833
Instruction ID: b056297bb15811d4a65c48c2894e0e0384a32bda8f6ff148bcaa86e77cddc230
Opcode Fuzzy Hash: b614bddf97e36fb5c12f4252eb6a16f2c5d58a688c88fde20e762e907cdc4833
Instruction Fuzzy Hash: 311129B262020AAFDF00EFA8CC46EFA7BB8EF08714F015515F955E2250E775E8519B60

Function 00D6CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00D6CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00D6CDA6

Strings

<local>, xrefs: 00D6CD66

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 29facfedee9b65e00af728731131e1d56cb50a35afa8abe6ec5ab35270143cf3
Instruction ID: 5ea249e59d2ca4ab47ff283fb6670beda81827e1bc1e928950111b1e22ae0c81
Opcode Fuzzy Hash: 29facfedee9b65e00af728731131e1d56cb50a35afa8abe6ec5ab35270143cf3
Instruction Fuzzy Hash: DE11C271225631BBD7385B668C49EF7BEACEF127A4F00522AB189C3180D7749845DAF0

Function 00D83429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00D834AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00D834BA

Strings

edit, xrefs: 00D8348F

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: d004684dc1d3644610cf0149cbd4a0785425094733a963e7d9a6930ebefc612d
Instruction ID: 076c2ba7c61db2809592e797fe6aa2f89cb03bbc010076abb2d3b77eb3f96036
Opcode Fuzzy Hash: d004684dc1d3644610cf0149cbd4a0785425094733a963e7d9a6930ebefc612d
Instruction Fuzzy Hash: D0116A71110208AAEB12AE68DC44EBA376AEF05B74F644724FA69932E0C771DC559B70

Function 00D56C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00CF9CB3: _wcslen.LIBCMT ref: 00CF9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00D56CB6
_wcslen.LIBCMT ref: 00D56CC2

Strings

STOP, xrefs: 00D56CBC, 00D56CC1

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: a3024fae96f8754d93aa10050ba702a60dcf51aaa5c455604e59bf06f6b79eba
Instruction ID: 8a9ca8f39d429635f52ab2931498d303cb3d33d6ecd28e0a3474bb1a6f3dadde
Opcode Fuzzy Hash: a3024fae96f8754d93aa10050ba702a60dcf51aaa5c455604e59bf06f6b79eba
Instruction Fuzzy Hash: B001043261052A8ACF219FBDDC809BF77B4EE61722B840929EC5297290FA31D848C670

Function 00D51CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF9CB3: _wcslen.LIBCMT ref: 00CF9CBD

Part of subcall function 00D53CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D53CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00D51D4C

Strings

ComboBox, xrefs: 00D51CEB
ListBox, xrefs: 00D51D16

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c9cd2411665fe80c3ab686640312aed6bc6d59eee67d9b5df88999c5f71a28a3
Instruction ID: 00f105288feee0bccbd8577a8f9a9c0b5c40fa130a3d1f897d3084b9863a2284
Opcode Fuzzy Hash: c9cd2411665fe80c3ab686640312aed6bc6d59eee67d9b5df88999c5f71a28a3
Instruction Fuzzy Hash: 2E01B175601218AB8F08EFA4CC51AFE77B8EB46390F04061AEC72A72D1EA31990C9671

Function 00D51BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF9CB3: _wcslen.LIBCMT ref: 00CF9CBD

Part of subcall function 00D53CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D53CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00D51C46

Strings

ComboBox, xrefs: 00D51BE5
ListBox, xrefs: 00D51C10

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 3f56a9c04f8d31bedaf0648d85be54de92cd013c4f656ed5db3b82047fa468ab
Instruction ID: d932b8a799418d9e0a167a6438cc41974f206860217133c9f3d786eb85aff997
Opcode Fuzzy Hash: 3f56a9c04f8d31bedaf0648d85be54de92cd013c4f656ed5db3b82047fa468ab
Instruction Fuzzy Hash: 21016775781108AACF14EB90D952BFFB7A8DF16381F140019ED56672C1EA319E0CD6B6

Function 00D51C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF9CB3: _wcslen.LIBCMT ref: 00CF9CBD

Part of subcall function 00D53CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D53CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00D51CC8

Strings

ComboBox, xrefs: 00D51C69
ListBox, xrefs: 00D51C94

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: f5888fd96bba2fa7acac3be48eff5aca91dbf9cd496f22b68096618cbee92079
Instruction ID: a3fc38cf35c9598d64e19aa0658d7d185228cd6875474f73defe2d9ca2d45c31
Opcode Fuzzy Hash: f5888fd96bba2fa7acac3be48eff5aca91dbf9cd496f22b68096618cbee92079
Instruction Fuzzy Hash: 12018675781158ABCF14EBA5CA12BFEB7A8DB12381F140015BD42B3281EA729F0CD672

Function 00D51D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF9CB3: _wcslen.LIBCMT ref: 00CF9CBD

Part of subcall function 00D53CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D53CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00D51DD3

Strings

ComboBox, xrefs: 00D51D75
ListBox, xrefs: 00D51DA0

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ec29038b25c311d66b5f41c97500665f22144edf5f2c3336491b0ab07d7fd43e
Instruction ID: a583bf98ce8cf7872f6afbd0138b58c4548960bf5e22265eb98a44bf4c45793a
Opcode Fuzzy Hash: ec29038b25c311d66b5f41c97500665f22144edf5f2c3336491b0ab07d7fd43e
Instruction Fuzzy Hash: 24F0A475B51218AADF04EBA4CC52BFE7778EB02391F04091AFD62A32C1EA70990C9271

Function 00D7747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D77493
_wcslen.LIBCMT ref: 00D774B9

Strings

3, 3, 16, 1, xrefs: 00D77483

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 4d67dacfa4f29f465eba507fab25a380c3d1ab54ab04e4170ae97106f8179b11
Instruction ID: a53f3126bc4c2b8cf2ae8064f0c00c2e76b87c1730e3e998f661bdfb04450d53
Opcode Fuzzy Hash: 4d67dacfa4f29f465eba507fab25a380c3d1ab54ab04e4170ae97106f8179b11
Instruction Fuzzy Hash: FBE02B02304220209231127AECC19BF56C9DFC57607181C2FF989C2276FE948DD193B0

Function 00D50B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00D50B23

Strings

AutoIt, xrefs: 00D50B17
Error allocating memory., xrefs: 00D50B1C

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: cd8b842203b3c74f08c6cd4c3d3f976a6ea8ba157728b6e6c6b1dc175b28ef90
Instruction ID: 305cc532eaad5912e208f9dd80f1dd2c69cd1410ff81cb99561e7bdc6ae5adf6
Opcode Fuzzy Hash: cd8b842203b3c74f08c6cd4c3d3f976a6ea8ba157728b6e6c6b1dc175b28ef90
Instruction Fuzzy Hash: CFE0D831254308BAD22037547C03FC97A84CF05F11F200466FB58955C38AE1249007F9

Function 00D10D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00D0F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00D10D71,?,?,?,00CF100A), ref: 00D0F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00CF100A), ref: 00D10D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00CF100A), ref: 00D10D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00D10D7F

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 2e14394ca2533eb0b938f36eb4048343c2cfdcdcd17e64b21b1cf54c9326498b
Instruction ID: d7794624a730935c25b0b18e65b01409298767a9f59d943a530d46f9322e34d4
Opcode Fuzzy Hash: 2e14394ca2533eb0b938f36eb4048343c2cfdcdcd17e64b21b1cf54c9326498b
Instruction Fuzzy Hash: ECE06D742003519BD370AFB8F8047867FE0AB04B44F04492DE486C6B92DBF4E4848BB2

Function 00D63017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00D6302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00D63044

Strings

aut, xrefs: 00D63038

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: eb338b8680de2f7f2253bf51e33e42b0849ce1906109191d8be1ca75697a4297
Instruction ID: 52bf875fee491db00324b658900f0a5fc17ac5c5840fb17b15e9952c17e2ce65
Opcode Fuzzy Hash: eb338b8680de2f7f2253bf51e33e42b0849ce1906109191d8be1ca75697a4297
Instruction Fuzzy Hash: 7DD05E72510328ABDA20A7A4AC0EFCB3A6CDB05750F0002A1B656E21D1DAB4D984CBF4

Function 00D4D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00D4D220

Strings

%.3d, xrefs: 00D4D22B
X64, xrefs: 00D4D2A8

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 2de95780949d74023ed57adcc1b6d2ad54cf9c5df736ce422bd2440861dfbd49
Instruction ID: e0fc93a5c54566d8534f21f4e782c248e6b14ac3edb6e409fbf5ffcc0c378fea
Opcode Fuzzy Hash: 2de95780949d74023ed57adcc1b6d2ad54cf9c5df736ce422bd2440861dfbd49
Instruction Fuzzy Hash: BED01271808109FBCB9097D0CC899B9B3BDFB08301F608452F85BE1180D674C5086B75

Function 00D82356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D8236C
PostMessageW.USER32(00000000), ref: 00D82373

Part of subcall function 00D5E97B: Sleep.KERNEL32 ref: 00D5E9F3

Strings

Shell_TrayWnd, xrefs: 00D82365

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 44438d749280bf5b19f2bd7980895504462c473fd9892c5ddc1db01385954fb2
Instruction ID: ecbb03c625da7b3ab2e58a9ddd35440d6d306e85987263b39f065f20068038f0
Opcode Fuzzy Hash: 44438d749280bf5b19f2bd7980895504462c473fd9892c5ddc1db01385954fb2
Instruction Fuzzy Hash: 62D0C9323A1310BAEA68B7709C0FFC676159B05B11F1059167A46EA2E1D9B4A8098B74

Function 00D82322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D8232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00D8233F

Part of subcall function 00D5E97B: Sleep.KERNEL32 ref: 00D5E9F3

Strings

Shell_TrayWnd, xrefs: 00D82325

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 91bc25e1b4473965d9289fbd2db770f13b58dad5111e40072b1b374b75550ebe
Instruction ID: 8c233eb7a663268df0df7af3d9e934589555c820458c9d740c0bac2cc12aef8b
Opcode Fuzzy Hash: 91bc25e1b4473965d9289fbd2db770f13b58dad5111e40072b1b374b75550ebe
Instruction Fuzzy Hash: 81D0C9363A4310FAEA68B7709C1FFD67A159B00B11F1059167A46EA2E1D9B4A8098B74

Function 00D2BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00D2BE93
GetLastError.KERNEL32 ref: 00D2BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00D2BEFC

Memory Dump Source

Source File: 00000000.00000002.1741723192.0000000000CF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000000.00000002.1741689844.0000000000CF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000D8C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741822052.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741916293.0000000000DBC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741947371.0000000000DC4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 6d59c96e7ebc7b3bb580f3f38b73aaef61354a328636a3026b57d263bc9c1a28
Instruction ID: 889f58b0e7565ff8b827a215885faedf7ebcf8bb423281a2d4b8322ed44ceaeb
Opcode Fuzzy Hash: 6d59c96e7ebc7b3bb580f3f38b73aaef61354a328636a3026b57d263bc9c1a28
Instruction Fuzzy Hash: 86414A31604326EFCF218F64ED44ABA7BA5EF61334F19416AF969972A1DB718C00CB70

Analysis Process: firefox.exePID: 7532, Parent PID: 7812COMMON

Execution Graph

Execution Coverage:	0.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 000001882759ABB7 Relevance: 8.4, APIs: 1, Instructions: 6852nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 000001882759ABDC

Memory Dump Source

Source File: 00000010.00000002.2941386079.0000018827598000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000018827598000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_18827598000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: a3d4a310f25344abd1978f5247c9d082b9ccbb3eaa73dfa71153365510a96fee
Instruction ID: d5d66c1efe1c2b72692413add8f4a3861dd398324ab7f4d2ba6b1e4da0d8119f
Opcode Fuzzy Hash: a3d4a310f25344abd1978f5247c9d082b9ccbb3eaa73dfa71153365510a96fee
Instruction Fuzzy Hash: 27A3B331614A498BDB2DEF2DD8856E9B7E6FB55300F44822ED94AC7251DF30EA42CBC1

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.65.91 151.101.65.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000D.00000003.1850662657.000001DA9FBE6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1896430788.000001DA9FBEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1877609950.000001DAA021A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1869195470.000001DAA0217000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1764484023.000001DA9BCEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1854429569.000001DA9BBBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1869858263.000001DA9BBBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1764484023.000001DA9BCEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1854429569.000001DA9BBBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1869858263.000001DA9BBBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1910567761.000001DA948B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1907154238.000001DA94E20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1910567761.000001DA9484A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1877609950.000001DAA021A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1869195470.000001DAA0217000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1893995223.000001DA9740D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1923050851.000001DA97416000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1893995223.000001DA9740D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1923050851.000001DA97416000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1924158910.000001DA95BDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1764484023.000001DA9BCEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1854429569.000001DA9BBBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1869858263.000001DA9BBBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1764484023.000001DA9BCEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1854429569.000001DA9BBBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1869858263.000001DA9BBBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1924158910.000001DA95BDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1924158910.000001DA95BDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1924158910.000001DA95BDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1924158910.000001DA95BDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1924158910.000001DA95BDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1924158910.000001DA95BDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1924158910.000001DA95BDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1924158910.000001DA95BDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1924158910.000001DA95BDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1924158910.000001DA95BDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1924158910.000001DA95BDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1924158910.000001DA95BDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1924158910.000001DA95BDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1924158910.000001DA95BDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1924158910.000001DA95BDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1924158910.000001DA95BDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1924158910.000001DA95BDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1924158910.000001DA95BDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1924158910.000001DA95BDC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1904933172.000001DA96371000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1870870141.000001DA96368000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1924158910.000001DA95BDC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1904933172.000001DA96371000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1870870141.000001DA96368000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1924158910.000001DA95BDC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1904933172.000001DA96371000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1870870141.000001DA96368000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1850662657.000001DA9FB99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/org/1/firefox/118.0.1/WINNT/en-US/security-error?1 equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1850662657.000001DA9FB99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: support.mozilla.org/1/firefox/118.0.1/WINNT/en-US/security-errorhttps://www.youtube.com/org/1/firefox/118.0.1/WINNT/en-US/security-error?1 equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1929393517.000001DA937C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1910567761.000001DA948B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1907154238.000001DA94E20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1929393517.000001DA937C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1877609950.000001DAA021A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1869195470.000001DAA0217000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1847910614.000001DA9C2B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1910567761.000001DA9487C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911218785.000001DA945FD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1873863513.000001DA9507C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.65.91:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49823 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49824 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49822 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49827 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49826 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49830 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49971 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_b126bd3d-9c00-4518-b6ae-2e2abafcd518.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_b126bd3d-9c00-4518-b6ae-2e2abafcd518.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre