Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1545679
MD5:	c5c8202cf33c1c61d4463d53aa3748e5
SHA1:	be46a2f36d213ed714a9f60f73e577d3884df9a4
SHA256:	ca80960301e0e4d399cdd5f9b93395b0d398290e0978926d1620437e19e0e955
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7352 cmdline: "C:\Users\user\Desktop\file.exe" MD5: C5C8202CF33C1C61D4463D53AA3748E5)

taskkill.exe (PID: 7368 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7472 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7536 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7600 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7664 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 7728 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7760 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7776 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8020 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2276 -parentBuildID 20230927232528 -prefsHandle 2216 -prefMapHandle 2208 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a46847d0-9293-4bac-8415-4fa2947c8e97} 7776 "\\.\pipe\gecko-crash-server-pipe.7776" 1ccdad6d510 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7604 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2696 -parentBuildID 20230927232528 -prefsHandle 4228 -prefMapHandle 4224 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7cff00d-f0b1-495f-9d3f-92f956d45c2c} 7776 "\\.\pipe\gecko-crash-server-pipe.7776" 1ccece2fb10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7616 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4952 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4956 -prefMapHandle 4904 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff0ebe7f-fa1c-41ff-ae44-07a5d0ab7bae} 7776 "\\.\pipe\gecko-crash-server-pipe.7776" 1ccec341110 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 7352	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0072EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0072EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0072ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0072ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0072EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0071AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0071AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00749576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00749576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_7ac065d0-b
Source: file.exe, 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_0bace3ee-5
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_505f7bc2-6
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_5cd6cb95-2

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000024FC4BE5AF7 NtQuerySystemInformation,		16_2_0000024FC4BE5AF7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000024FC51A4872 NtQuerySystemInformation,		16_2_0000024FC51A4872

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0071D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0071D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00711201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00711201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0071E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0071E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006BBF40	0_2_006BBF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006B8060	0_2_006B8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00722046	0_2_00722046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00718298	0_2_00718298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006EE4FF	0_2_006EE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E676B	0_2_006E676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00744873	0_2_00744873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006BCAF0	0_2_006BCAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006DCAA0	0_2_006DCAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006CCC39	0_2_006CCC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E6DD9	0_2_006E6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006CB119	0_2_006CB119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006B91C0	0_2_006B91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006D1394	0_2_006D1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006D1706	0_2_006D1706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006D781B	0_2_006D781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006C997D	0_2_006C997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006B7920	0_2_006B7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006D19B0	0_2_006D19B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006D7A4A	0_2_006D7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006D1C77	0_2_006D1C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006D7CA7	0_2_006D7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0073BE44	0_2_0073BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E9EEE	0_2_006E9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006D1F32	0_2_006D1F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000024FC4BE5AF7	16_2_0000024FC4BE5AF7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000024FC51A4872	16_2_0000024FC51A4872
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000024FC51A4F9C	16_2_0000024FC51A4F9C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000024FC51A48B2	16_2_0000024FC51A48B2

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 006D0A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 006CF9F2 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@65/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007237B5 GetLastError,FormatMessageW,

0_2_007237B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007110BF AdjustTokenPrivileges,CloseHandle,		0_2_007110BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007116C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_007116C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007251CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_007251CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0071D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0071D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0072648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0072648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006B42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_006B42A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7672:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7608:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7480:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7376:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7544:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000D.00000003.1817002065.000001CCF65D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1883923310.000001CCF65D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000D.00000003.1817002065.000001CCF65D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1883923310.000001CCF65D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000D.00000003.1817002065.000001CCF65D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1883923310.000001CCF65D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000D.00000003.1817002065.000001CCF65D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1883923310.000001CCF65D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000D.00000003.1815704030.000001CCF6957000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000D.00000003.1817002065.000001CCF65D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1883923310.000001CCF65D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000D.00000003.1817002065.000001CCF65D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1883923310.000001CCF65D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000D.00000003.1817002065.000001CCF65D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1883923310.000001CCF65D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000D.00000003.1817002065.000001CCF65D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1883923310.000001CCF65D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000D.00000003.1817002065.000001CCF65D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1883923310.000001CCF65D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2276 -parentBuildID 20230927232528 -prefsHandle 2216 -prefMapHandle 2208 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a46847d0-9293-4bac-8415-4fa2947c8e97} 7776 "\\.\pipe\gecko-crash-server-pipe.7776" 1ccdad6d510 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2696 -parentBuildID 20230927232528 -prefsHandle 4228 -prefMapHandle 4224 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7cff00d-f0b1-495f-9d3f-92f956d45c2c} 7776 "\\.\pipe\gecko-crash-server-pipe.7776" 1ccece2fb10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4952 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4956 -prefMapHandle 4904 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff0ebe7f-fa1c-41ff-ae44-07a5d0ab7bae} 7776 "\\.\pipe\gecko-crash-server-pipe.7776" 1ccec341110 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2276 -parentBuildID 20230927232528 -prefsHandle 2216 -prefMapHandle 2208 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a46847d0-9293-4bac-8415-4fa2947c8e97} 7776 "\\.\pipe\gecko-crash-server-pipe.7776" 1ccdad6d510 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2696 -parentBuildID 20230927232528 -prefsHandle 4228 -prefMapHandle 4224 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7cff00d-f0b1-495f-9d3f-92f956d45c2c} 7776 "\\.\pipe\gecko-crash-server-pipe.7776" 1ccece2fb10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4952 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4956 -prefMapHandle 4904 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff0ebe7f-fa1c-41ff-ae44-07a5d0ab7bae} 7776 "\\.\pipe\gecko-crash-server-pipe.7776" 1ccec341110 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000D.00000003.1821347049.000001CCEA493000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000D.00000003.1821347049.000001CCEA493000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006B42DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006D0A76 push ecx; ret

0_2_006D0A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006CF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_006CF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00741C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00741C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95067

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_0000024FC4BE5AF7 rdtsc

16_2_0000024FC4BE5AF7

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.7 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0071DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0071DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007268EE FindFirstFileW,FindClose,	0_2_007268EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0072698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0072698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0071D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0071D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0071D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0071D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00729642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00729642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0072979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0072979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00729B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00729B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00725C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00725C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006B42DE

Source: firefox.exe, 00000010.00000002.2937039213.0000024FC48CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`x
Source: firefox.exe, 00000011.00000002.2941664590.000001AF6E920000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX
Source: firefox.exe, 0000000F.00000002.2942444344.0000022DD3A40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWWPV7
Source: firefox.exe, 00000010.00000002.2941773907.0000024FC5092000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllo
Source: firefox.exe, 00000010.00000002.2941773907.0000024FC5092000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlls
Source: firefox.exe, 0000000F.00000002.2937059289.0000022DD30CA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2942444344.0000022DD3A40000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2941773907.0000024FC5092000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2937768774.000001AF6E59A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000F.00000002.2941719706.0000022DD3618000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 0000000F.00000002.2937059289.0000022DD30CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: firefox.exe, 0000000F.00000002.2942444344.0000022DD3A40000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2941773907.0000024FC5092000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_0000024FC4BE5AF7 rdtsc

16_2_0000024FC4BE5AF7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0072EAA2 BlockInput,

0_2_0072EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006E2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_006E2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006B42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006D4CE8 mov eax, dword ptr fs:[00000030h]

0_2_006D4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00710B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00710B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_006E2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006D083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_006D083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006D09D5 SetUnhandledExceptionFilter,	0_2_006D09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006D0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_006D0C21

Source: C:\Users\user\Desktop\file.exe

0_2_00711201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006F2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_006F2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0071B226 SendInput,keybd_event,

0_2_0071B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007322DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_007322DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00710B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00711663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00711663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006D0698 cpuid

0_2_006D0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00728195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00728195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0070D27A GetUserNameW,

0_2_0070D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006EBB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_006EBB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006B42DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7352, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7352, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00731204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00731204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00731806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00731806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
http://detectportal.firefox.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema.	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://json-schema.org/draft/2020-12/schema/=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://MD8.mozilla.org/1/m	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe
http://json-schema.org/draft-07/schema#-	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	0%	URL Reputation	safe
https://www.olx.pl/	0%	URL Reputation	safe
https://poczta.interia.pl/mh/?mailto=%s	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	unknown
star-mini.c10r.facebook.com	157.240.0.35	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.129	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	151.101.193.91	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	172.217.23.110	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	142.250.185.78	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
reddit.map.fastly.net	151.101.1.140	true	false	unknown
ipv4only.arpa	192.0.0.170	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.2938371233.0000022DD32B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2938370292.0000024FC4B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2938050483.000001AF6E6A0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 0000000D.00000003.1894345341.000001CCEE5BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1772246830.000001CCEE5BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1899628478.000001CCEE5BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2939224125.0000024FC4CC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2938434541.000001AF6E8C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl3.di	firefox.exe, 0000000D.00000003.1821492878.000001CCEA48E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1823262403.000001CCEA48E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://detectportal.firefox.com/	firefox.exe, 0000000D.00000003.1888849279.000001CCEC9B5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.2938371233.0000022DD32B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2938370292.0000024FC4B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2938050483.000001AF6E6A0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000D.00000003.1816286414.000001CCF683A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1818319765.000001CCF6D4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1883286244.000001CCF683A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000F.00000002.2938954967.0000022DD35E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2939224125.0000024FC4CE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2941877242.000001AF6EB03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000D.00000003.1825920628.000001CCF2C2D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000011.00000002.2938434541.000001AF6E88E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000D.00000003.1859708026.000001CCF3047000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.2938371233.0000022DD32B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2938370292.0000024FC4B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2938050483.000001AF6E6A0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000D.00000003.1767584688.000001CCEB867000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000D.00000003.1815252044.000001CCF6B7E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1883286244.000001CCF683A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000D.00000003.1902551446.000001CCEC060000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1817611864.000001CCF2D97000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1727714679.000001CCEA85A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1727494060.000001CCEA83C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1727055728.000001CCEA600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1727285035.000001CCEA81F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.2938371233.0000022DD32B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2938370292.0000024FC4B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2938050483.000001AF6E6A0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000D.00000003.1865500849.000001CCEC7D4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000D.00000003.1883999273.000001CCF65B4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.2938371233.0000022DD32B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2938370292.0000024FC4B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2938050483.000001AF6E6A0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.2938371233.0000022DD32B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2938370292.0000024FC4B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2938050483.000001AF6E6A0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.2938371233.0000022DD32B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2938370292.0000024FC4B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2938050483.000001AF6E6A0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1887377623.000001CCF303D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1727285035.000001CCEA81F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1842878406.000001CCEC54C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 0000000D.00000003.1862544568.000001CCED69F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://mozilla.org/0	firefox.exe, 0000000D.00000003.1879175810.00002DE7C6B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1879002579.00000DAB99A03000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1727934759.000001CCEA877000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1727714679.000001CCEA85A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1727494060.000001CCEA83C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1727055728.000001CCEA600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1727285035.000001CCEA81F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.2938371233.0000022DD32B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2938370292.0000024FC4B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2938050483.000001AF6E6A0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.2938371233.0000022DD32B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2938370292.0000024FC4B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2938050483.000001AF6E6A0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.2938371233.0000022DD32B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2938370292.0000024FC4B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2938050483.000001AF6E6A0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000D.00000003.1863127423.000001CCED64E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000D.00000003.1859708026.000001CCF3047000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000F.00000002.2938954967.0000022DD35E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2939224125.0000024FC4CE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2941877242.000001AF6EB03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.2938371233.0000022DD32B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2938370292.0000024FC4B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2938050483.000001AF6E6A0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.2938371233.0000022DD32B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2938370292.0000024FC4B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2938050483.000001AF6E6A0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000D.00000003.1887766640.000001CCF2D97000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.2938371233.0000022DD32B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2938370292.0000024FC4B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2938050483.000001AF6E6A0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	firefox.exe, 0000000D.00000003.1864908272.000001CCEC93D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.2938371233.0000022DD32B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2938370292.0000024FC4B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2938050483.000001AF6E6A0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000F.00000002.2938954967.0000022DD35E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2939224125.0000024FC4CE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2941877242.000001AF6EB03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://www.youtube.com/	firefox.exe, 00000010.00000002.2939224125.0000024FC4C03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2938434541.000001AF6E80C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000D.00000003.1776663554.000001CCEB198000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1778441389.000001CCEB15D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.2938371233.0000022DD32B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2938370292.0000024FC4B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2938050483.000001AF6E6A0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://MD8.mozilla.org/1/m	firefox.exe, 0000000D.00000003.1903348487.000001CCEB467000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000D.00000003.1884262283.000001CCF34F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1886215413.000001CCF34F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1897446962.000001CCF34F0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000000D.00000003.1887766640.000001CCF2D97000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1899628478.000001CCEE5BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2939224125.0000024FC4CC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2938434541.000001AF6E8C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000D.00000003.1860635516.000001CCEEA93000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2938371233.0000022DD32B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2938370292.0000024FC4B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2938050483.000001AF6E6A0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000D.00000003.1776663554.000001CCEB198000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1778441389.000001CCEB15D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.1821832515.000001CCEC263000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1843026642.000001CCEC263000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1773451072.000001CCEC266000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1890381759.000001CCEC269000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000D.00000003.1897802935.000001CCF3405000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.2938371233.0000022DD32B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2938370292.0000024FC4B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2938050483.000001AF6E6A0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000D.00000003.1865500849.000001CCEC7D4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.13.dr	false		unknown
http://crl3.digic	firefox.exe, 0000000D.00000003.1796685952.000001CCEA45B000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1798151613.000001CCEA45B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://spocs.getpocket.com/	firefox.exe, 00000011.00000002.2938434541.000001AF6E813000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.2938371233.0000022DD32B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2938370292.0000024FC4B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2938050483.000001AF6E6A0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.2938371233.0000022DD32B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2938370292.0000024FC4B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2938050483.000001AF6E6A0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.2938371233.0000022DD32B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2938370292.0000024FC4B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2938050483.000001AF6E6A0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.2938371233.0000022DD32B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2938370292.0000024FC4B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2938050483.000001AF6E6A0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.2938371233.0000022DD32B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2938370292.0000024FC4B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2938050483.000001AF6E6A0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.2938371233.0000022DD32B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2938370292.0000024FC4B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2938050483.000001AF6E6A0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.2938371233.0000022DD32B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2938370292.0000024FC4B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2938050483.000001AF6E6A0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.2938371233.0000022DD32B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2938370292.0000024FC4B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2938050483.000001AF6E6A0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.2938371233.0000022DD32B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2938370292.0000024FC4B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2938050483.000001AF6E6A0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.2938371233.0000022DD32B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2938370292.0000024FC4B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2938050483.000001AF6E6A0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.1820483312.000001CCEAD8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1838138758.000001CCEC61D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1838757378.000001CCEC6A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1821832515.000001CCEC263000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1890595471.000001CCEADD9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1815102465.000001CCF6CAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1898150951.000001CCF2BB5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1825920628.000001CCF2C19000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1828093438.000001CCEC245000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1828093438.000001CCEC295000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1730753730.000001CCEA868000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1828093438.000001CCEC248000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1880388264.000001CCEC50A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1736515083.000001CCEB642000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1843026642.000001CCEC258000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1885214047.000001CCEADD3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1820483312.000001CCEADEF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1861720281.000001CCEE02B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1765647907.000001CCED4DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1834385858.000001CCEC62B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1828093438.000001CCEC29C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.1862544568.000001CCED69F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://youtube.com/	firefox.exe, 0000000D.00000003.1817358221.000001CCF303D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.1863228789.000001CCED61F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1888730530.000001CCED62B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1862544568.000001CCED69F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.2938371233.0000022DD32B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2938370292.0000024FC4B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2938050483.000001AF6E6A0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000D.00000003.1893543778.000001CCF2B58000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000D.00000003.1825920628.000001CCF2C2D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.2938371233.0000022DD32B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2938370292.0000024FC4B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2938050483.000001AF6E6A0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000D.00000003.1767584688.000001CCEB867000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.2938371233.0000022DD32B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2938370292.0000024FC4B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2938050483.000001AF6E6A0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1732553585.000001CCE8433000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1734328595.000001CCE841D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1734572109.000001CCE8433000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000D.00000003.1778441389.000001CCEB15D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000D.00000003.1896162879.000001CCEC3BA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.2938371233.0000022DD32B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2938370292.0000024FC4B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2938050483.000001AF6E6A0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000D.00000003.1860763413.000001CCEE0A7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000D.00000003.1776663554.000001CCEB198000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1778441389.000001CCEB15D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1732553585.000001CCE8433000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1734328595.000001CCE841D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1734572109.000001CCE8433000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000D.00000003.1884262283.000001CCF34F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1886215413.000001CCF34F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1897446962.000001CCF34F0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000F.00000002.2938954967.0000022DD35E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2939224125.0000024FC4CE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2941877242.000001AF6EB03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000D.00000003.1887766640.000001CCF2D97000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2938371233.0000022DD32B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2938370292.0000024FC4B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2938050483.000001AF6E6A0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.co.uk/	firefox.exe, 0000000D.00000003.1767584688.000001CCEB867000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000D.00000003.1815252044.000001CCF6B8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1902347555.000001CCEC0C7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 0000000F.00000002.2938371233.0000022DD32B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2938370292.0000024FC4B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2938050483.000001AF6E6A0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 0000000D.00000003.1727285035.000001CCEA81F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/search	firefox.exe, 0000000D.00000003.1727934759.000001CCEA877000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1727714679.000001CCEA85A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1727494060.000001CCEA83C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1727055728.000001CCEA600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1767584688.000001CCEB867000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1727285035.000001CCEA81F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1842878406.000001CCEC54C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://relay.firefox.com/api/v1/	firefox.exe, 0000000F.00000002.2938371233.0000022DD32B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2938370292.0000024FC4B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2938050483.000001AF6E6A0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
http://json-schema.org/draft-07/schema#-	firefox.exe, 0000000D.00000003.1859708026.000001CCF3047000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 0000000F.00000002.2938371233.0000022DD32B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2938370292.0000024FC4B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2938050483.000001AF6E6A0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://topsites.services.mozilla.com/cid/	firefox.exe, 0000000F.00000002.2938371233.0000022DD32B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2938370292.0000024FC4B60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2938050483.000001AF6E6A0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://twitter.com/	firefox.exe, 0000000D.00000003.1887766640.000001CCF2D97000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.olx.pl/	firefox.exe, 0000000D.00000003.1893543778.000001CCF2B58000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1193802	firefox.exe, 0000000D.00000003.1776663554.000001CCEB198000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1778441389.000001CCEB15D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://mozilla.org/Z	firefox.exe, 0000000D.00000003.1879175810.00002DE7C6B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1879002579.00000DAB99A03000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://poczta.interia.pl/mh/?mailto=%s	firefox.exe, 0000000D.00000003.1732553585.000001CCE8433000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1734328595.000001CCE841D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1734572109.000001CCE8433000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/complete/search	firefox.exe, 0000000D.00000003.1763357078.000001CCF2E42000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1762926888.000001CCF2CA2000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
172.217.23.110	youtube.com	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
151.101.193.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545679
Start date and time:	2024-10-30 20:38:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@65/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 95% Number of executed functions: 41 Number of non-executed functions: 312
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 35.160.212.113, 52.11.191.138, 54.185.230.140, 142.250.186.174, 2.22.61.56, 2.22.61.59, 142.250.185.206, 142.250.185.202, 142.250.186.170
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
15:39:05	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.193.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	Reminders for Msp-partner_ Server Alert.eml	Get hash	malicious	HTMLPhisher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	https://wetransfer.com/downloads/bd15c1f671ae60c5a56e558eb8cc43bf20241030150256/3b30cd5b9ce1ffb29d79c9118153941c20241030150256/70baef?t_exp=1730559776&t_lsid=6bd545a9-d09b-4abd-a317-124dbe9fe64d&t_network=email&t_rid=YXV0aDB8NjZlYWI0YTExODhmYzc1OGMzMmNiODIx&t_s=download_link&t_ts=1730300576&utm_campaign=TRN_TDL_01&utm	Get hash	malicious	HTMLPhisher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	https://www.guidedtrack.com/programs/n5snx1a/run	Get hash	malicious	Unknown	Browse	157.240.253.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	FormulariomillasbonusLATAM_GsqrekXCVBmUf.cmd	Get hash	malicious	Unknown	Browse	34.117.59.81
	172.104.150.66.ps1	Get hash	malicious	Unknown	Browse	34.117.59.81
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	https://www.mediafire.com/file/oyfycncwen0a3ue/DSP_Plan_Set.zip/file	Get hash	malicious	Unknown	Browse	34.117.239.71
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
FASTLYUS	https://pub-6838e3dd185d4df89d3bb3eabe6469a4.r2.dev/index.html#	Get hash	malicious	Unknown	Browse	151.101.2.137
	https:/click.mailchimp.com/track/click/30010842/docsend.com?p=eyJzIjoiT2RaN0hwNHlyY2E3VXl5TWcwMlA2eFpHVlN3IiwidiI6MSwicCI6IntcInVcIjozMDAxMDg0MixcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL2RvY3NlbmQuY29tXFxcL3ZpZXdcXFwvZzZnYzZjazdtNHlkYTRpa1wiLFwiaWRcIjpcImNhZDg3NzI1Y2UzMjRiMzI4Yzk1ZGVkYWUyMzc4ZTZjXCIsXCJ1cmxfaWRzXCI6W1wiYzE5ZWU5NGJiMzA5YmZhOGQ2MDU3OGI1Mjk5NTFmOWE4NDQ0ODNhYVwiXX0ifQ#steven.davis@tu.edu	Get hash	malicious	HTMLPhisher	Browse	151.101.66.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	Access Audits -System #6878.msg	Get hash	malicious	HTMLPhisher	Browse	151.101.1.229
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	(No subject) (100).eml	Get hash	malicious	Tycoon2FA	Browse	151.101.2.137
	Reminders for Msp-partner_ Server Alert.eml	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	https://apollomicsinc-my.sharepoint.com/:u:/p/peony_yu/EThcAjzaTWNPs4NpIP1X0v0BUe4pmKNB9s6TANBDk5EDeA?rtime=8VndtY_33Eg	Get hash	malicious	Unknown	Browse	151.101.2.137
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	https://www.mediafire.com/file/oyfycncwen0a3ue/DSP_Plan_Set.zip/file	Get hash	malicious	Unknown	Browse	34.1.246.194
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_255b4412-0df3-4832-be32-5037f020fd1a.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.1813201730866165
Encrypted:	false
SSDEEP:	192:7sjMihihMhXcbhbVbTbfbRbObtbyEl7nMrIJA6WnSrDtTUd/SkDrCw:QYyyYXcNhnzFSJsr7BnSrDhUd/r
MD5:	771513F5BDEF449FE21510F7B5B0D2E8
SHA1:	9E4B38D31B10CAF948521F29C5A64E26061975C8
SHA-256:	E04521110190E736456DD8EB0BDCE9C56194615076E5A31817F092226CD04F59
SHA-512:	4866C5CA45084D6097B6C9750310CD747B69EF0DECB537C8F4C45D55833CDE0EF8D85EE9DF244EE7BF9292F0C87D08BA2C1D3FE9AE48AD2EA60F855A2C788B5C
Malicious:	false
Preview:	{"type":"uninstall","id":"255b4412-0df3-4832-be32-5037f020fd1a","creationDate":"2024-10-30T20:47:05.566Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_255b4412-0df3-4832-be32-5037f020fd1a.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.1813201730866165
Encrypted:	false
SSDEEP:	192:7sjMihihMhXcbhbVbTbfbRbObtbyEl7nMrIJA6WnSrDtTUd/SkDrCw:QYyyYXcNhnzFSJsr7BnSrDhUd/r
MD5:	771513F5BDEF449FE21510F7B5B0D2E8
SHA1:	9E4B38D31B10CAF948521F29C5A64E26061975C8
SHA-256:	E04521110190E736456DD8EB0BDCE9C56194615076E5A31817F092226CD04F59
SHA-512:	4866C5CA45084D6097B6C9750310CD747B69EF0DECB537C8F4C45D55833CDE0EF8D85EE9DF244EE7BF9292F0C87D08BA2C1D3FE9AE48AD2EA60F855A2C788B5C
Malicious:	false
Preview:	{"type":"uninstall","id":"255b4412-0df3-4832-be32-5037f020fd1a","creationDate":"2024-10-30T20:47:05.566Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.931606558476108
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNLFGZ8P:8S+OBIUjOdwiOdYVjjwLFGZ8P
MD5:	EA3850EFEF6CD49404F9CE52E8E0004A
SHA1:	4143B91019D81BD43A2E457EF1E5EFCFBE4D77EC
SHA-256:	0BF33C85961871175B054535E33A3135A891C46CE878CB86F68205519875255B
SHA-512:	16BC4891214CF19CD21278AF57AFC39F06E427378A94DC0C2482EA43DCF2331EF99EC44A4CF37DAD861D1AE4E89E388211E9E12A6E7D10796FE1096EA0319667
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.931606558476108
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNLFGZ8P:8S+OBIUjOdwiOdYVjjwLFGZ8P
MD5:	EA3850EFEF6CD49404F9CE52E8E0004A
SHA1:	4143B91019D81BD43A2E457EF1E5EFCFBE4D77EC
SHA-256:	0BF33C85961871175B054535E33A3135A891C46CE878CB86F68205519875255B
SHA-512:	16BC4891214CF19CD21278AF57AFC39F06E427378A94DC0C2482EA43DCF2331EF99EC44A4CF37DAD861D1AE4E89E388211E9E12A6E7D10796FE1096EA0319667
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07338695179673393
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkinL:DLhesh7Owd4+jiL
MD5:	2EA153D905768C44B5CB58C942ABA844
SHA1:	85EFD24AD576D397CEE09A3C7BB1648DA58D98F2
SHA-256:	3A85F3CB87136B8F66D467EAC110FFED43E6F4D10F104EFC521375737A2BA0B9
SHA-512:	626A451E620C3209BFA9DFD6457B104B683D5166F207060887DFDEA0DBCA8FA6D5A7511A8BF8A80EA8BB226E0F0EEFE9898C0260B515FAAE0FF3EF71C3E72DA8
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035615874395153645
Encrypted:	false
SSDEEP:	3:GtlstFvW9n1QPPlYlstFvW9n1QPP///T89//alEl:GtWtUp1Q3lYWtUp1Q3/D89XuM
MD5:	A6453A65668E99CAB0C20817496A7978
SHA1:	68ADA9A93D660F57CE6214F57B111B18956D2934
SHA-256:	694E7847073752BB70FD0298FA9B151D530159C6FC220C65892D34DDD1B4BA7B
SHA-512:	68675FBA73E9B2509429CB295129C909F3BD3EA5932083584C164E4FEB596101B5F6DA089C78487ACD8661EAC1ED867B3DF3C05B53D190E9F0DD108B5949B295
Malicious:	false
Preview:	..-........................./.!\q..E....:...Grn...-........................./.!\q..E....:...Grn.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03965353112274345
Encrypted:	false
SSDEEP:	3:Ol138gVrGgNUTD6Uiwl8rEXsxdwhml8XW3R2:KaQCxDXll8dMhm93w
MD5:	D69087C8F0C7F074CC441415024404CB
SHA1:	48048EC23C6699A79796456A83974DF7BEBCC968
SHA-256:	26DEB68ED0BDB32355524C3DA1600AF4E6C6B398252BB0517F01D3FAC32E1084
SHA-512:	754ABC77450FF445C4BB675489B64A4952B5ED1551E4F50FB40D135748E8072A38840F113A8B29B7E34C43C6FDF6C34EE8AEFC3FF3E1A23AD4F90655AEB5574D
Malicious:	false
Preview:	7....-..........q..E.....r.............q..E........\!./................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.4933499151167045
Encrypted:	false
SSDEEP:	192:tnaRtLYbBp6AXhj4qyaaXp6KDINFev85RfGNBw8d0Sl:QeJ6q/0I00cwD0
MD5:	F3598FDD635824175B038C8FDC1C7C37
SHA1:	5FFC6C0C9424DF75C484946ACC777195A5DE3472
SHA-256:	C2AC0EB98A59E6AC878B4863E6032F472A1A492FCDD7EC44F55939FF72F71875
SHA-512:	D890C5CB5E8D479B7C44A53C043C0697845CF55D8860B8A0E0C6E7CF2175FACC6FDF29B3EEE3EDBD228C18E34D1434DB4EC588C2D428C5CDC7EBD91F980A052B
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730321195);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730321195);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730321195);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173032

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.4933499151167045
Encrypted:	false
SSDEEP:	192:tnaRtLYbBp6AXhj4qyaaXp6KDINFev85RfGNBw8d0Sl:QeJ6q/0I00cwD0
MD5:	F3598FDD635824175B038C8FDC1C7C37
SHA1:	5FFC6C0C9424DF75C484946ACC777195A5DE3472
SHA-256:	C2AC0EB98A59E6AC878B4863E6032F472A1A492FCDD7EC44F55939FF72F71875
SHA-512:	D890C5CB5E8D479B7C44A53C043C0697845CF55D8860B8A0E0C6E7CF2175FACC6FDF29B3EEE3EDBD228C18E34D1434DB4EC588C2D428C5CDC7EBD91F980A052B
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730321195);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730321195);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730321195);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173032

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	6.334045707441808
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSEKaLXnIgm/pnxQwRlszT5sKt0i3eHVQj6T3JamhujJlOHzIomNVrw:GUpOx/2nR6N3eHT3J4JlK8quR4
MD5:	B15C4EE54C9F8CFF2BA8CA8C2E83F4D1
SHA1:	0BA553BEF1178DBB47E19A74098FBA43202FBFA6
SHA-256:	87F46592371B721FC0AD19FDD132861B8E3241B4AE1F74B807B4ABEDE7BD78F2
SHA-512:	D6CB1E2F2336F5A2ACFF0B259A2257182E1E5B3A8559E697D29445B3A119AE1DC62D674A57F43C177156631CB85F5EA128CE1ED864FE643B06546F31F11F928C
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{f1558e2f-f401-46b0-951f-41f30f06db97}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730321200077,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate...8,"startTim..`165318...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....170437,"originA

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	6.334045707441808
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSEKaLXnIgm/pnxQwRlszT5sKt0i3eHVQj6T3JamhujJlOHzIomNVrw:GUpOx/2nR6N3eHT3J4JlK8quR4
MD5:	B15C4EE54C9F8CFF2BA8CA8C2E83F4D1
SHA1:	0BA553BEF1178DBB47E19A74098FBA43202FBFA6
SHA-256:	87F46592371B721FC0AD19FDD132861B8E3241B4AE1F74B807B4ABEDE7BD78F2
SHA-512:	D6CB1E2F2336F5A2ACFF0B259A2257182E1E5B3A8559E697D29445B3A119AE1DC62D674A57F43C177156631CB85F5EA128CE1ED864FE643B06546F31F11F928C
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{f1558e2f-f401-46b0-951f-41f30f06db97}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730321200077,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate...8,"startTim..`165318...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....170437,"originA

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	6.334045707441808
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSEKaLXnIgm/pnxQwRlszT5sKt0i3eHVQj6T3JamhujJlOHzIomNVrw:GUpOx/2nR6N3eHT3J4JlK8quR4
MD5:	B15C4EE54C9F8CFF2BA8CA8C2E83F4D1
SHA1:	0BA553BEF1178DBB47E19A74098FBA43202FBFA6
SHA-256:	87F46592371B721FC0AD19FDD132861B8E3241B4AE1F74B807B4ABEDE7BD78F2
SHA-512:	D6CB1E2F2336F5A2ACFF0B259A2257182E1E5B3A8559E697D29445B3A119AE1DC62D674A57F43C177156631CB85F5EA128CE1ED864FE643B06546F31F11F928C
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{f1558e2f-f401-46b0-951f-41f30f06db97}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730321200077,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate...8,"startTim..`165318...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....170437,"originA

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.034534303613634
Encrypted:	false
SSDEEP:	48:YrSAYnz6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyk:yczyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	D70583E50460DB37C273DF059FADE4C6
SHA1:	28BBE016D5696EEB968EBDE63F20D2A6F8E7C317
SHA-256:	D998F9151AB917D092552445E6175BAEF562D79673D4E4865C621F4527F51C2B
SHA-512:	EB05F5916EC068CE2A72FC21639020B42B74461D60580069A55CCF2692AD1F4CDD8A0B4BF392688FBA23D09541C21C15420DFC932C1DBB51C29C5A54A22F913D
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-30T20:46:19.747Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.034534303613634
Encrypted:	false
SSDEEP:	48:YrSAYnz6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyk:yczyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	D70583E50460DB37C273DF059FADE4C6
SHA1:	28BBE016D5696EEB968EBDE63F20D2A6F8E7C317
SHA-256:	D998F9151AB917D092552445E6175BAEF562D79673D4E4865C621F4527F51C2B
SHA-512:	EB05F5916EC068CE2A72FC21639020B42B74461D60580069A55CCF2692AD1F4CDD8A0B4BF392688FBA23D09541C21C15420DFC932C1DBB51C29C5A54A22F913D
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-30T20:46:19.747Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584665030956594
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	c5c8202cf33c1c61d4463d53aa3748e5
SHA1:	be46a2f36d213ed714a9f60f73e577d3884df9a4
SHA256:	ca80960301e0e4d399cdd5f9b93395b0d398290e0978926d1620437e19e0e955
SHA512:	df2a7b43d30369e15c516150e9070889e0d6d2dabe343caf2d189a406c10129a37c980e7c383b9c6d5ec17ae235dd88ac0fa1cb8f29f74175df504fe4e4377f0
SSDEEP:	12288:GqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/TB:GqDEvCTbMWu7rQYlBQcBiT6rprG8abB
TLSH:	E7159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x672288B2 [Wed Oct 30 19:27:46 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FD694CDCBC3h
jmp 00007FD694CDC4CFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FD694CDC6ADh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FD694CDC67Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FD694CDF26Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FD694CDF2B8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FD694CDF2A1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	fbbe17f381a8bd61c9e01fe0de006257	False	0.3156398338607595	data	5.373960290861578	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 30, 2024 20:39:03.671406984 CET	49736	443	192.168.2.4	35.190.72.216
Oct 30, 2024 20:39:03.671506882 CET	443	49736	35.190.72.216	192.168.2.4
Oct 30, 2024 20:39:03.671953917 CET	49736	443	192.168.2.4	35.190.72.216
Oct 30, 2024 20:39:03.678229094 CET	49736	443	192.168.2.4	35.190.72.216
Oct 30, 2024 20:39:03.678267002 CET	443	49736	35.190.72.216	192.168.2.4
Oct 30, 2024 20:39:04.290612936 CET	443	49736	35.190.72.216	192.168.2.4
Oct 30, 2024 20:39:04.295336008 CET	443	49736	35.190.72.216	192.168.2.4
Oct 30, 2024 20:39:04.297058105 CET	49736	443	192.168.2.4	35.190.72.216
Oct 30, 2024 20:39:04.305895090 CET	49736	443	192.168.2.4	35.190.72.216
Oct 30, 2024 20:39:04.305927992 CET	443	49736	35.190.72.216	192.168.2.4
Oct 30, 2024 20:39:04.306049109 CET	49736	443	192.168.2.4	35.190.72.216
Oct 30, 2024 20:39:04.306086063 CET	443	49736	35.190.72.216	192.168.2.4
Oct 30, 2024 20:39:04.306298018 CET	49736	443	192.168.2.4	35.190.72.216
Oct 30, 2024 20:39:04.306482077 CET	49737	443	192.168.2.4	35.190.72.216
Oct 30, 2024 20:39:04.306524992 CET	443	49737	35.190.72.216	192.168.2.4
Oct 30, 2024 20:39:04.306615114 CET	49737	443	192.168.2.4	35.190.72.216
Oct 30, 2024 20:39:04.308106899 CET	49737	443	192.168.2.4	35.190.72.216
Oct 30, 2024 20:39:04.308123112 CET	443	49737	35.190.72.216	192.168.2.4
Oct 30, 2024 20:39:04.915625095 CET	443	49737	35.190.72.216	192.168.2.4
Oct 30, 2024 20:39:04.915807009 CET	49737	443	192.168.2.4	35.190.72.216
Oct 30, 2024 20:39:04.921257019 CET	49737	443	192.168.2.4	35.190.72.216
Oct 30, 2024 20:39:04.921271086 CET	443	49737	35.190.72.216	192.168.2.4
Oct 30, 2024 20:39:04.921344995 CET	49737	443	192.168.2.4	35.190.72.216
Oct 30, 2024 20:39:04.921422005 CET	443	49737	35.190.72.216	192.168.2.4
Oct 30, 2024 20:39:04.932020903 CET	49737	443	192.168.2.4	35.190.72.216
Oct 30, 2024 20:39:05.618726969 CET	49739	443	192.168.2.4	172.217.23.110
Oct 30, 2024 20:39:05.618809938 CET	443	49739	172.217.23.110	192.168.2.4
Oct 30, 2024 20:39:05.619226933 CET	49739	443	192.168.2.4	172.217.23.110
Oct 30, 2024 20:39:05.621109962 CET	49739	443	192.168.2.4	172.217.23.110
Oct 30, 2024 20:39:05.621160030 CET	443	49739	172.217.23.110	192.168.2.4
Oct 30, 2024 20:39:05.825999975 CET	49740	443	192.168.2.4	172.217.23.110
Oct 30, 2024 20:39:05.826087952 CET	443	49740	172.217.23.110	192.168.2.4
Oct 30, 2024 20:39:05.826649904 CET	49740	443	192.168.2.4	172.217.23.110
Oct 30, 2024 20:39:05.828105927 CET	49740	443	192.168.2.4	172.217.23.110
Oct 30, 2024 20:39:05.828140020 CET	443	49740	172.217.23.110	192.168.2.4
Oct 30, 2024 20:39:05.848890066 CET	49741	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:05.854299068 CET	80	49741	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:05.854490995 CET	49741	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:05.854609966 CET	49741	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:05.859869003 CET	80	49741	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:05.985733032 CET	49742	443	192.168.2.4	34.117.188.166
Oct 30, 2024 20:39:05.985771894 CET	443	49742	34.117.188.166	192.168.2.4
Oct 30, 2024 20:39:05.986319065 CET	49742	443	192.168.2.4	34.117.188.166
Oct 30, 2024 20:39:05.987795115 CET	49742	443	192.168.2.4	34.117.188.166
Oct 30, 2024 20:39:05.987811089 CET	443	49742	34.117.188.166	192.168.2.4
Oct 30, 2024 20:39:06.015062094 CET	49743	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:06.015079975 CET	443	49743	35.244.181.201	192.168.2.4
Oct 30, 2024 20:39:06.017266035 CET	49743	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:06.017406940 CET	49743	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:06.017448902 CET	443	49743	35.244.181.201	192.168.2.4
Oct 30, 2024 20:39:06.344558954 CET	49744	443	192.168.2.4	34.117.188.166
Oct 30, 2024 20:39:06.344610929 CET	443	49744	34.117.188.166	192.168.2.4
Oct 30, 2024 20:39:06.346590042 CET	49744	443	192.168.2.4	34.117.188.166
Oct 30, 2024 20:39:06.347970009 CET	49744	443	192.168.2.4	34.117.188.166
Oct 30, 2024 20:39:06.347997904 CET	443	49744	34.117.188.166	192.168.2.4
Oct 30, 2024 20:39:06.451692104 CET	80	49741	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:06.473901033 CET	443	49739	172.217.23.110	192.168.2.4
Oct 30, 2024 20:39:06.474050999 CET	49739	443	192.168.2.4	172.217.23.110
Oct 30, 2024 20:39:06.474566936 CET	443	49739	172.217.23.110	192.168.2.4
Oct 30, 2024 20:39:06.474627972 CET	49739	443	192.168.2.4	172.217.23.110
Oct 30, 2024 20:39:06.479424953 CET	49739	443	192.168.2.4	172.217.23.110
Oct 30, 2024 20:39:06.479446888 CET	443	49739	172.217.23.110	192.168.2.4
Oct 30, 2024 20:39:06.479532003 CET	49739	443	192.168.2.4	172.217.23.110
Oct 30, 2024 20:39:06.479578018 CET	443	49739	172.217.23.110	192.168.2.4
Oct 30, 2024 20:39:06.479649067 CET	49739	443	192.168.2.4	172.217.23.110
Oct 30, 2024 20:39:06.497397900 CET	49741	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:06.505098104 CET	49745	443	192.168.2.4	34.160.144.191
Oct 30, 2024 20:39:06.505131006 CET	443	49745	34.160.144.191	192.168.2.4
Oct 30, 2024 20:39:06.505222082 CET	49745	443	192.168.2.4	34.160.144.191
Oct 30, 2024 20:39:06.505398989 CET	49745	443	192.168.2.4	34.160.144.191
Oct 30, 2024 20:39:06.505413055 CET	443	49745	34.160.144.191	192.168.2.4
Oct 30, 2024 20:39:06.592092037 CET	49746	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:06.596426010 CET	443	49742	34.117.188.166	192.168.2.4
Oct 30, 2024 20:39:06.596930027 CET	49742	443	192.168.2.4	34.117.188.166
Oct 30, 2024 20:39:06.597399950 CET	80	49746	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:06.597793102 CET	49746	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:06.599500895 CET	49746	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:06.602973938 CET	49742	443	192.168.2.4	34.117.188.166
Oct 30, 2024 20:39:06.602986097 CET	443	49742	34.117.188.166	192.168.2.4
Oct 30, 2024 20:39:06.603080034 CET	49742	443	192.168.2.4	34.117.188.166
Oct 30, 2024 20:39:06.603138924 CET	443	49742	34.117.188.166	192.168.2.4
Oct 30, 2024 20:39:06.603440046 CET	49747	443	192.168.2.4	34.117.188.166
Oct 30, 2024 20:39:06.603480101 CET	443	49747	34.117.188.166	192.168.2.4
Oct 30, 2024 20:39:06.604846954 CET	80	49746	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:06.607083082 CET	49742	443	192.168.2.4	34.117.188.166
Oct 30, 2024 20:39:06.607131958 CET	49747	443	192.168.2.4	34.117.188.166
Oct 30, 2024 20:39:06.608603001 CET	49747	443	192.168.2.4	34.117.188.166
Oct 30, 2024 20:39:06.608620882 CET	443	49747	34.117.188.166	192.168.2.4
Oct 30, 2024 20:39:06.631196976 CET	443	49743	35.244.181.201	192.168.2.4
Oct 30, 2024 20:39:06.631264925 CET	49743	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:06.634144068 CET	49743	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:06.634149075 CET	443	49743	35.244.181.201	192.168.2.4
Oct 30, 2024 20:39:06.634638071 CET	443	49743	35.244.181.201	192.168.2.4
Oct 30, 2024 20:39:06.636965990 CET	49743	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:06.637034893 CET	49743	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:06.637339115 CET	443	49743	35.244.181.201	192.168.2.4
Oct 30, 2024 20:39:06.637403965 CET	49743	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:06.664355040 CET	49741	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:06.670372009 CET	80	49741	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:06.670439005 CET	49741	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:06.685543060 CET	49748	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:06.690881968 CET	80	49748	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:06.693610907 CET	49748	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:06.693747044 CET	49748	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:06.699103117 CET	80	49748	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:06.705308914 CET	443	49740	172.217.23.110	192.168.2.4
Oct 30, 2024 20:39:06.706012011 CET	443	49740	172.217.23.110	192.168.2.4
Oct 30, 2024 20:39:06.711333036 CET	443	49740	172.217.23.110	192.168.2.4
Oct 30, 2024 20:39:06.713694096 CET	49740	443	192.168.2.4	172.217.23.110
Oct 30, 2024 20:39:06.718159914 CET	49740	443	192.168.2.4	172.217.23.110
Oct 30, 2024 20:39:06.718179941 CET	443	49740	172.217.23.110	192.168.2.4
Oct 30, 2024 20:39:06.718285084 CET	49740	443	192.168.2.4	172.217.23.110
Oct 30, 2024 20:39:06.718348980 CET	443	49740	172.217.23.110	192.168.2.4
Oct 30, 2024 20:39:06.718607903 CET	49749	443	192.168.2.4	172.217.23.110
Oct 30, 2024 20:39:06.718631983 CET	443	49749	172.217.23.110	192.168.2.4
Oct 30, 2024 20:39:06.718779087 CET	49740	443	192.168.2.4	172.217.23.110
Oct 30, 2024 20:39:06.718810081 CET	49749	443	192.168.2.4	172.217.23.110
Oct 30, 2024 20:39:06.720180035 CET	49749	443	192.168.2.4	172.217.23.110
Oct 30, 2024 20:39:06.720194101 CET	443	49749	172.217.23.110	192.168.2.4
Oct 30, 2024 20:39:06.974955082 CET	443	49744	34.117.188.166	192.168.2.4
Oct 30, 2024 20:39:06.975110054 CET	49744	443	192.168.2.4	34.117.188.166
Oct 30, 2024 20:39:06.979757071 CET	49744	443	192.168.2.4	34.117.188.166
Oct 30, 2024 20:39:06.979775906 CET	443	49744	34.117.188.166	192.168.2.4
Oct 30, 2024 20:39:06.979891062 CET	49744	443	192.168.2.4	34.117.188.166
Oct 30, 2024 20:39:06.980056047 CET	443	49744	34.117.188.166	192.168.2.4
Oct 30, 2024 20:39:06.980282068 CET	49751	443	192.168.2.4	34.117.188.166
Oct 30, 2024 20:39:06.980314016 CET	443	49751	34.117.188.166	192.168.2.4
Oct 30, 2024 20:39:06.980812073 CET	49744	443	192.168.2.4	34.117.188.166
Oct 30, 2024 20:39:06.980830908 CET	49751	443	192.168.2.4	34.117.188.166
Oct 30, 2024 20:39:06.982189894 CET	49751	443	192.168.2.4	34.117.188.166
Oct 30, 2024 20:39:06.982204914 CET	443	49751	34.117.188.166	192.168.2.4
Oct 30, 2024 20:39:07.127654076 CET	443	49745	34.160.144.191	192.168.2.4
Oct 30, 2024 20:39:07.128535986 CET	49745	443	192.168.2.4	34.160.144.191
Oct 30, 2024 20:39:07.131731987 CET	49745	443	192.168.2.4	34.160.144.191
Oct 30, 2024 20:39:07.131746054 CET	443	49745	34.160.144.191	192.168.2.4
Oct 30, 2024 20:39:07.131946087 CET	443	49745	34.160.144.191	192.168.2.4
Oct 30, 2024 20:39:07.162839890 CET	49745	443	192.168.2.4	34.160.144.191
Oct 30, 2024 20:39:07.162961006 CET	49745	443	192.168.2.4	34.160.144.191
Oct 30, 2024 20:39:07.163012028 CET	443	49745	34.160.144.191	192.168.2.4
Oct 30, 2024 20:39:07.163357019 CET	49752	443	192.168.2.4	34.160.144.191
Oct 30, 2024 20:39:07.163402081 CET	443	49752	34.160.144.191	192.168.2.4
Oct 30, 2024 20:39:07.168194056 CET	49745	443	192.168.2.4	34.160.144.191
Oct 30, 2024 20:39:07.168246031 CET	49752	443	192.168.2.4	34.160.144.191
Oct 30, 2024 20:39:07.168461084 CET	49752	443	192.168.2.4	34.160.144.191
Oct 30, 2024 20:39:07.168490887 CET	443	49752	34.160.144.191	192.168.2.4
Oct 30, 2024 20:39:07.196190119 CET	80	49746	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:07.196619034 CET	49746	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:07.202244997 CET	80	49746	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:07.202321053 CET	49746	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:07.215650082 CET	443	49747	34.117.188.166	192.168.2.4
Oct 30, 2024 20:39:07.215728998 CET	49747	443	192.168.2.4	34.117.188.166
Oct 30, 2024 20:39:07.221039057 CET	49747	443	192.168.2.4	34.117.188.166
Oct 30, 2024 20:39:07.221050024 CET	443	49747	34.117.188.166	192.168.2.4
Oct 30, 2024 20:39:07.221117973 CET	49747	443	192.168.2.4	34.117.188.166
Oct 30, 2024 20:39:07.221221924 CET	443	49747	34.117.188.166	192.168.2.4
Oct 30, 2024 20:39:07.221343994 CET	49747	443	192.168.2.4	34.117.188.166
Oct 30, 2024 20:39:07.292570114 CET	80	49748	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:07.346580029 CET	49748	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:07.493474960 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:07.494750977 CET	49755	443	192.168.2.4	34.107.243.93
Oct 30, 2024 20:39:07.494769096 CET	443	49755	34.107.243.93	192.168.2.4
Oct 30, 2024 20:39:07.498843908 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:07.500329971 CET	49755	443	192.168.2.4	34.107.243.93
Oct 30, 2024 20:39:07.500329971 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:07.502062082 CET	49755	443	192.168.2.4	34.107.243.93
Oct 30, 2024 20:39:07.502077103 CET	443	49755	34.107.243.93	192.168.2.4
Oct 30, 2024 20:39:07.502202988 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:07.506843090 CET	49756	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:39:07.506880999 CET	443	49756	34.120.208.123	192.168.2.4
Oct 30, 2024 20:39:07.507472038 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:07.511431932 CET	49756	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:39:07.515464067 CET	49756	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:39:07.515485048 CET	443	49756	34.120.208.123	192.168.2.4
Oct 30, 2024 20:39:07.564719915 CET	443	49749	172.217.23.110	192.168.2.4
Oct 30, 2024 20:39:07.565426111 CET	443	49749	172.217.23.110	192.168.2.4
Oct 30, 2024 20:39:07.569381952 CET	49749	443	192.168.2.4	172.217.23.110
Oct 30, 2024 20:39:07.569403887 CET	443	49749	172.217.23.110	192.168.2.4
Oct 30, 2024 20:39:07.578583956 CET	49749	443	192.168.2.4	172.217.23.110
Oct 30, 2024 20:39:07.578608990 CET	443	49749	172.217.23.110	192.168.2.4
Oct 30, 2024 20:39:07.578658104 CET	49749	443	192.168.2.4	172.217.23.110
Oct 30, 2024 20:39:07.578754902 CET	443	49749	172.217.23.110	192.168.2.4
Oct 30, 2024 20:39:07.579269886 CET	49749	443	192.168.2.4	172.217.23.110
Oct 30, 2024 20:39:07.776971102 CET	443	49752	34.160.144.191	192.168.2.4
Oct 30, 2024 20:39:07.786047935 CET	49752	443	192.168.2.4	34.160.144.191
Oct 30, 2024 20:39:07.833450079 CET	49752	443	192.168.2.4	34.160.144.191
Oct 30, 2024 20:39:07.833503008 CET	443	49752	34.160.144.191	192.168.2.4
Oct 30, 2024 20:39:07.833844900 CET	443	49752	34.160.144.191	192.168.2.4
Oct 30, 2024 20:39:07.835990906 CET	49752	443	192.168.2.4	34.160.144.191
Oct 30, 2024 20:39:07.836066008 CET	49752	443	192.168.2.4	34.160.144.191
Oct 30, 2024 20:39:07.836182117 CET	443	49752	34.160.144.191	192.168.2.4
Oct 30, 2024 20:39:07.846612930 CET	49752	443	192.168.2.4	34.160.144.191
Oct 30, 2024 20:39:07.846647978 CET	49752	443	192.168.2.4	34.160.144.191
Oct 30, 2024 20:39:07.897826910 CET	443	49751	34.117.188.166	192.168.2.4
Oct 30, 2024 20:39:07.903335094 CET	443	49751	34.117.188.166	192.168.2.4
Oct 30, 2024 20:39:07.907200098 CET	49751	443	192.168.2.4	34.117.188.166
Oct 30, 2024 20:39:07.966633081 CET	49751	443	192.168.2.4	34.117.188.166
Oct 30, 2024 20:39:07.966648102 CET	443	49751	34.117.188.166	192.168.2.4
Oct 30, 2024 20:39:07.966725111 CET	49751	443	192.168.2.4	34.117.188.166
Oct 30, 2024 20:39:07.967108011 CET	443	49751	34.117.188.166	192.168.2.4
Oct 30, 2024 20:39:07.967669964 CET	49751	443	192.168.2.4	34.117.188.166
Oct 30, 2024 20:39:08.104281902 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:08.112138033 CET	443	49755	34.107.243.93	192.168.2.4
Oct 30, 2024 20:39:08.112493038 CET	49755	443	192.168.2.4	34.107.243.93
Oct 30, 2024 20:39:08.116910934 CET	49755	443	192.168.2.4	34.107.243.93
Oct 30, 2024 20:39:08.116921902 CET	443	49755	34.107.243.93	192.168.2.4
Oct 30, 2024 20:39:08.116986036 CET	49755	443	192.168.2.4	34.107.243.93
Oct 30, 2024 20:39:08.117078066 CET	443	49755	34.107.243.93	192.168.2.4
Oct 30, 2024 20:39:08.127501011 CET	443	49756	34.120.208.123	192.168.2.4
Oct 30, 2024 20:39:08.129235029 CET	49755	443	192.168.2.4	34.107.243.93
Oct 30, 2024 20:39:08.129261017 CET	49756	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:39:08.141974926 CET	49756	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:39:08.141989946 CET	443	49756	34.120.208.123	192.168.2.4
Oct 30, 2024 20:39:08.142046928 CET	49756	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:39:08.142237902 CET	443	49756	34.120.208.123	192.168.2.4
Oct 30, 2024 20:39:08.149389982 CET	49756	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:39:08.149405003 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:08.203583002 CET	49748	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:08.204269886 CET	49757	443	192.168.2.4	34.149.100.209
Oct 30, 2024 20:39:08.204308033 CET	443	49757	34.149.100.209	192.168.2.4
Oct 30, 2024 20:39:08.206717968 CET	49757	443	192.168.2.4	34.149.100.209
Oct 30, 2024 20:39:08.208163977 CET	49757	443	192.168.2.4	34.149.100.209
Oct 30, 2024 20:39:08.208179951 CET	443	49757	34.149.100.209	192.168.2.4
Oct 30, 2024 20:39:08.208899021 CET	80	49748	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:08.223172903 CET	49758	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:08.223207951 CET	443	49758	35.244.181.201	192.168.2.4
Oct 30, 2024 20:39:08.223742962 CET	49758	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:08.223942041 CET	49758	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:08.223953962 CET	443	49758	35.244.181.201	192.168.2.4
Oct 30, 2024 20:39:08.328521967 CET	80	49748	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:08.371283054 CET	49748	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:08.449491978 CET	49759	443	192.168.2.4	34.117.188.166
Oct 30, 2024 20:39:08.449526072 CET	443	49759	34.117.188.166	192.168.2.4
Oct 30, 2024 20:39:08.452014923 CET	49759	443	192.168.2.4	34.117.188.166
Oct 30, 2024 20:39:08.453632116 CET	49759	443	192.168.2.4	34.117.188.166
Oct 30, 2024 20:39:08.453643084 CET	443	49759	34.117.188.166	192.168.2.4
Oct 30, 2024 20:39:08.466671944 CET	49760	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:39:08.466697931 CET	443	49760	34.120.208.123	192.168.2.4
Oct 30, 2024 20:39:08.467514992 CET	49760	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:39:08.468951941 CET	49760	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:39:08.468966007 CET	443	49760	34.120.208.123	192.168.2.4
Oct 30, 2024 20:39:08.838906050 CET	443	49757	34.149.100.209	192.168.2.4
Oct 30, 2024 20:39:08.846868992 CET	49757	443	192.168.2.4	34.149.100.209
Oct 30, 2024 20:39:08.864526033 CET	443	49758	35.244.181.201	192.168.2.4
Oct 30, 2024 20:39:08.865448952 CET	49758	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:08.924604893 CET	49758	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:08.924619913 CET	443	49758	35.244.181.201	192.168.2.4
Oct 30, 2024 20:39:08.924942970 CET	443	49758	35.244.181.201	192.168.2.4
Oct 30, 2024 20:39:08.926732063 CET	49757	443	192.168.2.4	34.149.100.209
Oct 30, 2024 20:39:08.926759958 CET	443	49757	34.149.100.209	192.168.2.4
Oct 30, 2024 20:39:08.926814079 CET	49757	443	192.168.2.4	34.149.100.209
Oct 30, 2024 20:39:08.926997900 CET	443	49757	34.149.100.209	192.168.2.4
Oct 30, 2024 20:39:08.928164959 CET	49757	443	192.168.2.4	34.149.100.209
Oct 30, 2024 20:39:08.929641962 CET	49758	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:08.929713964 CET	49758	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:08.929805994 CET	443	49758	35.244.181.201	192.168.2.4
Oct 30, 2024 20:39:08.936774969 CET	49758	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:09.068156958 CET	443	49760	34.120.208.123	192.168.2.4
Oct 30, 2024 20:39:09.068236113 CET	49760	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:39:09.070861101 CET	443	49759	34.117.188.166	192.168.2.4
Oct 30, 2024 20:39:09.070935011 CET	49759	443	192.168.2.4	34.117.188.166
Oct 30, 2024 20:39:09.105998039 CET	49760	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:39:09.106014967 CET	443	49760	34.120.208.123	192.168.2.4
Oct 30, 2024 20:39:09.106091976 CET	49760	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:39:09.106193066 CET	49759	443	192.168.2.4	34.117.188.166
Oct 30, 2024 20:39:09.106199980 CET	443	49759	34.117.188.166	192.168.2.4
Oct 30, 2024 20:39:09.106211901 CET	443	49760	34.120.208.123	192.168.2.4
Oct 30, 2024 20:39:09.106265068 CET	49759	443	192.168.2.4	34.117.188.166
Oct 30, 2024 20:39:09.106374979 CET	49760	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:39:09.106400013 CET	443	49759	34.117.188.166	192.168.2.4
Oct 30, 2024 20:39:09.106447935 CET	49759	443	192.168.2.4	34.117.188.166
Oct 30, 2024 20:39:10.838680029 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:10.844055891 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:10.888340950 CET	49748	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:10.889861107 CET	49762	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:39:10.889904022 CET	443	49762	34.120.208.123	192.168.2.4
Oct 30, 2024 20:39:10.890156031 CET	49762	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:39:10.891719103 CET	49762	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:39:10.891738892 CET	443	49762	34.120.208.123	192.168.2.4
Oct 30, 2024 20:39:10.893625975 CET	80	49748	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:10.966732979 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:11.004477978 CET	49763	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:39:11.004580975 CET	443	49763	34.120.208.123	192.168.2.4
Oct 30, 2024 20:39:11.005759954 CET	49764	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:39:11.005801916 CET	443	49764	34.120.208.123	192.168.2.4
Oct 30, 2024 20:39:11.007055044 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:11.007117987 CET	49763	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:39:11.007250071 CET	49764	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:39:11.007559061 CET	49764	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:39:11.007569075 CET	49763	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:39:11.007574081 CET	443	49764	34.120.208.123	192.168.2.4
Oct 30, 2024 20:39:11.007601976 CET	443	49763	34.120.208.123	192.168.2.4
Oct 30, 2024 20:39:11.013351917 CET	80	49748	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:11.060450077 CET	49748	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:11.510451078 CET	443	49762	34.120.208.123	192.168.2.4
Oct 30, 2024 20:39:11.510539055 CET	49762	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:39:11.514328957 CET	49762	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:39:11.514339924 CET	443	49762	34.120.208.123	192.168.2.4
Oct 30, 2024 20:39:11.514425039 CET	49762	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:39:11.514540911 CET	443	49762	34.120.208.123	192.168.2.4
Oct 30, 2024 20:39:11.514763117 CET	49762	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:39:11.613826036 CET	443	49764	34.120.208.123	192.168.2.4
Oct 30, 2024 20:39:11.616657972 CET	49764	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:39:11.619590044 CET	49764	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:39:11.619599104 CET	443	49764	34.120.208.123	192.168.2.4
Oct 30, 2024 20:39:11.619862080 CET	443	49764	34.120.208.123	192.168.2.4
Oct 30, 2024 20:39:11.623883009 CET	443	49763	34.120.208.123	192.168.2.4
Oct 30, 2024 20:39:11.624130011 CET	49763	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:39:11.626250029 CET	49763	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:39:11.626269102 CET	443	49763	34.120.208.123	192.168.2.4
Oct 30, 2024 20:39:11.626503944 CET	443	49763	34.120.208.123	192.168.2.4
Oct 30, 2024 20:39:11.627087116 CET	49764	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:39:11.627255917 CET	443	49764	34.120.208.123	192.168.2.4
Oct 30, 2024 20:39:11.627258062 CET	49764	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:39:11.627264977 CET	443	49764	34.120.208.123	192.168.2.4
Oct 30, 2024 20:39:11.629324913 CET	49763	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:39:11.629399061 CET	49763	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:39:11.629487038 CET	443	49763	34.120.208.123	192.168.2.4
Oct 30, 2024 20:39:11.629539013 CET	49763	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:39:11.835326910 CET	443	49764	34.120.208.123	192.168.2.4
Oct 30, 2024 20:39:11.835390091 CET	49764	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:39:15.213392019 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:15.218765020 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:15.340090036 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:15.391869068 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:16.368742943 CET	49748	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:16.374346972 CET	80	49748	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:16.494013071 CET	80	49748	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:16.510611057 CET	49769	443	192.168.2.4	34.107.243.93
Oct 30, 2024 20:39:16.510658979 CET	443	49769	34.107.243.93	192.168.2.4
Oct 30, 2024 20:39:16.514461040 CET	49769	443	192.168.2.4	34.107.243.93
Oct 30, 2024 20:39:16.516000986 CET	49769	443	192.168.2.4	34.107.243.93
Oct 30, 2024 20:39:16.516019106 CET	443	49769	34.107.243.93	192.168.2.4
Oct 30, 2024 20:39:16.548474073 CET	49748	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:17.137324095 CET	443	49769	34.107.243.93	192.168.2.4
Oct 30, 2024 20:39:17.150383949 CET	49769	443	192.168.2.4	34.107.243.93
Oct 30, 2024 20:39:17.163846016 CET	49769	443	192.168.2.4	34.107.243.93
Oct 30, 2024 20:39:17.163872004 CET	443	49769	34.107.243.93	192.168.2.4
Oct 30, 2024 20:39:17.163938046 CET	49769	443	192.168.2.4	34.107.243.93
Oct 30, 2024 20:39:17.164012909 CET	443	49769	34.107.243.93	192.168.2.4
Oct 30, 2024 20:39:17.165930986 CET	49769	443	192.168.2.4	34.107.243.93
Oct 30, 2024 20:39:17.672456980 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:17.678025007 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:17.799793005 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:17.843328953 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:18.574721098 CET	49748	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:18.580061913 CET	80	49748	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:18.707412958 CET	80	49748	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:18.734363079 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:18.739725113 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:18.761620998 CET	49748	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:18.860865116 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:18.915242910 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:28.347227097 CET	49772	443	192.168.2.4	34.107.243.93
Oct 30, 2024 20:39:28.347265959 CET	443	49772	34.107.243.93	192.168.2.4
Oct 30, 2024 20:39:28.350467920 CET	49772	443	192.168.2.4	34.107.243.93
Oct 30, 2024 20:39:28.351757050 CET	49772	443	192.168.2.4	34.107.243.93
Oct 30, 2024 20:39:28.351767063 CET	443	49772	34.107.243.93	192.168.2.4
Oct 30, 2024 20:39:28.721205950 CET	49748	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:28.726763010 CET	80	49748	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:28.874824047 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:28.880179882 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:28.954309940 CET	443	49772	34.107.243.93	192.168.2.4
Oct 30, 2024 20:39:28.954583883 CET	49772	443	192.168.2.4	34.107.243.93
Oct 30, 2024 20:39:28.959285021 CET	49772	443	192.168.2.4	34.107.243.93
Oct 30, 2024 20:39:28.959294081 CET	443	49772	34.107.243.93	192.168.2.4
Oct 30, 2024 20:39:28.959373951 CET	49772	443	192.168.2.4	34.107.243.93
Oct 30, 2024 20:39:28.959435940 CET	443	49772	34.107.243.93	192.168.2.4
Oct 30, 2024 20:39:28.960598946 CET	49772	443	192.168.2.4	34.107.243.93
Oct 30, 2024 20:39:28.962866068 CET	49748	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:28.968267918 CET	80	49748	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:29.088347912 CET	80	49748	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:29.092117071 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:29.098192930 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:29.144424915 CET	49748	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:29.219724894 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:29.260338068 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:32.223463058 CET	49773	443	192.168.2.4	34.149.100.209
Oct 30, 2024 20:39:32.223534107 CET	443	49773	34.149.100.209	192.168.2.4
Oct 30, 2024 20:39:32.226401091 CET	49773	443	192.168.2.4	34.149.100.209
Oct 30, 2024 20:39:32.226572990 CET	49773	443	192.168.2.4	34.149.100.209
Oct 30, 2024 20:39:32.226591110 CET	443	49773	34.149.100.209	192.168.2.4
Oct 30, 2024 20:39:32.230010033 CET	49774	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:32.230051041 CET	443	49774	35.244.181.201	192.168.2.4
Oct 30, 2024 20:39:32.230680943 CET	49774	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:32.231339931 CET	49774	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:32.231350899 CET	443	49774	35.244.181.201	192.168.2.4
Oct 30, 2024 20:39:32.231750011 CET	49775	443	192.168.2.4	151.101.193.91
Oct 30, 2024 20:39:32.231776953 CET	443	49775	151.101.193.91	192.168.2.4
Oct 30, 2024 20:39:32.232594013 CET	49775	443	192.168.2.4	151.101.193.91
Oct 30, 2024 20:39:32.232680082 CET	49775	443	192.168.2.4	151.101.193.91
Oct 30, 2024 20:39:32.232695103 CET	443	49775	151.101.193.91	192.168.2.4
Oct 30, 2024 20:39:32.256093979 CET	49776	443	192.168.2.4	35.190.72.216
Oct 30, 2024 20:39:32.256113052 CET	443	49776	35.190.72.216	192.168.2.4
Oct 30, 2024 20:39:32.260304928 CET	49776	443	192.168.2.4	35.190.72.216
Oct 30, 2024 20:39:32.261770010 CET	49776	443	192.168.2.4	35.190.72.216
Oct 30, 2024 20:39:32.261780024 CET	443	49776	35.190.72.216	192.168.2.4
Oct 30, 2024 20:39:32.272250891 CET	49777	443	192.168.2.4	35.201.103.21
Oct 30, 2024 20:39:32.272269011 CET	443	49777	35.201.103.21	192.168.2.4
Oct 30, 2024 20:39:32.275629044 CET	49777	443	192.168.2.4	35.201.103.21
Oct 30, 2024 20:39:32.277025938 CET	49777	443	192.168.2.4	35.201.103.21
Oct 30, 2024 20:39:32.277043104 CET	443	49777	35.201.103.21	192.168.2.4
Oct 30, 2024 20:39:32.835005999 CET	443	49773	34.149.100.209	192.168.2.4
Oct 30, 2024 20:39:32.835120916 CET	49773	443	192.168.2.4	34.149.100.209
Oct 30, 2024 20:39:32.838701010 CET	49773	443	192.168.2.4	34.149.100.209
Oct 30, 2024 20:39:32.838712931 CET	443	49773	34.149.100.209	192.168.2.4
Oct 30, 2024 20:39:32.838931084 CET	443	49773	34.149.100.209	192.168.2.4
Oct 30, 2024 20:39:32.840013981 CET	443	49775	151.101.193.91	192.168.2.4
Oct 30, 2024 20:39:32.840164900 CET	49775	443	192.168.2.4	151.101.193.91
Oct 30, 2024 20:39:32.842902899 CET	49775	443	192.168.2.4	151.101.193.91
Oct 30, 2024 20:39:32.842911005 CET	443	49775	151.101.193.91	192.168.2.4
Oct 30, 2024 20:39:32.843146086 CET	443	49775	151.101.193.91	192.168.2.4
Oct 30, 2024 20:39:32.844758034 CET	49773	443	192.168.2.4	34.149.100.209
Oct 30, 2024 20:39:32.844885111 CET	49773	443	192.168.2.4	34.149.100.209
Oct 30, 2024 20:39:32.844919920 CET	443	49773	34.149.100.209	192.168.2.4
Oct 30, 2024 20:39:32.846319914 CET	49775	443	192.168.2.4	151.101.193.91
Oct 30, 2024 20:39:32.846395016 CET	49775	443	192.168.2.4	151.101.193.91
Oct 30, 2024 20:39:32.846482992 CET	443	49775	151.101.193.91	192.168.2.4
Oct 30, 2024 20:39:32.848227978 CET	49773	443	192.168.2.4	34.149.100.209
Oct 30, 2024 20:39:32.848236084 CET	49775	443	192.168.2.4	151.101.193.91
Oct 30, 2024 20:39:32.850745916 CET	443	49774	35.244.181.201	192.168.2.4
Oct 30, 2024 20:39:32.850836992 CET	49774	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:32.853522062 CET	49774	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:32.853528976 CET	443	49774	35.244.181.201	192.168.2.4
Oct 30, 2024 20:39:32.853615999 CET	49748	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:32.853744030 CET	443	49774	35.244.181.201	192.168.2.4
Oct 30, 2024 20:39:32.856271029 CET	49778	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:32.856348038 CET	443	49778	35.244.181.201	192.168.2.4
Oct 30, 2024 20:39:32.857652903 CET	49774	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:32.857717037 CET	49774	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:32.857788086 CET	443	49774	35.244.181.201	192.168.2.4
Oct 30, 2024 20:39:32.858397961 CET	49774	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:32.858591080 CET	49778	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:32.858591080 CET	49778	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:32.858680964 CET	443	49778	35.244.181.201	192.168.2.4
Oct 30, 2024 20:39:32.859013081 CET	80	49748	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:32.860969067 CET	49779	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:32.860997915 CET	443	49779	35.244.181.201	192.168.2.4
Oct 30, 2024 20:39:32.861365080 CET	49779	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:32.861485958 CET	49779	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:32.861499071 CET	443	49779	35.244.181.201	192.168.2.4
Oct 30, 2024 20:39:32.863255978 CET	49780	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:32.863356113 CET	443	49780	35.244.181.201	192.168.2.4
Oct 30, 2024 20:39:32.863482952 CET	49780	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:32.863599062 CET	49780	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:32.863636017 CET	443	49780	35.244.181.201	192.168.2.4
Oct 30, 2024 20:39:32.872256041 CET	443	49776	35.190.72.216	192.168.2.4
Oct 30, 2024 20:39:32.872339010 CET	49776	443	192.168.2.4	35.190.72.216
Oct 30, 2024 20:39:32.876179934 CET	49776	443	192.168.2.4	35.190.72.216
Oct 30, 2024 20:39:32.876188040 CET	443	49776	35.190.72.216	192.168.2.4
Oct 30, 2024 20:39:32.876249075 CET	49776	443	192.168.2.4	35.190.72.216
Oct 30, 2024 20:39:32.876388073 CET	443	49776	35.190.72.216	192.168.2.4
Oct 30, 2024 20:39:32.885335922 CET	49776	443	192.168.2.4	35.190.72.216
Oct 30, 2024 20:39:32.935148954 CET	443	49777	35.201.103.21	192.168.2.4
Oct 30, 2024 20:39:32.935225964 CET	49777	443	192.168.2.4	35.201.103.21
Oct 30, 2024 20:39:32.940203905 CET	49777	443	192.168.2.4	35.201.103.21
Oct 30, 2024 20:39:32.940212011 CET	443	49777	35.201.103.21	192.168.2.4
Oct 30, 2024 20:39:32.940299988 CET	49777	443	192.168.2.4	35.201.103.21
Oct 30, 2024 20:39:32.940457106 CET	443	49777	35.201.103.21	192.168.2.4
Oct 30, 2024 20:39:32.940809011 CET	49777	443	192.168.2.4	35.201.103.21
Oct 30, 2024 20:39:32.952728987 CET	49781	443	192.168.2.4	34.149.100.209
Oct 30, 2024 20:39:32.952826023 CET	443	49781	34.149.100.209	192.168.2.4
Oct 30, 2024 20:39:32.953042984 CET	49781	443	192.168.2.4	34.149.100.209
Oct 30, 2024 20:39:32.953135014 CET	49781	443	192.168.2.4	34.149.100.209
Oct 30, 2024 20:39:32.953155041 CET	443	49781	34.149.100.209	192.168.2.4
Oct 30, 2024 20:39:32.979167938 CET	80	49748	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:32.982172012 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:32.987696886 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:33.033682108 CET	49748	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:33.110732079 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:33.156120062 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:33.470675945 CET	443	49779	35.244.181.201	192.168.2.4
Oct 30, 2024 20:39:33.470705032 CET	443	49778	35.244.181.201	192.168.2.4
Oct 30, 2024 20:39:33.470777988 CET	49779	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:33.471174002 CET	49778	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:33.472773075 CET	443	49780	35.244.181.201	192.168.2.4
Oct 30, 2024 20:39:33.473656893 CET	49779	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:33.473664999 CET	443	49779	35.244.181.201	192.168.2.4
Oct 30, 2024 20:39:33.473891020 CET	443	49779	35.244.181.201	192.168.2.4
Oct 30, 2024 20:39:33.473911047 CET	49780	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:33.476243973 CET	49778	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:33.476265907 CET	443	49778	35.244.181.201	192.168.2.4
Oct 30, 2024 20:39:33.476511955 CET	443	49778	35.244.181.201	192.168.2.4
Oct 30, 2024 20:39:33.478758097 CET	49780	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:33.478773117 CET	443	49780	35.244.181.201	192.168.2.4
Oct 30, 2024 20:39:33.478984118 CET	443	49780	35.244.181.201	192.168.2.4
Oct 30, 2024 20:39:33.482232094 CET	49779	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:33.482320070 CET	49779	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:33.482367039 CET	443	49779	35.244.181.201	192.168.2.4
Oct 30, 2024 20:39:33.482897997 CET	49778	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:33.482959986 CET	49778	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:33.483077049 CET	443	49778	35.244.181.201	192.168.2.4
Oct 30, 2024 20:39:33.483604908 CET	49780	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:33.483690977 CET	49780	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:33.483716965 CET	443	49780	35.244.181.201	192.168.2.4
Oct 30, 2024 20:39:33.484745979 CET	49779	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:33.484765053 CET	49778	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:33.484774113 CET	49780	443	192.168.2.4	35.244.181.201
Oct 30, 2024 20:39:33.488487005 CET	49748	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:33.493817091 CET	80	49748	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:33.567576885 CET	443	49781	34.149.100.209	192.168.2.4
Oct 30, 2024 20:39:33.567683935 CET	49781	443	192.168.2.4	34.149.100.209
Oct 30, 2024 20:39:33.570542097 CET	49781	443	192.168.2.4	34.149.100.209
Oct 30, 2024 20:39:33.570566893 CET	443	49781	34.149.100.209	192.168.2.4
Oct 30, 2024 20:39:33.570914030 CET	443	49781	34.149.100.209	192.168.2.4
Oct 30, 2024 20:39:33.572807074 CET	49781	443	192.168.2.4	34.149.100.209
Oct 30, 2024 20:39:33.572927952 CET	49781	443	192.168.2.4	34.149.100.209
Oct 30, 2024 20:39:33.573019028 CET	443	49781	34.149.100.209	192.168.2.4
Oct 30, 2024 20:39:33.573757887 CET	49781	443	192.168.2.4	34.149.100.209
Oct 30, 2024 20:39:33.613393068 CET	80	49748	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:33.616689920 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:33.622117996 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:33.657584906 CET	49748	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:33.743587017 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:33.789122105 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:43.617548943 CET	49748	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:43.622963905 CET	80	49748	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:43.749182940 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:43.755399942 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:49.113903046 CET	49783	443	192.168.2.4	34.107.243.93
Oct 30, 2024 20:39:49.113919973 CET	443	49783	34.107.243.93	192.168.2.4
Oct 30, 2024 20:39:49.114171982 CET	49783	443	192.168.2.4	34.107.243.93
Oct 30, 2024 20:39:49.115668058 CET	49783	443	192.168.2.4	34.107.243.93
Oct 30, 2024 20:39:49.115679026 CET	443	49783	34.107.243.93	192.168.2.4
Oct 30, 2024 20:39:49.728570938 CET	443	49783	34.107.243.93	192.168.2.4
Oct 30, 2024 20:39:49.728707075 CET	49783	443	192.168.2.4	34.107.243.93
Oct 30, 2024 20:39:49.734030962 CET	49783	443	192.168.2.4	34.107.243.93
Oct 30, 2024 20:39:49.734041929 CET	443	49783	34.107.243.93	192.168.2.4
Oct 30, 2024 20:39:49.734071016 CET	49783	443	192.168.2.4	34.107.243.93
Oct 30, 2024 20:39:49.734163046 CET	443	49783	34.107.243.93	192.168.2.4
Oct 30, 2024 20:39:49.734716892 CET	49783	443	192.168.2.4	34.107.243.93
Oct 30, 2024 20:39:49.736927032 CET	49748	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:49.744108915 CET	80	49748	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:49.861844063 CET	80	49748	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:49.864917040 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:49.870496988 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:49.904743910 CET	49748	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:49.992060900 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:50.036278963 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:59.872682095 CET	49748	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:39:59.877969027 CET	80	49748	34.107.221.82	192.168.2.4
Oct 30, 2024 20:39:59.995239973 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:40:00.001693964 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 20:40:02.357101917 CET	49818	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:40:02.357125998 CET	443	49818	34.120.208.123	192.168.2.4
Oct 30, 2024 20:40:02.357249975 CET	49819	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:40:02.357275963 CET	443	49819	34.120.208.123	192.168.2.4
Oct 30, 2024 20:40:02.357448101 CET	49820	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:40:02.357470036 CET	443	49820	34.120.208.123	192.168.2.4
Oct 30, 2024 20:40:02.357904911 CET	49818	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:40:02.357912064 CET	49820	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:40:02.357916117 CET	49819	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:40:02.358109951 CET	49818	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:40:02.358129025 CET	443	49818	34.120.208.123	192.168.2.4
Oct 30, 2024 20:40:02.358268023 CET	49820	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:40:02.358279943 CET	443	49820	34.120.208.123	192.168.2.4
Oct 30, 2024 20:40:02.358367920 CET	49819	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:40:02.358382940 CET	443	49819	34.120.208.123	192.168.2.4
Oct 30, 2024 20:40:02.967921972 CET	443	49820	34.120.208.123	192.168.2.4
Oct 30, 2024 20:40:02.968005896 CET	49820	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:40:02.971311092 CET	49820	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:40:02.971319914 CET	443	49820	34.120.208.123	192.168.2.4
Oct 30, 2024 20:40:02.971565008 CET	443	49820	34.120.208.123	192.168.2.4
Oct 30, 2024 20:40:02.973165989 CET	443	49819	34.120.208.123	192.168.2.4
Oct 30, 2024 20:40:02.973366022 CET	49819	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:40:02.976135969 CET	49819	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:40:02.976145983 CET	443	49819	34.120.208.123	192.168.2.4
Oct 30, 2024 20:40:02.976187944 CET	49820	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:40:02.976341963 CET	443	49820	34.120.208.123	192.168.2.4
Oct 30, 2024 20:40:02.976341963 CET	443	49819	34.120.208.123	192.168.2.4
Oct 30, 2024 20:40:02.976576090 CET	49820	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:40:02.976583958 CET	443	49820	34.120.208.123	192.168.2.4
Oct 30, 2024 20:40:02.979562044 CET	49819	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:40:02.979651928 CET	49819	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:40:02.979685068 CET	443	49819	34.120.208.123	192.168.2.4
Oct 30, 2024 20:40:02.981952906 CET	49748	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:40:02.982403040 CET	49819	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:40:02.982430935 CET	49819	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:40:02.982482910 CET	49820	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:40:02.987457037 CET	80	49748	34.107.221.82	192.168.2.4
Oct 30, 2024 20:40:02.995732069 CET	443	49818	34.120.208.123	192.168.2.4
Oct 30, 2024 20:40:02.995795012 CET	49818	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:40:02.998644114 CET	49818	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:40:02.998651981 CET	443	49818	34.120.208.123	192.168.2.4
Oct 30, 2024 20:40:02.998886108 CET	443	49818	34.120.208.123	192.168.2.4
Oct 30, 2024 20:40:03.001261950 CET	49818	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:40:03.001365900 CET	49818	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:40:03.001399994 CET	443	49818	34.120.208.123	192.168.2.4
Oct 30, 2024 20:40:03.001519918 CET	49818	443	192.168.2.4	34.120.208.123
Oct 30, 2024 20:40:03.107362986 CET	80	49748	34.107.221.82	192.168.2.4
Oct 30, 2024 20:40:03.139441967 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:40:03.146305084 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 20:40:03.152476072 CET	49748	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:40:03.267074108 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 20:40:03.312484980 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:40:08.026148081 CET	49748	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:40:08.031476021 CET	80	49748	34.107.221.82	192.168.2.4
Oct 30, 2024 20:40:08.151287079 CET	80	49748	34.107.221.82	192.168.2.4
Oct 30, 2024 20:40:08.154392958 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:40:08.159816980 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 20:40:08.210510969 CET	49748	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:40:08.282725096 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 20:40:08.342025042 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:40:18.154093981 CET	49748	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:40:18.159567118 CET	80	49748	34.107.221.82	192.168.2.4
Oct 30, 2024 20:40:18.301234961 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:40:18.306533098 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 20:40:28.173854113 CET	49748	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:40:28.179177046 CET	80	49748	34.107.221.82	192.168.2.4
Oct 30, 2024 20:40:28.327517986 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:40:28.332793951 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 20:40:30.566024065 CET	49961	443	192.168.2.4	34.107.243.93
Oct 30, 2024 20:40:30.566054106 CET	443	49961	34.107.243.93	192.168.2.4
Oct 30, 2024 20:40:30.566314936 CET	49961	443	192.168.2.4	34.107.243.93
Oct 30, 2024 20:40:30.567773104 CET	49961	443	192.168.2.4	34.107.243.93
Oct 30, 2024 20:40:30.567801952 CET	443	49961	34.107.243.93	192.168.2.4
Oct 30, 2024 20:40:31.186014891 CET	443	49961	34.107.243.93	192.168.2.4
Oct 30, 2024 20:40:31.191353083 CET	443	49961	34.107.243.93	192.168.2.4
Oct 30, 2024 20:40:31.198286057 CET	49961	443	192.168.2.4	34.107.243.93
Oct 30, 2024 20:40:31.202486038 CET	49961	443	192.168.2.4	34.107.243.93
Oct 30, 2024 20:40:31.202495098 CET	443	49961	34.107.243.93	192.168.2.4
Oct 30, 2024 20:40:31.202588081 CET	49961	443	192.168.2.4	34.107.243.93
Oct 30, 2024 20:40:31.202985048 CET	443	49961	34.107.243.93	192.168.2.4
Oct 30, 2024 20:40:31.205286980 CET	49748	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:40:31.205645084 CET	49961	443	192.168.2.4	34.107.243.93
Oct 30, 2024 20:40:31.210664034 CET	80	49748	34.107.221.82	192.168.2.4
Oct 30, 2024 20:40:31.330332994 CET	80	49748	34.107.221.82	192.168.2.4
Oct 30, 2024 20:40:31.334687948 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:40:31.340116024 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 20:40:31.383223057 CET	49748	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:40:31.462025881 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 20:40:31.514739037 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:40:41.342561007 CET	49748	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:40:41.347893000 CET	80	49748	34.107.221.82	192.168.2.4
Oct 30, 2024 20:40:41.464925051 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:40:41.470362902 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 20:40:51.364455938 CET	49748	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:40:51.369863033 CET	80	49748	34.107.221.82	192.168.2.4
Oct 30, 2024 20:40:51.495997906 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:40:51.501813889 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 20:41:01.388974905 CET	49748	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:41:01.394399881 CET	80	49748	34.107.221.82	192.168.2.4
Oct 30, 2024 20:41:01.510072947 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 20:41:01.515463114 CET	80	49754	34.107.221.82	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 30, 2024 20:39:03.670980930 CET	52615	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:03.680211067 CET	53	52615	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:03.690179110 CET	62241	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:03.699278116 CET	53	62241	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:05.606626987 CET	52963	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:05.614562035 CET	53	52963	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:05.619056940 CET	62347	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:05.626945019 CET	53	62347	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:05.628129959 CET	63974	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:05.636816025 CET	53	63974	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:05.796844959 CET	64707	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:05.809134007 CET	51783	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:05.818330050 CET	53	51783	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:05.819025993 CET	51414	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:05.826653004 CET	53	51414	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:05.976838112 CET	56589	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:05.984935999 CET	53	56589	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:05.986241102 CET	60243	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:05.993868113 CET	53	60243	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:06.013012886 CET	50246	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:06.015336037 CET	64051	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:06.020246983 CET	53	50246	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:06.023762941 CET	53	64051	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:06.044138908 CET	56438	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:06.052555084 CET	53	56438	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:06.334306955 CET	54520	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:06.343151093 CET	53	54520	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:06.345155954 CET	57244	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:06.356163979 CET	53	57244	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:06.360507965 CET	49712	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:06.369134903 CET	53	49712	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:06.494859934 CET	53964	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:06.504112005 CET	53	53964	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:06.505669117 CET	49949	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:06.515202999 CET	53	49949	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:06.516350031 CET	50741	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:06.525082111 CET	53	50741	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:06.568697929 CET	56693	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:06.569777012 CET	52122	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:06.577599049 CET	53	56693	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:06.577614069 CET	53	52122	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:06.583281040 CET	51999	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:07.191359043 CET	62285	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:07.229084969 CET	53	51813	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:07.263870001 CET	56828	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:07.272516966 CET	53	56828	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:07.277647972 CET	53141	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:07.285026073 CET	53	53141	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:07.286740065 CET	62025	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:07.294908047 CET	53	62025	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:07.507386923 CET	60610	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:07.517818928 CET	53	60610	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:07.571696043 CET	49258	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:07.578855991 CET	53	49258	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:08.177409887 CET	63217	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:08.185046911 CET	53	63217	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:08.249541044 CET	57563	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:08.258052111 CET	53	57563	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:08.277746916 CET	50283	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:08.285306931 CET	53	50283	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:10.865366936 CET	56495	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:10.873986006 CET	53	56495	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:10.878099918 CET	54831	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:10.886370897 CET	53	54831	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:10.887608051 CET	58900	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:10.895194054 CET	53	58900	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:15.264431953 CET	52255	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:15.264818907 CET	61543	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:15.265036106 CET	53233	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:15.271958113 CET	53	61543	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:15.272464037 CET	53	52255	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:15.272824049 CET	53	53233	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:15.276000977 CET	62291	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:15.277044058 CET	52732	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:15.279546022 CET	57090	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:15.283373117 CET	53	62291	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:15.284178019 CET	52192	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:15.285069942 CET	53	52732	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:15.285928965 CET	56018	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:15.287736893 CET	53	57090	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:15.289933920 CET	57236	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:15.291701078 CET	53	52192	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:15.292293072 CET	62410	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:15.293689966 CET	53	56018	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:15.294778109 CET	51182	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:15.298118114 CET	53	57236	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:15.299941063 CET	53	62410	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:15.300581932 CET	49482	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:15.302915096 CET	53	51182	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:15.303366899 CET	60063	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:15.308067083 CET	53	49482	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:15.308563948 CET	53562	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:15.311249971 CET	53	60063	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:15.311645985 CET	64554	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:15.316138029 CET	53	53562	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:15.320048094 CET	53	64554	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:16.368674040 CET	60945	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:16.515052080 CET	64906	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:16.522342920 CET	53	64906	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:28.347665071 CET	62596	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:28.355540037 CET	53	62596	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:32.220794916 CET	58913	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:32.229424953 CET	54686	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:32.230114937 CET	53	58913	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:32.231962919 CET	49317	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:32.236881971 CET	53	54686	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:32.240099907 CET	53	49317	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:32.240631104 CET	57434	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:32.248274088 CET	53	57434	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:32.263056040 CET	54397	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:32.270684004 CET	53	54397	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:32.273197889 CET	55009	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:32.281137943 CET	53	55009	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:32.285254955 CET	59331	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:32.292726040 CET	53	59331	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:49.105604887 CET	58414	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:49.112965107 CET	53	58414	1.1.1.1	192.168.2.4
Oct 30, 2024 20:39:49.113600969 CET	50773	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:39:49.121465921 CET	53	50773	1.1.1.1	192.168.2.4
Oct 30, 2024 20:40:02.350028038 CET	65064	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:40:02.358475924 CET	53	65064	1.1.1.1	192.168.2.4
Oct 30, 2024 20:40:30.564852953 CET	52526	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:40:30.572890997 CET	53	52526	1.1.1.1	192.168.2.4
Oct 30, 2024 20:40:30.573985100 CET	57183	53	192.168.2.4	1.1.1.1
Oct 30, 2024 20:40:30.584032059 CET	53	57183	1.1.1.1	192.168.2.4
Oct 30, 2024 20:40:31.205444098 CET	50017	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 30, 2024 20:39:03.670980930 CET	192.168.2.4	1.1.1.1	0x40bc	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:03.690179110 CET	192.168.2.4	1.1.1.1	0x4e62	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 20:39:05.606626987 CET	192.168.2.4	1.1.1.1	0x114e	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:05.619056940 CET	192.168.2.4	1.1.1.1	0xc841	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:05.628129959 CET	192.168.2.4	1.1.1.1	0x2440	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 30, 2024 20:39:05.796844959 CET	192.168.2.4	1.1.1.1	0xacd1	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:05.809134007 CET	192.168.2.4	1.1.1.1	0xe2f1	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:05.819025993 CET	192.168.2.4	1.1.1.1	0xcd86	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 20:39:05.976838112 CET	192.168.2.4	1.1.1.1	0xbd3c	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:05.986241102 CET	192.168.2.4	1.1.1.1	0x7b80	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:06.013012886 CET	192.168.2.4	1.1.1.1	0x18a	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 20:39:06.015336037 CET	192.168.2.4	1.1.1.1	0xf59a	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:06.044138908 CET	192.168.2.4	1.1.1.1	0x6ac7	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 20:39:06.334306955 CET	192.168.2.4	1.1.1.1	0x812f	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:06.345155954 CET	192.168.2.4	1.1.1.1	0xc9e2	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:06.360507965 CET	192.168.2.4	1.1.1.1	0x6c97	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 20:39:06.494859934 CET	192.168.2.4	1.1.1.1	0x7753	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:06.505669117 CET	192.168.2.4	1.1.1.1	0x16cf	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:06.516350031 CET	192.168.2.4	1.1.1.1	0xebd6	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 20:39:06.568697929 CET	192.168.2.4	1.1.1.1	0xc543	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:06.569777012 CET	192.168.2.4	1.1.1.1	0x754b	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:06.583281040 CET	192.168.2.4	1.1.1.1	0x5948	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:07.191359043 CET	192.168.2.4	1.1.1.1	0xd4d9	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:07.263870001 CET	192.168.2.4	1.1.1.1	0x7de	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:07.277647972 CET	192.168.2.4	1.1.1.1	0xd414	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:07.286740065 CET	192.168.2.4	1.1.1.1	0xf7d1	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 20:39:07.507386923 CET	192.168.2.4	1.1.1.1	0x4bc4	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:07.571696043 CET	192.168.2.4	1.1.1.1	0x6fcd	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 20:39:08.177409887 CET	192.168.2.4	1.1.1.1	0x78f8	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:08.249541044 CET	192.168.2.4	1.1.1.1	0x589f	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:08.277746916 CET	192.168.2.4	1.1.1.1	0x6fb9	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 20:39:10.865366936 CET	192.168.2.4	1.1.1.1	0xd883	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:10.878099918 CET	192.168.2.4	1.1.1.1	0xde33	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:10.887608051 CET	192.168.2.4	1.1.1.1	0xab14	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 20:39:15.264431953 CET	192.168.2.4	1.1.1.1	0x6934	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.264818907 CET	192.168.2.4	1.1.1.1	0xf99e	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.265036106 CET	192.168.2.4	1.1.1.1	0x5083	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.276000977 CET	192.168.2.4	1.1.1.1	0x5909	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.277044058 CET	192.168.2.4	1.1.1.1	0x5af4	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.279546022 CET	192.168.2.4	1.1.1.1	0x13be	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.284178019 CET	192.168.2.4	1.1.1.1	0xb20d	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 30, 2024 20:39:15.285928965 CET	192.168.2.4	1.1.1.1	0x36b9	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 30, 2024 20:39:15.289933920 CET	192.168.2.4	1.1.1.1	0xcaad	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 30, 2024 20:39:15.292293072 CET	192.168.2.4	1.1.1.1	0xe875	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.294778109 CET	192.168.2.4	1.1.1.1	0xc455	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.300581932 CET	192.168.2.4	1.1.1.1	0x9fbc	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.303366899 CET	192.168.2.4	1.1.1.1	0xbcf1	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.308563948 CET	192.168.2.4	1.1.1.1	0x171f	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 30, 2024 20:39:15.311645985 CET	192.168.2.4	1.1.1.1	0x74cd	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 30, 2024 20:39:16.368674040 CET	192.168.2.4	1.1.1.1	0xae0a	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:16.515052080 CET	192.168.2.4	1.1.1.1	0x977b	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 20:39:28.347665071 CET	192.168.2.4	1.1.1.1	0xded6	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 20:39:32.220794916 CET	192.168.2.4	1.1.1.1	0x26f1	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:32.229424953 CET	192.168.2.4	1.1.1.1	0xe6f6	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 20:39:32.231962919 CET	192.168.2.4	1.1.1.1	0x7c61	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:32.240631104 CET	192.168.2.4	1.1.1.1	0x9ab	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 30, 2024 20:39:32.263056040 CET	192.168.2.4	1.1.1.1	0xa5a6	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:32.273197889 CET	192.168.2.4	1.1.1.1	0x3d0f	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:32.285254955 CET	192.168.2.4	1.1.1.1	0xafc2	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 20:39:49.105604887 CET	192.168.2.4	1.1.1.1	0xc602	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:49.113600969 CET	192.168.2.4	1.1.1.1	0xdfba	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 20:40:02.350028038 CET	192.168.2.4	1.1.1.1	0x1621	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 20:40:30.564852953 CET	192.168.2.4	1.1.1.1	0x9b8e	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:40:30.573985100 CET	192.168.2.4	1.1.1.1	0x4cff	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 20:40:31.205444098 CET	192.168.2.4	1.1.1.1	0xae8e	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 30, 2024 20:39:03.652764082 CET	1.1.1.1	192.168.2.4	0xd2d7	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:03.680211067 CET	1.1.1.1	192.168.2.4	0x40bc	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:05.614562035 CET	1.1.1.1	192.168.2.4	0x114e	No error (0)	youtube.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:05.626945019 CET	1.1.1.1	192.168.2.4	0xc841	No error (0)	youtube.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:05.636816025 CET	1.1.1.1	192.168.2.4	0x2440	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 30, 2024 20:39:05.804029942 CET	1.1.1.1	192.168.2.4	0xacd1	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 20:39:05.804029942 CET	1.1.1.1	192.168.2.4	0xacd1	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:05.818330050 CET	1.1.1.1	192.168.2.4	0xe2f1	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:05.826653004 CET	1.1.1.1	192.168.2.4	0xcd86	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 30, 2024 20:39:05.984935999 CET	1.1.1.1	192.168.2.4	0xbd3c	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:05.993868113 CET	1.1.1.1	192.168.2.4	0x7b80	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:06.013716936 CET	1.1.1.1	192.168.2.4	0xc586	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 20:39:06.013716936 CET	1.1.1.1	192.168.2.4	0xc586	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:06.023762941 CET	1.1.1.1	192.168.2.4	0xf59a	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:06.343151093 CET	1.1.1.1	192.168.2.4	0x812f	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 20:39:06.343151093 CET	1.1.1.1	192.168.2.4	0x812f	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:06.356163979 CET	1.1.1.1	192.168.2.4	0xc9e2	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:06.504112005 CET	1.1.1.1	192.168.2.4	0x7753	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 20:39:06.504112005 CET	1.1.1.1	192.168.2.4	0x7753	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 20:39:06.504112005 CET	1.1.1.1	192.168.2.4	0x7753	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:06.515202999 CET	1.1.1.1	192.168.2.4	0x16cf	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:06.525082111 CET	1.1.1.1	192.168.2.4	0xebd6	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 30, 2024 20:39:06.577599049 CET	1.1.1.1	192.168.2.4	0xc543	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:06.577614069 CET	1.1.1.1	192.168.2.4	0x754b	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:06.577614069 CET	1.1.1.1	192.168.2.4	0x754b	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:06.591428995 CET	1.1.1.1	192.168.2.4	0x5948	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 20:39:06.591428995 CET	1.1.1.1	192.168.2.4	0x5948	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:07.198920012 CET	1.1.1.1	192.168.2.4	0xd4d9	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 20:39:07.272516966 CET	1.1.1.1	192.168.2.4	0x7de	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:07.285026073 CET	1.1.1.1	192.168.2.4	0xd414	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:07.500725031 CET	1.1.1.1	192.168.2.4	0xbee5	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:07.517818928 CET	1.1.1.1	192.168.2.4	0x4bc4	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:08.183288097 CET	1.1.1.1	192.168.2.4	0xc578	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 20:39:08.183288097 CET	1.1.1.1	192.168.2.4	0xc578	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:08.185046911 CET	1.1.1.1	192.168.2.4	0x78f8	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 20:39:08.185046911 CET	1.1.1.1	192.168.2.4	0x78f8	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:08.258052111 CET	1.1.1.1	192.168.2.4	0x589f	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:08.457750082 CET	1.1.1.1	192.168.2.4	0xd97	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:10.873986006 CET	1.1.1.1	192.168.2.4	0xd883	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 20:39:10.873986006 CET	1.1.1.1	192.168.2.4	0xd883	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 20:39:10.873986006 CET	1.1.1.1	192.168.2.4	0xd883	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:10.886370897 CET	1.1.1.1	192.168.2.4	0xde33	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.271958113 CET	1.1.1.1	192.168.2.4	0xf99e	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 20:39:15.271958113 CET	1.1.1.1	192.168.2.4	0xf99e	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.272464037 CET	1.1.1.1	192.168.2.4	0x6934	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 20:39:15.272464037 CET	1.1.1.1	192.168.2.4	0x6934	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.272464037 CET	1.1.1.1	192.168.2.4	0x6934	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.272464037 CET	1.1.1.1	192.168.2.4	0x6934	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.272464037 CET	1.1.1.1	192.168.2.4	0x6934	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.272464037 CET	1.1.1.1	192.168.2.4	0x6934	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.272464037 CET	1.1.1.1	192.168.2.4	0x6934	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.272464037 CET	1.1.1.1	192.168.2.4	0x6934	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.272464037 CET	1.1.1.1	192.168.2.4	0x6934	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.272464037 CET	1.1.1.1	192.168.2.4	0x6934	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.272464037 CET	1.1.1.1	192.168.2.4	0x6934	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.272464037 CET	1.1.1.1	192.168.2.4	0x6934	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.272464037 CET	1.1.1.1	192.168.2.4	0x6934	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.272464037 CET	1.1.1.1	192.168.2.4	0x6934	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.272464037 CET	1.1.1.1	192.168.2.4	0x6934	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.272464037 CET	1.1.1.1	192.168.2.4	0x6934	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.272464037 CET	1.1.1.1	192.168.2.4	0x6934	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.272824049 CET	1.1.1.1	192.168.2.4	0x5083	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 20:39:15.272824049 CET	1.1.1.1	192.168.2.4	0x5083	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.283373117 CET	1.1.1.1	192.168.2.4	0x5909	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.285069942 CET	1.1.1.1	192.168.2.4	0x5af4	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.287736893 CET	1.1.1.1	192.168.2.4	0x13be	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.287736893 CET	1.1.1.1	192.168.2.4	0x13be	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.287736893 CET	1.1.1.1	192.168.2.4	0x13be	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.287736893 CET	1.1.1.1	192.168.2.4	0x13be	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.287736893 CET	1.1.1.1	192.168.2.4	0x13be	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.287736893 CET	1.1.1.1	192.168.2.4	0x13be	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.287736893 CET	1.1.1.1	192.168.2.4	0x13be	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.287736893 CET	1.1.1.1	192.168.2.4	0x13be	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.287736893 CET	1.1.1.1	192.168.2.4	0x13be	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.287736893 CET	1.1.1.1	192.168.2.4	0x13be	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.287736893 CET	1.1.1.1	192.168.2.4	0x13be	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.287736893 CET	1.1.1.1	192.168.2.4	0x13be	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.287736893 CET	1.1.1.1	192.168.2.4	0x13be	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.287736893 CET	1.1.1.1	192.168.2.4	0x13be	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.287736893 CET	1.1.1.1	192.168.2.4	0x13be	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.287736893 CET	1.1.1.1	192.168.2.4	0x13be	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.291701078 CET	1.1.1.1	192.168.2.4	0xb20d	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 30, 2024 20:39:15.293689966 CET	1.1.1.1	192.168.2.4	0x36b9	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 30, 2024 20:39:15.298118114 CET	1.1.1.1	192.168.2.4	0xcaad	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 30, 2024 20:39:15.298118114 CET	1.1.1.1	192.168.2.4	0xcaad	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 30, 2024 20:39:15.298118114 CET	1.1.1.1	192.168.2.4	0xcaad	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 30, 2024 20:39:15.298118114 CET	1.1.1.1	192.168.2.4	0xcaad	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 30, 2024 20:39:15.299941063 CET	1.1.1.1	192.168.2.4	0xe875	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 20:39:15.299941063 CET	1.1.1.1	192.168.2.4	0xe875	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.299941063 CET	1.1.1.1	192.168.2.4	0xe875	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.299941063 CET	1.1.1.1	192.168.2.4	0xe875	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.299941063 CET	1.1.1.1	192.168.2.4	0xe875	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.302915096 CET	1.1.1.1	192.168.2.4	0xc455	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.308067083 CET	1.1.1.1	192.168.2.4	0x9fbc	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.308067083 CET	1.1.1.1	192.168.2.4	0x9fbc	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.308067083 CET	1.1.1.1	192.168.2.4	0x9fbc	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.308067083 CET	1.1.1.1	192.168.2.4	0x9fbc	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:15.311249971 CET	1.1.1.1	192.168.2.4	0xbcf1	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:16.376595020 CET	1.1.1.1	192.168.2.4	0xae0a	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 20:39:16.376595020 CET	1.1.1.1	192.168.2.4	0xae0a	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:32.227932930 CET	1.1.1.1	192.168.2.4	0x2b66	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 20:39:32.227932930 CET	1.1.1.1	192.168.2.4	0x2b66	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:32.230114937 CET	1.1.1.1	192.168.2.4	0x26f1	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:32.230114937 CET	1.1.1.1	192.168.2.4	0x26f1	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:32.230114937 CET	1.1.1.1	192.168.2.4	0x26f1	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:32.230114937 CET	1.1.1.1	192.168.2.4	0x26f1	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:32.240099907 CET	1.1.1.1	192.168.2.4	0x7c61	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:32.240099907 CET	1.1.1.1	192.168.2.4	0x7c61	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:32.240099907 CET	1.1.1.1	192.168.2.4	0x7c61	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:32.240099907 CET	1.1.1.1	192.168.2.4	0x7c61	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:32.248274088 CET	1.1.1.1	192.168.2.4	0x9ab	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 30, 2024 20:39:32.248274088 CET	1.1.1.1	192.168.2.4	0x9ab	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 30, 2024 20:39:32.248274088 CET	1.1.1.1	192.168.2.4	0x9ab	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 30, 2024 20:39:32.248274088 CET	1.1.1.1	192.168.2.4	0x9ab	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 30, 2024 20:39:32.270684004 CET	1.1.1.1	192.168.2.4	0xa5a6	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 20:39:32.270684004 CET	1.1.1.1	192.168.2.4	0xa5a6	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:32.281137943 CET	1.1.1.1	192.168.2.4	0x3d0f	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:39:33.501602888 CET	1.1.1.1	192.168.2.4	0xeb	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 20:39:33.501602888 CET	1.1.1.1	192.168.2.4	0xeb	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 20:39:49.112965107 CET	1.1.1.1	192.168.2.4	0xc602	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:40:02.347716093 CET	1.1.1.1	192.168.2.4	0x83d	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:40:30.572890997 CET	1.1.1.1	192.168.2.4	0x9b8e	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 30, 2024 20:40:31.213134050 CET	1.1.1.1	192.168.2.4	0xae8e	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 20:40:31.213134050 CET	1.1.1.1	192.168.2.4	0xae8e	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49741	34.107.221.82	80	7776	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 20:39:05.854609966 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 20:39:06.451692104 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 54473 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49746	34.107.221.82	80	7776	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 20:39:06.599500895 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 20:39:07.196190119 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 54496 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49748	34.107.221.82	80	7776	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 20:39:06.693747044 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 20:39:07.292570114 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 54474 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 20:39:08.203583002 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 20:39:08.328521967 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 54475 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 20:39:10.888340950 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 20:39:11.013351917 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 54477 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 20:39:16.368742943 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 20:39:16.494013071 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 54483 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 20:39:18.574721098 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 20:39:18.707412958 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 54485 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 20:39:28.721205950 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 20:39:28.962866068 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 20:39:29.088347912 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 54496 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 20:39:32.853615999 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 20:39:32.979167938 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 54499 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 20:39:33.488487005 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 20:39:33.613393068 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 54500 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 20:39:43.617548943 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 20:39:49.736927032 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 20:39:49.861844063 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 54516 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 20:39:59.872682095 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 20:40:02.981952906 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 20:40:03.107362986 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 54530 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 20:40:08.026148081 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 20:40:08.151287079 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 54535 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 20:40:18.154093981 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 20:40:28.173854113 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 20:40:31.205286980 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 20:40:31.330332994 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 54558 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 20:40:41.342561007 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 20:40:51.364455938 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 20:41:01.388974905 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49754	34.107.221.82	80	7776	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 20:39:07.502202988 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 20:39:08.104281902 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 54497 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 20:39:10.838680029 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 20:39:10.966732979 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 54499 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 20:39:15.213392019 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 20:39:15.340090036 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 54504 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 20:39:17.672456980 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 20:39:17.799793005 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 54506 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 20:39:18.734363079 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 20:39:18.860865116 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 54507 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 20:39:28.874824047 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 20:39:29.092117071 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 20:39:29.219724894 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 54518 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 20:39:32.982172012 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 20:39:33.110732079 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 54522 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 20:39:33.616689920 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 20:39:33.743587017 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 54522 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 20:39:43.749182940 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 20:39:49.864917040 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 20:39:49.992060900 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 54538 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 20:39:59.995239973 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 20:40:03.139441967 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 20:40:03.267074108 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 54552 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 20:40:08.154392958 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 20:40:08.282725096 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 54557 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 20:40:18.301234961 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 20:40:28.327517986 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 20:40:31.334687948 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 20:40:31.462025881 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 54580 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 20:40:41.464925051 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 20:40:51.495997906 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 20:41:01.510072947 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	15:38:56
Start date:	30/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x6b0000
File size:	919'552 bytes
MD5 hash:	C5C8202CF33C1C61D4463D53AA3748E5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:38:56
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x3e0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:38:56
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:38:58
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x3e0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:38:58
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:38:59
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x3e0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:38:59
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	15:38:59
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x3e0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:38:59
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:38:59
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x3e0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:38:59
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	15:38:59
Start date:	30/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	15:38:59
Start date:	30/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	15:38:59
Start date:	30/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	15:39:00
Start date:	30/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2276 -parentBuildID 20230927232528 -prefsHandle 2216 -prefMapHandle 2208 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a46847d0-9293-4bac-8415-4fa2947c8e97} 7776 "\\.\pipe\gecko-crash-server-pipe.7776" 1ccdad6d510 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	15:39:02
Start date:	30/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2696 -parentBuildID 20230927232528 -prefsHandle 4228 -prefMapHandle 4224 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7cff00d-f0b1-495f-9d3f-92f956d45c2c} 7776 "\\.\pipe\gecko-crash-server-pipe.7776" 1ccece2fb10 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	15:39:06
Start date:	30/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4952 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4956 -prefMapHandle 4904 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff0ebe7f-fa1c-41ff-ae44-07a5d0ab7bae} 7776 "\\.\pipe\gecko-crash-server-pipe.7776" 1ccec341110 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.4%
Total number of Nodes:	1602
Total number of Limit Nodes:	80

Executed Functions

Function 006B42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 006B430D

Part of subcall function 006B6B57: _wcslen.LIBCMT ref: 006B6B6A

GetCurrentProcess.KERNEL32(?,0074CB64,00000000,?,?), ref: 006B4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 006B4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 006B4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 006B4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 006B4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 006B447B
GetSystemInfo.KERNEL32(?,?,?), ref: 006B44A0

Strings

|O, xrefs: 006F36F8
kernel32.dll, xrefs: 006B444F
GetNativeSystemInfo, xrefs: 006B4460

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 9fd2830633a8d82ce32e72ced70680dd23a5e5652f6b506b8dc61b8c98d0436d
Instruction ID: 16031b828e3107327bbc0885d27cbe7bd544349ba7e0669adce6551253ec0373
Opcode Fuzzy Hash: 9fd2830633a8d82ce32e72ced70680dd23a5e5652f6b506b8dc61b8c98d0436d
Instruction Fuzzy Hash: 3FA1D4B198A2D4CFC712C7697C441E53FEEAB26710BA8C899D08193F22D66C455BCB2D

Function 006B42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,006B50AA,?,?,00000000,00000000), ref: 006B42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,006B50AA,?,?,00000000,00000000), ref: 006B42C9
LoadResource.KERNEL32(?,00000000,?,?,006B50AA,?,?,00000000,00000000,?,?,?,?,?,?,006B4F20), ref: 006F35BE
SizeofResource.KERNEL32(?,00000000,?,?,006B50AA,?,?,00000000,00000000,?,?,?,?,?,?,006B4F20), ref: 006F35D3
LockResource.KERNEL32(006B50AA,?,?,006B50AA,?,?,00000000,00000000,?,?,?,?,?,?,006B4F20,?), ref: 006F35E6

Strings

SCRIPT, xrefs: 006B42BF

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: f9641314ecb6488ff0cc594e947cabd7590d7bc247bf291a3de271d77ce8867c
Instruction ID: cecb0b362aa3d7923aced2dcd6ed26a2d990bd7d566a7107d5373eda76381caf
Opcode Fuzzy Hash: f9641314ecb6488ff0cc594e947cabd7590d7bc247bf291a3de271d77ce8867c
Instruction Fuzzy Hash: 4E117CB4241700BFE7228FA5DC49FA77BBAEFC6B51F10816AF40296260DBB1D9409620

Function 006F2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 006B2B6B

Part of subcall function 006B3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00781418,?,006B2E7F,?,?,?,00000000), ref: 006B3A78

Part of subcall function 006B9CB3: _wcslen.LIBCMT ref: 006B9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00772224), ref: 006F2C10
ShellExecuteW.SHELL32(00000000,?,?,00772224), ref: 006F2C17

Strings

runas, xrefs: 006F2C0B

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 7d69b9e82f6619a115ecbbe9fd4127512155c2d32f48e0c6eb2fdf923c97349a
Instruction ID: aaac759b80fdb9967bed73fbd3cedb7193c15322a4e683dedcefefb9a2da4315
Opcode Fuzzy Hash: 7d69b9e82f6619a115ecbbe9fd4127512155c2d32f48e0c6eb2fdf923c97349a
Instruction Fuzzy Hash: C51106B12083866AC785FF60D8619FE7BEA9F91344F44542DF246021A3CF2485CAC71A

Function 0071D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0071D501
Process32FirstW.KERNEL32(00000000,?), ref: 0071D50F
Process32NextW.KERNEL32(00000000,?), ref: 0071D52F
CloseHandle.KERNELBASE(00000000), ref: 0071D5DC

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: a62e8e16ec11e9208a3b10c695582d72f50c74635fd9cb975f6f11cb533eafca
Instruction ID: 6a559e2db345d350387bf077ffa6628df695057c2fe53405fb24934cddfa0914
Opcode Fuzzy Hash: a62e8e16ec11e9208a3b10c695582d72f50c74635fd9cb975f6f11cb533eafca
Instruction Fuzzy Hash: 2831C4B11083009FD315EF54C881AEFBBF9EF99354F14092DF681821A1EB719984CBA2

Function 0071DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,006F5222), ref: 0071DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0071DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0071DBEE
FindClose.KERNEL32(00000000), ref: 0071DBFA

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: c3abbd9f8df9d873998628639edf95421ff024ccf64c1bf6080c24917f9bcefe
Instruction ID: 960b6d2ce1c208f7dcba7b3dc8fdd86dc4514d7714b014d94498296892482b28
Opcode Fuzzy Hash: c3abbd9f8df9d873998628639edf95421ff024ccf64c1bf6080c24917f9bcefe
Instruction Fuzzy Hash: 2CF082344119149B93316F6C9C0D4EA376CAE02334B108B02F535C10E0EBF85D94C9E9

Function 006D4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(006E28E9,?,006D4CBE,006E28E9,007788B8,0000000C,006D4E15,006E28E9,00000002,00000000,?,006E28E9), ref: 006D4D09
TerminateProcess.KERNEL32(00000000,?,006D4CBE,006E28E9,007788B8,0000000C,006D4E15,006E28E9,00000002,00000000,?,006E28E9), ref: 006D4D10
ExitProcess.KERNEL32 ref: 006D4D22

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5da1061113eedea3b9cbb25d1dd4b170d64adb50e3e28d0b2b78fab68f99687a
Instruction ID: 215a9a542e8dcc2a0f104a2afa83651b7878b45dd8948795e0aa6d3ae9d64911
Opcode Fuzzy Hash: 5da1061113eedea3b9cbb25d1dd4b170d64adb50e3e28d0b2b78fab68f99687a
Instruction Fuzzy Hash: 84E0BF35401148ABCF626F54DD09A583B6BEF42741B148019FC058B322DB39DD41CA84

Function 006BBF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#x, xrefs: 007007CE

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#x
API String ID: 3964851224-1271349037
Opcode ID: 8d74e21f77f780f0ac8eefdf43b0974196d511505779465141e79de2914a286d
Instruction ID: c6a201b750ecfa36bbce1eac1a249f0c6bbfeb298d9d2a0d018262c2864c30fe
Opcode Fuzzy Hash: 8d74e21f77f780f0ac8eefdf43b0974196d511505779465141e79de2914a286d
Instruction Fuzzy Hash: 66A26EB0608341DFD750DF18C480B6AB7E2BF89324F14896DE89A8B352D775ED85CB92

Function 0073AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0073B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0073B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0073B1D4
_wcslen.LIBCMT ref: 0073B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0073B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0073B236
_wcslen.LIBCMT ref: 0073B332

Part of subcall function 007205A7: GetStdHandle.KERNEL32(000000F6), ref: 007205C6

_wcslen.LIBCMT ref: 0073B34B
_wcslen.LIBCMT ref: 0073B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0073B3B6
GetLastError.KERNEL32(00000000), ref: 0073B407
CloseHandle.KERNEL32(?), ref: 0073B439
CloseHandle.KERNEL32(00000000), ref: 0073B44A
CloseHandle.KERNEL32(00000000), ref: 0073B45C
CloseHandle.KERNEL32(00000000), ref: 0073B46E
CloseHandle.KERNEL32(?), ref: 0073B4E3

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 5b993ba84b89c743b3d2018038a3405d4a1b4f8e92725f05e38b9715835be205
Instruction ID: 3e1a592663a12bf97819c23ba8f2a5acbe6499be3ffd5809fbca639b9c950735
Opcode Fuzzy Hash: 5b993ba84b89c743b3d2018038a3405d4a1b4f8e92725f05e38b9715835be205
Instruction Fuzzy Hash: 0DF1BC71608340DFD764EF24C891B6EBBE6AF85310F14855DF9898B2A2DB35EC40CB96

Function 006BD730 Relevance: 21.6, APIs: 14, Instructions: 627sleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 006BD807
timeGetTime.WINMM ref: 006BDA07
Sleep.KERNELBASE(0000000A), ref: 006BDBB1

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 22032a7a3d1242752cbf7dd1a240de071f1faa9f83a615e8a742864480d47c23
Instruction ID: c016dd2bdfd027a4c2bb878ecacd96ac33174097452fa3e52e1717a8bb9bac0b
Opcode Fuzzy Hash: 22032a7a3d1242752cbf7dd1a240de071f1faa9f83a615e8a742864480d47c23
Instruction Fuzzy Hash: DF4234B0604241EFD728DF24C848BEAB7E2BF45304F54861DE8558B3D2E778E885CB92

Function 006B2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 006B2D07
RegisterClassExW.USER32(00000030), ref: 006B2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006B2D42
InitCommonControlsEx.COMCTL32(?), ref: 006B2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006B2D6F
LoadIconW.USER32(000000A9), ref: 006B2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006B2D94

Strings

TaskbarCreated, xrefs: 006B2D37
0, xrefs: 006B2CE9
+, xrefs: 006B2CF0
AutoIt v3 GUI, xrefs: 006B2D23

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 2baf5da3db4e3c5382812f64d0987664eb5cfdf2daa4e5d4c55cae1a93ca6cdd
Instruction ID: 673152e5dc39dc034613f64711aaa469f35cba52298d9511c80bbe3f9ba298b0
Opcode Fuzzy Hash: 2baf5da3db4e3c5382812f64d0987664eb5cfdf2daa4e5d4c55cae1a93ca6cdd
Instruction Fuzzy Hash: 0621F2B5942348AFDB41DFA4EC89BDDBBB8FB09700F10811AF511A62A0D7B91541CFA8

Function 006F065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006F039A: CreateFileW.KERNELBASE(00000000,00000000,?,006F0704,?,?,00000000,?,006F0704,00000000,0000000C), ref: 006F03B7

GetLastError.KERNEL32 ref: 006F076F
__dosmaperr.LIBCMT ref: 006F0776
GetFileType.KERNELBASE(00000000), ref: 006F0782
GetLastError.KERNEL32 ref: 006F078C
__dosmaperr.LIBCMT ref: 006F0795
CloseHandle.KERNEL32(00000000), ref: 006F07B5
CloseHandle.KERNEL32(?), ref: 006F08FF
GetLastError.KERNEL32 ref: 006F0931
__dosmaperr.LIBCMT ref: 006F0938

Strings

H, xrefs: 006F08BD

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 5540c7a0161db3c14f5ef8236e18c5388b34d9f8bfcb678a057269fb8b24652b
Instruction ID: d0b9bdec117b00cbe3b6c0474cc0a3d2b8e13c88fdfda757f13f16eecb8c37c3
Opcode Fuzzy Hash: 5540c7a0161db3c14f5ef8236e18c5388b34d9f8bfcb678a057269fb8b24652b
Instruction Fuzzy Hash: 4DA12536A001088FEF19AF68D851BBE7BA2AF06320F24415EF915DF392D7359912CB95

Function 006B344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006B3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00781418,?,006B2E7F,?,?,?,00000000), ref: 006B3A78

Part of subcall function 006B3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 006B3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 006B356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 006F318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 006F31CE
RegCloseKey.ADVAPI32(?), ref: 006F3210
_wcslen.LIBCMT ref: 006F3277
_wcslen.LIBCMT ref: 006F3286

Strings

\Include\, xrefs: 006B3527
Software\AutoIt v3\AutoIt, xrefs: 006B3560
\, xrefs: 006F328C
Include, xrefs: 006F3184, 006F31C5

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 11b04769126e92d5e0cdab3f342d5cda7d0863ffbc419d86daf207d47cbd042c
Instruction ID: 2dedb7c9be425cf35d5826f5731567d70f9018aa14db0b3bec2b48c33628a20c
Opcode Fuzzy Hash: 11b04769126e92d5e0cdab3f342d5cda7d0863ffbc419d86daf207d47cbd042c
Instruction Fuzzy Hash: CD71E4B15443009FC344EF65DC919ABBBE9FF85340F60842EF54583272EB389A49CB69

Function 006B2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 006B2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 006B2B9D
LoadIconW.USER32(00000063), ref: 006B2BB3
LoadIconW.USER32(000000A4), ref: 006B2BC5
LoadIconW.USER32(000000A2), ref: 006B2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 006B2BEF
RegisterClassExW.USER32(?), ref: 006B2C40

Part of subcall function 006B2CD4: GetSysColorBrush.USER32(0000000F), ref: 006B2D07
Part of subcall function 006B2CD4: RegisterClassExW.USER32(00000030), ref: 006B2D31
Part of subcall function 006B2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006B2D42
Part of subcall function 006B2CD4: InitCommonControlsEx.COMCTL32(?), ref: 006B2D5F
Part of subcall function 006B2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006B2D6F
Part of subcall function 006B2CD4: LoadIconW.USER32(000000A9), ref: 006B2D85
Part of subcall function 006B2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006B2D94

Strings

#, xrefs: 006B2C16
AutoIt v3, xrefs: 006B2C2F
0, xrefs: 006B2C0F

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 4b4a7130c918dc98023b5de78af86d3c3b1c02f9a2733a9f32067dab64104f34
Instruction ID: a6ff2f6189c2f82676fdfffbe715e0b9d73840badad906fc03e52d20522b7730
Opcode Fuzzy Hash: 4b4a7130c918dc98023b5de78af86d3c3b1c02f9a2733a9f32067dab64104f34
Instruction Fuzzy Hash: 28214C74E81314ABDB119FA5EC55ADD7FB8FB08B50F60801AE500E6AA0D3B90541CF98

Function 006BB710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 006BBB4E

Strings

p#x, xrefs: 0070024F
p%x, xrefs: 006BB8DC
p#x, xrefs: 006BBA72
p#x, xrefs: 00700263
p%x, xrefs: 006BBB32
p#x, xrefs: 006BBB6B
x#x, xrefs: 00700168
x#x, xrefs: 00700207

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#x$p#x$p#x$p#x$p%x$p%x$x#x$x#x
API String ID: 1385522511-4033257530
Opcode ID: 7ae9b0f8f4a9d1c3bd2e296e328a4259e9646d4cb34682faad36d19bc92f237b
Instruction ID: 72c75069bc41b410a09c6d65c4575a5d738a57704041b71f529c1c7d43b77605
Opcode Fuzzy Hash: 7ae9b0f8f4a9d1c3bd2e296e328a4259e9646d4cb34682faad36d19bc92f237b
Instruction Fuzzy Hash: DD326AB4A00209DFDB14DF54C894BFEB7F6EB45314F148169E905AB391C7B8AD82CB91

Function 006B3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,006B316A,?,?), ref: 006B31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,006B316A,?,?), ref: 006B3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 006B3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,006B316A,?,?), ref: 006B3232
CreatePopupMenu.USER32 ref: 006B3246
PostQuitMessage.USER32(00000000), ref: 006B3267

Strings

TaskbarCreated, xrefs: 006B322D

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: cfbb70020931543a97bf0dd9277fde5a0cdc74431dca2737badf76817a532318
Instruction ID: 885cbb43e708d2173ccc792391ff6e1a5ddcd0df48d3591f9d03cc0df4471bba
Opcode Fuzzy Hash: cfbb70020931543a97bf0dd9277fde5a0cdc74431dca2737badf76817a532318
Instruction Fuzzy Hash: 8C413CB53C0228A7DB152B7CDC1EBF93A1FEB06340F548129F501857A1CB799BC29769

Function 006B1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 006B1459
CoUninitialize.COMBASE ref: 006B14F8
UnregisterHotKey.USER32(?), ref: 006B16DD
DestroyWindow.USER32(?), ref: 006F24B9
FreeLibrary.KERNEL32(?), ref: 006F251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 006F254B

Strings

close all, xrefs: 006B1454

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: a91ce2220e4e501e952817b3065c6aa5ca20052d4b9a4758b5c29d411ff55dbf
Instruction ID: 52aff5d19c44e3d1baca7a8b1a972e6eec7b9f9e51a4deda5227542e6188f654
Opcode Fuzzy Hash: a91ce2220e4e501e952817b3065c6aa5ca20052d4b9a4758b5c29d411ff55dbf
Instruction Fuzzy Hash: 58D18EB1702212DFCB19EF14C4A9AA9F7A2BF06700F5441ADE54AAB352DB30ED52CF54

Function 006B2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 006B2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 006B2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,006B1CAD,?), ref: 006B2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,006B1CAD,?), ref: 006B2CCF

Strings

edit, xrefs: 006B2CAC
AutoIt v3, xrefs: 006B2C89, 006B2C8E, 006B2C8F

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 729e447c8dc93d42c62c43f4f82da4c561a08dfd7867daff2749081142d6b20c
Instruction ID: da5b81492e6f7123b275cf942dfe7a8603485d2373b8926d5e4b752b5ac1cca5
Opcode Fuzzy Hash: 729e447c8dc93d42c62c43f4f82da4c561a08dfd7867daff2749081142d6b20c
Instruction Fuzzy Hash: 06F0DA755813907AEB721717AC08EB72EBDD7C7F50B60805AF900A29A0C6791852DBB8

Function 006B3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,006B3B0F,SwapMouseButtons,00000004,?), ref: 006B3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,006B3B0F,SwapMouseButtons,00000004,?), ref: 006B3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,006B3B0F,SwapMouseButtons,00000004,?), ref: 006B3B83

Strings

Control Panel\Mouse, xrefs: 006B3B3E

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 6241404e3dfe39d679eaacec566de373e60bd3d3463c253934a7798a43dc2434
Instruction ID: ac16a5ff3a0f2fe65c33a2106c11ca8b1aad6b344424ec997b041c4b492c0bea
Opcode Fuzzy Hash: 6241404e3dfe39d679eaacec566de373e60bd3d3463c253934a7798a43dc2434
Instruction Fuzzy Hash: 99115AB5611218FFDB218FA4DC44AEEB7B9EF21740B10855AA801D7224E6319E809764

Function 006B3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 006F33A2

Part of subcall function 006B6B57: _wcslen.LIBCMT ref: 006B6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 006B3A04

Strings

Line: , xrefs: 006F33EB

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 838229cdb1473bf5ab57d69ae1e37e1281fa410c8f39b1dcd1b651c131be2415
Instruction ID: b1d3c68777ab5e33dc84b6fa19429ca035419538322494e5333f538227ebafe4
Opcode Fuzzy Hash: 838229cdb1473bf5ab57d69ae1e37e1281fa410c8f39b1dcd1b651c131be2415
Instruction Fuzzy Hash: 6B3124B1548320AFC761EB20DC45BEBB7DDAB40310F10452EF19983291EF749A89C7CA

Function 006B2DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 006F2C8C

Part of subcall function 006B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006B3A97,?,?,006B2E7F,?,?,?,00000000), ref: 006B3AC2

Part of subcall function 006B2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006B2DC4

Strings

`ew, xrefs: 006F2C85
X, xrefs: 006F2C5A

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`ew
API String ID: 779396738-2133719843
Opcode ID: cbf8f498536339ed97000d2f9646e59ef713fd5c9abec132a4e98f563530c5a4
Instruction ID: 22270bde764402dbdea795cd324978ebcb09c17c0ef6f4a2fd42a4f1c63997e0
Opcode Fuzzy Hash: cbf8f498536339ed97000d2f9646e59ef713fd5c9abec132a4e98f563530c5a4
Instruction Fuzzy Hash: 112196B1A002589BCF41DF94C8557EE7BF9AF49304F00805DE505A7345DBB856898F65

Function 006CFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 006D0668

Part of subcall function 006D32A4: RaiseException.KERNEL32(?,?,?,006D068A,?,00781444,?,?,?,?,?,?,006D068A,006B1129,00778738,006B1129), ref: 006D3304

__CxxThrowException@8.LIBVCRUNTIME ref: 006D0685

Strings

Unknown exception, xrefs: 006D0692

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 04c25ba4c484afcd653ed612c6422d884b8e9ba4a0aa6dc1da8fd01efcde8e01
Instruction ID: c8f83dce3f7f5dc5721d044a72896a7794714f0ef9dc770e7ff240fa818bcbd6
Opcode Fuzzy Hash: 04c25ba4c484afcd653ed612c6422d884b8e9ba4a0aa6dc1da8fd01efcde8e01
Instruction Fuzzy Hash: D0F0A424D0024977CB40B664E84AEAD776F9E00350B60413BB81496792EF71EA1585C5

Function 006B10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 006B1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 006B1BF4
Part of subcall function 006B1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 006B1BFC
Part of subcall function 006B1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 006B1C07
Part of subcall function 006B1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 006B1C12
Part of subcall function 006B1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 006B1C1A
Part of subcall function 006B1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 006B1C22

Part of subcall function 006B1B4A: RegisterWindowMessageW.USER32(00000004,?,006B12C4), ref: 006B1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 006B136A
OleInitialize.OLE32 ref: 006B1388
CloseHandle.KERNEL32(00000000,00000000), ref: 006F24AB

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 8ff53e95dd236959f018464356c69ed52393fac7b920b5e83f70544c3ea73f6f
Instruction ID: 080587d244d91b0aa8ccb1bfcec072968af356a1123da6aacd0e080c7bc313d2
Opcode Fuzzy Hash: 8ff53e95dd236959f018464356c69ed52393fac7b920b5e83f70544c3ea73f6f
Instruction Fuzzy Hash: 2F717CB49912409EC384EF79A8566953BE9BB893547E4C13E900AC7361EB3C4462CF5D

Function 0071C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 006B3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 006B3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0071C259
KillTimer.USER32(?,00000001,?,?), ref: 0071C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0071C270

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 3297cb1a2c3704a7487a0a09a8892f3e1e9b53d1f4699b764b7804de0d11b412
Instruction ID: 8830c75d8b1e13808c44258260d6024a3d08605a64dc62986d3e3f5b267dc455
Opcode Fuzzy Hash: 3297cb1a2c3704a7487a0a09a8892f3e1e9b53d1f4699b764b7804de0d11b412
Instruction Fuzzy Hash: B931E570940344AFEB738FA88855BEBBBFCAB06304F00409ED2DA93281C3785AC4CB55

Function 006E86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,006E85CC,?,00778CC8,0000000C), ref: 006E8704
GetLastError.KERNEL32(?,006E85CC,?,00778CC8,0000000C), ref: 006E870E
__dosmaperr.LIBCMT ref: 006E8739

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 55b71263421fa9e933d19a3ef72774331f67eaedc7a6d549d754aa297fed2436
Instruction ID: 656b395d3841ec5066dcd7984a7ee55f7276bccd10e228bb0147258794952214
Opcode Fuzzy Hash: 55b71263421fa9e933d19a3ef72774331f67eaedc7a6d549d754aa297fed2436
Instruction Fuzzy Hash: 34016F326073E01EC6A0633658457BE67474B82778F35011DF81D8F2D3DF648C818294

Function 006BDB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 006BDB7B
DispatchMessageW.USER32(?), ref: 006BDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006BDB9F
Sleep.KERNELBASE(0000000A), ref: 006BDBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00701CC9

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 6e68efade84bddeb4f060d6b8bf8b145961c94d9d8fc0e888017ad8a6eca0a40
Instruction ID: bf717351378b28549e4d15d4ab72121a3abc617bb1f62d988ef1a13b663a57f7
Opcode Fuzzy Hash: 6e68efade84bddeb4f060d6b8bf8b145961c94d9d8fc0e888017ad8a6eca0a40
Instruction Fuzzy Hash: 7BF05E706453409BEB70CB608C49FEA73ADEB45310F508A29E61A870C0EB38A4898B29

Function 006C1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 006C17F6

Strings

CALL, xrefs: 006C17C6

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 4fb7b914a88483a734e4e14b77b96663a0ec2aea3071f9dbaa740d07cc4d24bc
Instruction ID: a468badac148e2ac9fd4b18619f7f1c5226511af67e21f20db162efbc4f52eeb
Opcode Fuzzy Hash: 4fb7b914a88483a734e4e14b77b96663a0ec2aea3071f9dbaa740d07cc4d24bc
Instruction Fuzzy Hash: 2F2269B0608201DFC714DF14C894F6ABBE2EF8A314F24895DF4968B3A2D735E951CB96

Function 006B3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 006B3908

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: f6638d1e66fbe6682906eb0ea1902d3151d42f6aa15ee5043bb249cc81cea6a3
Instruction ID: 3fbb0db324c987eea548db56863279263ca514b8fe0458fe167c6e6c96d3b80f
Opcode Fuzzy Hash: f6638d1e66fbe6682906eb0ea1902d3151d42f6aa15ee5043bb249cc81cea6a3
Instruction Fuzzy Hash: 4C31ACB0A043119FD361DF24D8847D7BBE8FB49308F00092EF69A83780E775AA85CB56

Function 006CF645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 006CF661

Part of subcall function 006BD730: GetInputState.USER32 ref: 006BD807

Sleep.KERNEL32(00000000), ref: 0070F2DE

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 44e3b766135a6f31fe37d97a7cd41b13c7a17e82a9a9a8cf0b1ccfc894de3bba
Instruction ID: 47a8d6f2a10b205f832b63076b0e613d97ffd6356c43b83c45f2151df51f9517
Opcode Fuzzy Hash: 44e3b766135a6f31fe37d97a7cd41b13c7a17e82a9a9a8cf0b1ccfc894de3bba
Instruction Fuzzy Hash: D9F082752402059FD350EF65D445BAAB7E9FF45760F00402EE85AC7260DB70A840CB95

Function 006B4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 006B4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,006B4EDD,?,00781418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006B4E9C
Part of subcall function 006B4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 006B4EAE
Part of subcall function 006B4E90: FreeLibrary.KERNEL32(00000000,?,?,006B4EDD,?,00781418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006B4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00781418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006B4EFD

Part of subcall function 006B4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,006F3CDE,?,00781418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006B4E62
Part of subcall function 006B4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 006B4E74
Part of subcall function 006B4E59: FreeLibrary.KERNEL32(00000000,?,?,006F3CDE,?,00781418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006B4E87

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: be33a873cbdb6268b7a86f0f4d994e927baec1b6fe0f63d038017e25292819fa
Instruction ID: 0f53cb24f48c8b1e3ff72aaef45c9cee3249f3338af0b0b66434302eb69e1126
Opcode Fuzzy Hash: be33a873cbdb6268b7a86f0f4d994e927baec1b6fe0f63d038017e25292819fa
Instruction Fuzzy Hash: 7911E772600305AACF64BB64DC02FFD77AAAF80710F10842DF542A72C2DE75DA859758

Function 006E8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 006E8440

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: ee6874fc61751c6c13f667b3de536704b01bc3ae5fda8fe1a32c6e1c1a5d5503
Instruction ID: d96037e366d99f625c49965181b48bc8d97792c47584c9ab6fe75dcee5382aaa
Opcode Fuzzy Hash: ee6874fc61751c6c13f667b3de536704b01bc3ae5fda8fe1a32c6e1c1a5d5503
Instruction Fuzzy Hash: 4711187590420AEFCB05DF59E9419DA7BF5EF48314F104059F808AB352DA31DA11CBA5

Function 006E5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006E4C7D: RtlAllocateHeap.NTDLL(00000008,006B1129,00000000,?,006E2E29,00000001,00000364,?,?,?,006DF2DE,006E3863,00781444,?,006CFDF5,?), ref: 006E4CBE

_free.LIBCMT ref: 006E506C

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 17121daef634b8f591750a526defdc9f57f9ffc2ab7e44975b03e07902c15fce
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: F50149722057456FE3318F66D885A9AFBEEFB89370F25051DF185832C0EA70A805C7B4

Function 006DE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: b92c6a3ddeadec82131c1094ec7ca5e264ffc5d17c94b27df5f7b39887241393
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: C7F0F932D11B549AC6313A668C05B96339F9F52335F10071FF4259B3D2DB75E40286ED

Function 006E4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,006B1129,00000000,?,006E2E29,00000001,00000364,?,?,?,006DF2DE,006E3863,00781444,?,006CFDF5,?), ref: 006E4CBE

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 59f2b2f031493d1ce0c13e6143dac6f5df63fce837e037b4f245104a0d55ebcf
Instruction ID: 207ae60ef81d0fb3e3f4d2daa3a968ef5229a2621b69482f0e7223d85076a924
Opcode Fuzzy Hash: 59f2b2f031493d1ce0c13e6143dac6f5df63fce837e037b4f245104a0d55ebcf
Instruction Fuzzy Hash: E6F0B4316033A467DB215F739C05F9A378BAF81BA0B348116B81AAB794CE30DC0186E4

Function 006E3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00781444,?,006CFDF5,?,?,006BA976,00000010,00781440,006B13FC,?,006B13C6,?,006B1129), ref: 006E3852

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7879e6c2af2cc36f6256852068dca1c931be8d247b02db2e1c854bb2b5598909
Instruction ID: dc203de53317e52b7134f5a5ca4d7145d8f224d5c940461b545a6b0fef3ccd17
Opcode Fuzzy Hash: 7879e6c2af2cc36f6256852068dca1c931be8d247b02db2e1c854bb2b5598909
Instruction Fuzzy Hash: E2E030315033B466D63126A79C09BDB375BAF827B0B150126B81697791DB21DE0282E5

Function 006B4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00781418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006B4F6D

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 53df3f1f6d348092874c3c45cbed51fe9dd025349542a6a7d9464e5760f070ba
Instruction ID: 6dcaa52789ce5f26906b4183e7393e072f2dba45734362cc61c35f789a4401fc
Opcode Fuzzy Hash: 53df3f1f6d348092874c3c45cbed51fe9dd025349542a6a7d9464e5760f070ba
Instruction Fuzzy Hash: E5F030B1505751CFDB349F64D4908A2B7FAEF55319310C97EE2DA83612CB319884DF10

Function 00742A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00742A66

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 39d3347f1ef5c65f2d5704b269a24be43da3e74399b11cd335731c5918ecf56b
Instruction ID: b489bd04daf869ed7c38deee8f487cdc7b84b502896d75ad19cc8caa34c0746e
Opcode Fuzzy Hash: 39d3347f1ef5c65f2d5704b269a24be43da3e74399b11cd335731c5918ecf56b
Instruction Fuzzy Hash: A5E0DF3636012AAAC710EA30EC888FA734CEB113957508536BC2AC3141DB389AA286A0

Function 006B30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 006B314E

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: cc560e2c1543302d4b71f2391a83cf8cc502eb3ac1993b51457c7f1c678849fb
Instruction ID: f59aa365fb19aee8ed38e9db5c48b3d26091800b6c68119379719c53baf72234
Opcode Fuzzy Hash: cc560e2c1543302d4b71f2391a83cf8cc502eb3ac1993b51457c7f1c678849fb
Instruction Fuzzy Hash: EDF0A7709403149FE7929B24DC467D57BBCA701708F1040E9A24896681D7744789CF45

Function 006B2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006B2DC4

Part of subcall function 006B6B57: _wcslen.LIBCMT ref: 006B6B6A

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 4384e8511b0d1b84f84054ffa7d18190beb261cea16c3a40efe67d8bc5175b32
Instruction ID: 4591020e09749641a246dbd2ad85dd08ecba521cec89e9e65d79d7fa8b52bbf1
Opcode Fuzzy Hash: 4384e8511b0d1b84f84054ffa7d18190beb261cea16c3a40efe67d8bc5175b32
Instruction Fuzzy Hash: 2AE0CD766011245BC7519258DC05FEA77EDDFC97D0F044075FE09D7248DAA4AD808654

Function 006B2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 006B3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 006B3908

Part of subcall function 006BD730: GetInputState.USER32 ref: 006BD807

SetCurrentDirectoryW.KERNEL32(?), ref: 006B2B6B

Part of subcall function 006B30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 006B314E

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: f9e41a36e25e7a7e5337b698baed039f6aff837f4e4719f8a8de7219fb0b46d7
Instruction ID: 8be5278c8193e966840eb1902d4e66d92166d433664e5f1d29f124230dea19ef
Opcode Fuzzy Hash: f9e41a36e25e7a7e5337b698baed039f6aff837f4e4719f8a8de7219fb0b46d7
Instruction Fuzzy Hash: 23E086B130425406CA88BB7498625EDA75F9FD1355F40553EF14647263DF2845C6435A

Function 006F039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,006F0704,?,?,00000000,?,006F0704,00000000,0000000C), ref: 006F03B7

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 03c6b1d9d9bb810be109e416143d6b074482dcbdcc8742af6b452fc33ca91b8d
Instruction ID: a8e1204b23f489aef5dfd13061e1e69818044aaeb71be69b1e3bc348309604b5
Opcode Fuzzy Hash: 03c6b1d9d9bb810be109e416143d6b074482dcbdcc8742af6b452fc33ca91b8d
Instruction Fuzzy Hash: 56D06C3204010DBBDF028F84DD06EDA3BAAFB48714F018000BE1856020C736E821AB94

Function 006B1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 006B1CBC

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: de1c93110ed49338e2a6a2a7ce928533ec0a6e23f96ad879310d87e8537a2823
Instruction ID: 03a91f33f04892cff53d1d0189618c0f9a66b29a7f218f03096e854dd0c8051e
Opcode Fuzzy Hash: de1c93110ed49338e2a6a2a7ce928533ec0a6e23f96ad879310d87e8537a2823
Instruction Fuzzy Hash: 9DC09B352C03049FF2154780FC5AF547758A348B01F74C001F709955E3C3A51431D758

Non-executed Functions

Function 00749576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 006C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006C9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0074961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0074965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0074969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007496C9
SendMessageW.USER32 ref: 007496F2
GetKeyState.USER32(00000011), ref: 0074978B
GetKeyState.USER32(00000009), ref: 00749798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007497AE
GetKeyState.USER32(00000010), ref: 007497B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007497E9
SendMessageW.USER32 ref: 00749810
SendMessageW.USER32(?,00001030,?,00747E95), ref: 00749918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0074992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00749941
SetCapture.USER32(?), ref: 0074994A
ClientToScreen.USER32(?,?), ref: 007499AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 007499BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007499D6
ReleaseCapture.USER32 ref: 007499E1
GetCursorPos.USER32(?), ref: 00749A19
ScreenToClient.USER32(?,?), ref: 00749A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00749A80
SendMessageW.USER32 ref: 00749AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00749AEB
SendMessageW.USER32 ref: 00749B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00749B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00749B4A
GetCursorPos.USER32(?), ref: 00749B68
ScreenToClient.USER32(?,?), ref: 00749B75
GetParent.USER32(?), ref: 00749B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00749BFA
SendMessageW.USER32 ref: 00749C2B
ClientToScreen.USER32(?,?), ref: 00749C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00749CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00749CDE
SendMessageW.USER32 ref: 00749D01
ClientToScreen.USER32(?,?), ref: 00749D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00749D82

Part of subcall function 006C9944: GetWindowLongW.USER32(?,000000EB), ref: 006C9952

GetWindowLongW.USER32(?,000000F0), ref: 00749E05

Strings

F, xrefs: 00749D07
p#x, xrefs: 00749990
@GUI_DRAGID, xrefs: 0074997D

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#x
API String ID: 3429851547-3050798211
Opcode ID: 227edda5a3fa29fe2a7d1f73abf6bbcaec8bddfeeb96c5f6c027cbcaf6420578
Instruction ID: 0ae915034414560e6f05f5efcdc309597a8bf48c895bfbd4cbde5e0caa30b8e1
Opcode Fuzzy Hash: 227edda5a3fa29fe2a7d1f73abf6bbcaec8bddfeeb96c5f6c027cbcaf6420578
Instruction Fuzzy Hash: 06428A34204241EFDB25CF24CC44EABBBE9FF49310F11865AF699872A1D739A851CF56

Function 00744873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 007448F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00744908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00744927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0074494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0074495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0074497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 007449AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 007449D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00744A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00744A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00744A7E
IsMenu.USER32(?), ref: 00744A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00744AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00744B20
GetWindowLongW.USER32(?,000000F0), ref: 00744B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00744BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00744C82
wsprintfW.USER32 ref: 00744CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00744CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00744CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00744D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00744D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00744D5A

Strings

%d/%02d/%02d, xrefs: 00744CA8

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 37b042cb091ea7b8640243c6af7b0727dd7a6f7b71446431fda59d5483da13df
Instruction ID: 3e808342bb0d14fdf147d8110bb034c5db60bb3ffde9bec89fa7e4f26df7325a
Opcode Fuzzy Hash: 37b042cb091ea7b8640243c6af7b0727dd7a6f7b71446431fda59d5483da13df
Instruction Fuzzy Hash: 40122271600214ABEB258F24CC49FAE7BF9FF46310F14816AF916EB2E1DB789941DB50

Function 006CF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 006CF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0070F474
IsIconic.USER32(00000000), ref: 0070F47D
ShowWindow.USER32(00000000,00000009), ref: 0070F48A
SetForegroundWindow.USER32(00000000), ref: 0070F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0070F4AA
GetCurrentThreadId.KERNEL32 ref: 0070F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0070F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0070F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0070F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0070F4DE
SetForegroundWindow.USER32(00000000), ref: 0070F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0070F4F6
keybd_event.USER32(00000012,00000000), ref: 0070F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0070F50B
keybd_event.USER32(00000012,00000000), ref: 0070F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0070F519
keybd_event.USER32(00000012,00000000), ref: 0070F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0070F528
keybd_event.USER32(00000012,00000000), ref: 0070F52D
SetForegroundWindow.USER32(00000000), ref: 0070F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0070F557

Strings

Shell_TrayWnd, xrefs: 0070F46F

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 9dc0b9ec8ff8306b2a0e67134a8406b423456c35f758e474fa36152a9f7cfb1d
Instruction ID: 2aea01617726a223ef4611528815de8a4d4356db79b2d9b9d49cf13ae1a5fd84
Opcode Fuzzy Hash: 9dc0b9ec8ff8306b2a0e67134a8406b423456c35f758e474fa36152a9f7cfb1d
Instruction Fuzzy Hash: 4431C675A41318BFEB316BB54C4AFBF7EACEB45B50F204026FA00E61D1C7B85D10AA65

Function 00711201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 007116C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0071170D
Part of subcall function 007116C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0071173A
Part of subcall function 007116C3: GetLastError.KERNEL32 ref: 0071174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00711286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 007112A8
CloseHandle.KERNEL32(?), ref: 007112B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007112D1
GetProcessWindowStation.USER32 ref: 007112EA
SetProcessWindowStation.USER32(00000000), ref: 007112F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00711310

Part of subcall function 007110BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007111FC), ref: 007110D4
Part of subcall function 007110BF: CloseHandle.KERNEL32(?,?,007111FC), ref: 007110E9

Strings

, xrefs: 0071125A
Zw, xrefs: 00711392
default, xrefs: 0071130B
winsta0, xrefs: 007112CC

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Zw
API String ID: 22674027-1034679043
Opcode ID: 13fa2648db1e3f5decadc26e53c2f45b7a07c55afb77e051f509ccdb169cfa01
Instruction ID: be402bd6f873e81b3df66918cb39fb28c481c70058b3ff2e727ad854c53a20b6
Opcode Fuzzy Hash: 13fa2648db1e3f5decadc26e53c2f45b7a07c55afb77e051f509ccdb169cfa01
Instruction Fuzzy Hash: 4981C371900249AFDF11DFA8DC49FEE7BB9EF05704F14812AFE10AA1A0D7798984CB65

Function 00710B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007110F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00711114
Part of subcall function 007110F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00710B9B,?,?,?), ref: 00711120
Part of subcall function 007110F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00710B9B,?,?,?), ref: 0071112F
Part of subcall function 007110F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00710B9B,?,?,?), ref: 00711136
Part of subcall function 007110F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0071114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00710BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00710C00
GetLengthSid.ADVAPI32(?), ref: 00710C17
GetAce.ADVAPI32(?,00000000,?), ref: 00710C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00710C6D
GetLengthSid.ADVAPI32(?), ref: 00710C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00710C8C
HeapAlloc.KERNEL32(00000000), ref: 00710C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00710CB4
CopySid.ADVAPI32(00000000), ref: 00710CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00710CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00710D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00710D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00710D45
HeapFree.KERNEL32(00000000), ref: 00710D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00710D55
HeapFree.KERNEL32(00000000), ref: 00710D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00710D65
HeapFree.KERNEL32(00000000), ref: 00710D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00710D78
HeapFree.KERNEL32(00000000), ref: 00710D7F

Part of subcall function 00711193: GetProcessHeap.KERNEL32(00000008,00710BB1,?,00000000,?,00710BB1,?), ref: 007111A1
Part of subcall function 00711193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00710BB1,?), ref: 007111A8
Part of subcall function 00711193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00710BB1,?), ref: 007111B7

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 1fd6efc5267ef28d7f390a7c6a5ff3ee8bedddf58021a3e66b85bad4908d76ff
Instruction ID: f878da1dda100ff84a8eba2cb26f3a15f90311716c016df15bb469e7792e290a
Opcode Fuzzy Hash: 1fd6efc5267ef28d7f390a7c6a5ff3ee8bedddf58021a3e66b85bad4908d76ff
Instruction Fuzzy Hash: 5F7190B5A0120AABDF11DFE8DC45FEEBBB8BF05300F048115E954A7191D7B9A985CBA0

Function 0072EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0074CC08), ref: 0072EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0072EB37
GetClipboardData.USER32(0000000D), ref: 0072EB43
CloseClipboard.USER32 ref: 0072EB4F
GlobalLock.KERNEL32(00000000), ref: 0072EB87
CloseClipboard.USER32 ref: 0072EB91
GlobalUnlock.KERNEL32(00000000), ref: 0072EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0072EBC9
GetClipboardData.USER32(00000001), ref: 0072EBD1
GlobalLock.KERNEL32(00000000), ref: 0072EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0072EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0072EC38
GetClipboardData.USER32(0000000F), ref: 0072EC44
GlobalLock.KERNEL32(00000000), ref: 0072EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0072EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0072EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0072ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0072ECF3
CountClipboardFormats.USER32 ref: 0072ED14
CloseClipboard.USER32 ref: 0072ED59

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: cf91f4acb537d6dfe6711c8b685ea4332865801f63d743b755bae40bc168be68
Instruction ID: 02fbddb7567a2e78a0bfbfe3852d6882bc0c1cc7905fdbe34cf81aa7e7436b6b
Opcode Fuzzy Hash: cf91f4acb537d6dfe6711c8b685ea4332865801f63d743b755bae40bc168be68
Instruction Fuzzy Hash: 4561F178204301AFD341EF24E888F6A7BE4BF85714F18851EF456872A2CB79DD45CB66

Function 0072698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007269BE
FindClose.KERNEL32(00000000), ref: 00726A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00726A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00726A75

Part of subcall function 006B9CB3: _wcslen.LIBCMT ref: 006B9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00726AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00726ADF

Strings

%02d, xrefs: 00726C00, 00726C0A, 00726C5A, 00726CAA, 00726CFA, 00726D4A
%03d, xrefs: 00726DA2
%4d, xrefs: 00726BB1
%4d%02d%02d%02d%02d%02d, xrefs: 00726B6A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00726B32

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: cd2de3e49a2c1147dc4ab25ef1ce1ec61680c7562a0fc8291b77242ca26fa0e7
Instruction ID: d581453a8e67b4c83fab8881cc3ac1ef65d86a16054adc36b8c3aedd9b1ab374
Opcode Fuzzy Hash: cd2de3e49a2c1147dc4ab25ef1ce1ec61680c7562a0fc8291b77242ca26fa0e7
Instruction Fuzzy Hash: 94D151B2508300AFC754EB64D885EBBB7FDAF88704F04491EF589D6191EB78DA44CB62

Function 00729642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00729663
GetFileAttributesW.KERNEL32(?), ref: 007296A1
SetFileAttributesW.KERNEL32(?,?), ref: 007296BB
FindNextFileW.KERNEL32(00000000,?), ref: 007296D3
FindClose.KERNEL32(00000000), ref: 007296DE
FindFirstFileW.KERNEL32(*.*,?), ref: 007296FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0072974A
SetCurrentDirectoryW.KERNEL32(00776B7C), ref: 00729768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00729772
FindClose.KERNEL32(00000000), ref: 0072977F
FindClose.KERNEL32(00000000), ref: 0072978F

Strings

*.*, xrefs: 007296F5

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 7a85af0e7c8f78c3b8ffa089cda6d7e6df392c3264e94c25a21cf22abf8c0c86
Instruction ID: 8d696d3a32bdfb7673d896e19f6db73c8d418dc6e1b2abd5883d87be235037b3
Opcode Fuzzy Hash: 7a85af0e7c8f78c3b8ffa089cda6d7e6df392c3264e94c25a21cf22abf8c0c86
Instruction Fuzzy Hash: C53108765416296FDF10DFB4EC48ADE77BCAF0A320F14805AFA05E21A0DB78DE448E18

Function 0072979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 007297BE
FindNextFileW.KERNEL32(00000000,?), ref: 00729819
FindClose.KERNEL32(00000000), ref: 00729824
FindFirstFileW.KERNEL32(*.*,?), ref: 00729840
SetCurrentDirectoryW.KERNEL32(?), ref: 00729890
SetCurrentDirectoryW.KERNEL32(00776B7C), ref: 007298AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 007298B8
FindClose.KERNEL32(00000000), ref: 007298C5
FindClose.KERNEL32(00000000), ref: 007298D5

Part of subcall function 0071DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0071DB00

Strings

*.*, xrefs: 0072983B

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: ab57a9fb00af715f071e7c813ace874595a35d78d6278ccd5298663659f96ae7
Instruction ID: 38bee5507e40f39801d64df12b757e3566a550d75d4df430d4663c54ef5ab5d5
Opcode Fuzzy Hash: ab57a9fb00af715f071e7c813ace874595a35d78d6278ccd5298663659f96ae7
Instruction Fuzzy Hash: 6E31D871541629AAEF15DFB4EC48ADE77ACAF06320F188156E614E21A0DB78DE44CB24

Function 0073BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0073C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0073B6AE,?,?), ref: 0073C9B5
Part of subcall function 0073C998: _wcslen.LIBCMT ref: 0073C9F1
Part of subcall function 0073C998: _wcslen.LIBCMT ref: 0073CA68
Part of subcall function 0073C998: _wcslen.LIBCMT ref: 0073CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0073BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0073BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0073BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0073C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0073C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0073C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0073C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0073C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0073C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0073C382
RegCloseKey.ADVAPI32(00000000), ref: 0073C38F

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 3409f4323f3fcccee5dac6917879e44a07d4a4abbd169bf6dd4fefd42f0d9935
Instruction ID: e5710fa15bb36306348a4ceb873d400161d7a9d064bde43c94245781e9ce333c
Opcode Fuzzy Hash: 3409f4323f3fcccee5dac6917879e44a07d4a4abbd169bf6dd4fefd42f0d9935
Instruction Fuzzy Hash: 64026E71604200AFD755DF28C891E2ABBE5EF89304F18C49DF84ADB2A2DB35EC45CB52

Function 00728195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00728257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00728267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00728273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00728310
SetCurrentDirectoryW.KERNEL32(?), ref: 00728324
SetCurrentDirectoryW.KERNEL32(?), ref: 00728356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0072838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00728395

Strings

*.*, xrefs: 0072839B

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: aa0b90d4643c6a68a1c02416e5573d987bbc464ebad019d6df9be581401c2091
Instruction ID: 92c93a46780408dd3a05b36d6476cb9a5069089648c49e0b83ff265a7cb8a83f
Opcode Fuzzy Hash: aa0b90d4643c6a68a1c02416e5573d987bbc464ebad019d6df9be581401c2091
Instruction Fuzzy Hash: 8061ADB25043159FCB50EF64D8409AEB3E9FF89310F04891EF989C7251EB3AE945CB96

Function 0071D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006B3A97,?,?,006B2E7F,?,?,?,00000000), ref: 006B3AC2

Part of subcall function 0071E199: GetFileAttributesW.KERNEL32(?,0071CF95), ref: 0071E19A

FindFirstFileW.KERNEL32(?,?), ref: 0071D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0071D1DD
MoveFileW.KERNEL32(?,?), ref: 0071D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0071D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0071D237

Part of subcall function 0071D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0071D21C,?,?), ref: 0071D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0071D253
FindClose.KERNEL32(00000000), ref: 0071D264

Strings

\*.*, xrefs: 0071D0CD, 0071D0D6, 0071D0EB

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: d5afc55a3306a1ae572474b28cbc76b0227d89aa35fb1d57d89c4b345e50aec3
Instruction ID: d51470742ca4a66af165ee0162611eb67ec4c24c95b046bf2fa5d1cedcefecea
Opcode Fuzzy Hash: d5afc55a3306a1ae572474b28cbc76b0227d89aa35fb1d57d89c4b345e50aec3
Instruction Fuzzy Hash: 20617D7180111DABCF15EBE8CD929EDB7B6AF15300F248169E40277191EB38AF89DF64

Function 0072ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0072ED91
EmptyClipboard.USER32 ref: 0072ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0072EDAC
CloseClipboard.USER32 ref: 0072EEA3

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 054b1d3ae5b6fb02088b62248d26a43e83501da242fff2da9633abb44baff6cb
Instruction ID: 784f39c654e5012f12ac953fd28ec45b252bc917e748605021c986b454c0bbb8
Opcode Fuzzy Hash: 054b1d3ae5b6fb02088b62248d26a43e83501da242fff2da9633abb44baff6cb
Instruction Fuzzy Hash: 0541EF35604221AFE321CF15E888B29BBE5FF44328F15C09EE4158BB62C779EC41CB95

Function 0071E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 007116C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0071170D
Part of subcall function 007116C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0071173A
Part of subcall function 007116C3: GetLastError.KERNEL32 ref: 0071174A

ExitWindowsEx.USER32(?,00000000), ref: 0071E932

Strings

@, xrefs: 0071E925
, xrefs: 0071E920
, xrefs: 0071E95C
SeShutdownPrivilege, xrefs: 0071E902

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 37aa2a47cb919d5f8dc5eae9d846ad63a0c95fc54df73c50d2666da79651ebfa
Instruction ID: 5ea392b2419ab3afca987bb8f3797ae2b9b7bbb676e1c54474b51fc7f7205045
Opcode Fuzzy Hash: 37aa2a47cb919d5f8dc5eae9d846ad63a0c95fc54df73c50d2666da79651ebfa
Instruction Fuzzy Hash: EE01F976A10311ABEB5466BC9C8AFFF726CAB18750F154422FD03E21D1D6AD7CC085A5

Function 00731204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00731276
WSAGetLastError.WSOCK32 ref: 00731283
bind.WSOCK32(00000000,?,00000010), ref: 007312BA
WSAGetLastError.WSOCK32 ref: 007312C5
closesocket.WSOCK32(00000000), ref: 007312F4
listen.WSOCK32(00000000,00000005), ref: 00731303
WSAGetLastError.WSOCK32 ref: 0073130D
closesocket.WSOCK32(00000000), ref: 0073133C

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 939d7713f7d6ab3f18aafa4f4c8f72daf1482eeb1c7dd4248da45d462cafab4f
Instruction ID: 5b14cff819d54bfc1991ece1dc343884e1fb94a806cbb93455284b6261955dd8
Opcode Fuzzy Hash: 939d7713f7d6ab3f18aafa4f4c8f72daf1482eeb1c7dd4248da45d462cafab4f
Instruction Fuzzy Hash: B44191756001109FE710DF24C488B6ABBE6BF86318F58C199E8568F297C779ED81CBE1

Function 0071D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006B3A97,?,?,006B2E7F,?,?,?,00000000), ref: 006B3AC2

Part of subcall function 0071E199: GetFileAttributesW.KERNEL32(?,0071CF95), ref: 0071E19A

FindFirstFileW.KERNEL32(?,?), ref: 0071D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0071D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0071D481
FindClose.KERNEL32(00000000), ref: 0071D498
FindClose.KERNEL32(00000000), ref: 0071D4A1

Strings

\*.*, xrefs: 0071D3F2

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: d4be3f2508cded78ab1e8599c538eb02da3bd394d31e8233e15f57cc728bd6ca
Instruction ID: c01b8233e65b94deb1f9f5e86f301de724224fcae3b484137b5d672efd3e8c28
Opcode Fuzzy Hash: d4be3f2508cded78ab1e8599c538eb02da3bd394d31e8233e15f57cc728bd6ca
Instruction Fuzzy Hash: FD31B071008391ABC355EF64C8918EF77E9BE92300F404E1EF8D142191EB74AE49CB67

Function 006EE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 006EE645

Strings

1#QNAN, xrefs: 006EF84B
1#INF, xrefs: 006EF852
1#SNAN, xrefs: 006EF844
1#IND, xrefs: 006EF83D

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: e50d47826e3b15e854738fd145fdb4881bb4975c9f0cff77c0c3c8bfbe5ae56b
Instruction ID: 68e551c6f44f3efc3e640a14504317579f915fbe42a71ee5ebcba193a94bb181
Opcode Fuzzy Hash: e50d47826e3b15e854738fd145fdb4881bb4975c9f0cff77c0c3c8bfbe5ae56b
Instruction Fuzzy Hash: 41C25B71E056688FDB25CF29DD407EAB7B6EB48305F1441EAD80DE7281E779AE818F40

Function 0072648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007264DC
CoInitialize.OLE32(00000000), ref: 00726639
CoCreateInstance.OLE32(0074FCF8,00000000,00000001,0074FB68,?), ref: 00726650
CoUninitialize.OLE32 ref: 007268D4

Strings

.lnk, xrefs: 007264BA, 00726524, 007265E0

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 4ea5fc9d8e65f1575f0720c5b6500eda0ebd631b8edc6886c70d369b4931700a
Instruction ID: c368b0d46671e3ff412e2c57068f726b531aad9ab6f2d34a06ba1de217955722
Opcode Fuzzy Hash: 4ea5fc9d8e65f1575f0720c5b6500eda0ebd631b8edc6886c70d369b4931700a
Instruction Fuzzy Hash: DBD14AB1508311AFC354EF24C8819ABB7E9FF94704F10496DF5958B2A1EB70ED45CBA2

Function 007322DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 007322E8

Part of subcall function 0072E4EC: GetWindowRect.USER32(?,?), ref: 0072E504

GetDesktopWindow.USER32 ref: 00732312
GetWindowRect.USER32(00000000), ref: 00732319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00732355
GetCursorPos.USER32(?), ref: 00732381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007323DF

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: f0729118a9f945d721de8068f603b6b7d4abff0a82bad06946c567e7979984f5
Instruction ID: 3512cc9cd91f7b65ca3f18a6f16afb53f7157a72405791a8fac526f1d8c58d90
Opcode Fuzzy Hash: f0729118a9f945d721de8068f603b6b7d4abff0a82bad06946c567e7979984f5
Instruction Fuzzy Hash: F3310172505315AFE721DF18C848F9BBBA9FF85310F00491AF98597182DB38EA09CB96

Function 00729B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 006B9CB3: _wcslen.LIBCMT ref: 006B9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00729B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00729C8B

Part of subcall function 00723874: GetInputState.USER32 ref: 007238CB
Part of subcall function 00723874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00723966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00729BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00729C75

Strings

*.*, xrefs: 00729B5D

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 4c36812e2a580e50b27d9996341f3f6829c1fe2a31ab6f5aebe1af458d6bfc6b
Instruction ID: 9560332bfaa0a3b1687f1bdca25240bb0d0d3d8a321458d2573c22754e719f06
Opcode Fuzzy Hash: 4c36812e2a580e50b27d9996341f3f6829c1fe2a31ab6f5aebe1af458d6bfc6b
Instruction Fuzzy Hash: 9A41A3B190021AAFDF55DF74D885AEEBBF9FF05310F24405AE905A2191EB349E84CF64

Function 006C997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 006C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006C9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 006C9A4E
GetSysColor.USER32(0000000F), ref: 006C9B23
SetBkColor.GDI32(?,00000000), ref: 006C9B36

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 4146038bdee27e078b8d849a9f1390a20632bfd1b1a585614324c8ed990c41c6
Instruction ID: da77c17d9d8db5212e1bd27eb4e179e50a3d68cfdd495407fd94b496ffb67b48
Opcode Fuzzy Hash: 4146038bdee27e078b8d849a9f1390a20632bfd1b1a585614324c8ed990c41c6
Instruction Fuzzy Hash: C5A10871608444FEE729AA6C8C9DFBB369EEB42350F25420DF502D67D1CA2DAD02D376

Function 00731806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0073304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0073307A
Part of subcall function 0073304E: _wcslen.LIBCMT ref: 0073309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0073185D
WSAGetLastError.WSOCK32 ref: 00731884
bind.WSOCK32(00000000,?,00000010), ref: 007318DB
WSAGetLastError.WSOCK32 ref: 007318E6
closesocket.WSOCK32(00000000), ref: 00731915

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: b142601d7d22f7d176f2b10fd44888fa7b49adbcc2a9b23d683e02f79747cb42
Instruction ID: 83703a0b476061a0d8a18b7e44168eb43f83d7be9d75713e4548b14d6a951222
Opcode Fuzzy Hash: b142601d7d22f7d176f2b10fd44888fa7b49adbcc2a9b23d683e02f79747cb42
Instruction Fuzzy Hash: 355192B5A002109FEB50AF24C886F6A77EAAB45718F48809CF9055F293C775AD418BA5

Function 00741C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00741CC0
IsWindowEnabled.USER32 ref: 00741CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00741CDB
IsIconic.USER32 ref: 00741CE9
IsZoomed.USER32 ref: 00741CF7

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: ea4376de755b4f4c303cf7ca1d0cecadc246a1276e44dc9f7318839a76d11581
Instruction ID: 84fa416ba25abf5f5708850cbac145ae4e6379f27782d77c8f365eb1a3adb931
Opcode Fuzzy Hash: ea4376de755b4f4c303cf7ca1d0cecadc246a1276e44dc9f7318839a76d11581
Instruction Fuzzy Hash: EE21F6317412009FD3219F1ACC84B6A7BE5EF85324B59C059E8458B352C779DC82CBA4

Function 006B8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 006F5DF0
VUUU, xrefs: 006B83E8
VUUU, xrefs: 006B83FA
VUUU, xrefs: 006B843C
ERCP, xrefs: 006B813C

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 383e8c9a6dd23d6c182c27a8ad3f6c30dbdeacadd20118a0392763ff88c168fc
Instruction ID: 07eb6125633e5bc8f4a421cc444528d053cec77f622fd03ab0c4f8cdaa371118
Opcode Fuzzy Hash: 383e8c9a6dd23d6c182c27a8ad3f6c30dbdeacadd20118a0392763ff88c168fc
Instruction Fuzzy Hash: 28A25DB1A0021ACFDF24CF58C9507FDB7B6BB54314F2481A9EA16A7345EB709D81CB90

Function 00718298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 007182AA

Strings

tbw, xrefs: 007184F4
|, xrefs: 007182DA
(, xrefs: 007182F0

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tbw$|
API String ID: 1659193697-2577085510
Opcode ID: 37b34c1aac8e0cfb13a58f054441f77d86cd87b53cf05fbbce76c45656524598
Instruction ID: 9f5b3f96136263a7e17a55a47bca1ddb61e10e8c4d4b11df687c532bc26dc27c
Opcode Fuzzy Hash: 37b34c1aac8e0cfb13a58f054441f77d86cd87b53cf05fbbce76c45656524598
Instruction Fuzzy Hash: 00323774A006059FCB68CF59C081AAAB7F1FF48710B15C56EE49ADB3A1EB74E981CB44

Function 0071AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0071AAAC
SetKeyboardState.USER32(00000080), ref: 0071AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0071AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0071AB88

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 3829b83ca7c53ffd7df9c51ac072b7cd668ba07d6f196a03047143c45cf54240
Instruction ID: 2ab23c2a36e7588c87a942f69a5edefbd7b8504aa9a7092cb0f141641370f8bb
Opcode Fuzzy Hash: 3829b83ca7c53ffd7df9c51ac072b7cd668ba07d6f196a03047143c45cf54240
Instruction Fuzzy Hash: 643128B0A46288BEFF31CA6CCC05BFA7BA6AF45310F04821AF181521D1D37D89C5C762

Function 006EBB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006EBB7F

Part of subcall function 006E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006ED7D1,00000000,00000000,00000000,00000000,?,006ED7F8,00000000,00000007,00000000,?,006EDBF5,00000000), ref: 006E29DE
Part of subcall function 006E29C8: GetLastError.KERNEL32(00000000,?,006ED7D1,00000000,00000000,00000000,00000000,?,006ED7F8,00000000,00000007,00000000,?,006EDBF5,00000000,00000000), ref: 006E29F0

GetTimeZoneInformation.KERNEL32 ref: 006EBB91
WideCharToMultiByte.KERNEL32(00000000,?,0078121C,000000FF,?,0000003F,?,?), ref: 006EBC09
WideCharToMultiByte.KERNEL32(00000000,?,00781270,000000FF,?,0000003F,?,?,?,0078121C,000000FF,?,0000003F,?,?), ref: 006EBC36

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 03b1a4a818219441acc4d6dbe8f01ca0d8e3bccf722ba89bf1a636408e2ad190
Instruction ID: d74c8f5d4e20113c0f120781693784a85c4aac624f128e9814bd4b4d6ef3f13c
Opcode Fuzzy Hash: 03b1a4a818219441acc4d6dbe8f01ca0d8e3bccf722ba89bf1a636408e2ad190
Instruction Fuzzy Hash: 3B31E170A49385DFCB11DF6ADC8186EBBBAFF45710B2492AAE050DB2A1C7349D02CB54

Function 0072CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0072CE89
GetLastError.KERNEL32(?,00000000), ref: 0072CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0072CEFE

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: a542eeb30abede9f76b4e9d38ffd7c02dee7bc9a2f83fc2ce7a80fbd463b2ef2
Instruction ID: 1b90444fd89b2a7eefbc99ddb228762eccd00eb30cfee8ef02fe6e1e40732076
Opcode Fuzzy Hash: a542eeb30abede9f76b4e9d38ffd7c02dee7bc9a2f83fc2ce7a80fbd463b2ef2
Instruction Fuzzy Hash: E821CFB29007159BEB22DFA5E948BAB77FCEB20358F10841EE546D2151E778EE048B54

Function 00725C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00725CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00725D17
FindClose.KERNEL32(?), ref: 00725D5F

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 5b3c7cc02bdf548174a2942659554784ea535b12a51c894b3a90bebed1cf3569
Instruction ID: edbf627bcbed2807f3aefd32075d32dd5b35fee114c844fa55affd96c9346234
Opcode Fuzzy Hash: 5b3c7cc02bdf548174a2942659554784ea535b12a51c894b3a90bebed1cf3569
Instruction Fuzzy Hash: B2519774604A019FC714CF28D4D4A9AB7E4FF4A324F14855EE99A8B3A2DB34ED44CFA1

Function 006E2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 006E271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 006E2724
UnhandledExceptionFilter.KERNEL32(?), ref: 006E2731

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 9f7ad0d01c2f920be7cc6f39f1122b61a6a6f0a21db6854dcff36d8f45aaf927
Instruction ID: 814eeb4c94997fd0f57918bc82f8690ebf07c567df5ecb39f9cedf70fd9899d9
Opcode Fuzzy Hash: 9f7ad0d01c2f920be7cc6f39f1122b61a6a6f0a21db6854dcff36d8f45aaf927
Instruction Fuzzy Hash: A031C4749013199BCB61DF65DC887DCBBB9AF08310F5041EAE40CA6261E7749F818F49

Function 007251CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007251DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00725238
SetErrorMode.KERNEL32(00000000), ref: 007252A1

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 4bf3da67e0d95360b52ff135b0e7a9eab23ab398fc7630795cf483f157d27e0b
Instruction ID: 81fd925617397a3503cc495a9bffdb567d7efd0f4cd994ee59c74cad506821ca
Opcode Fuzzy Hash: 4bf3da67e0d95360b52ff135b0e7a9eab23ab398fc7630795cf483f157d27e0b
Instruction Fuzzy Hash: B0317CB5A00518DFDB00DF54D884EADBBF5FF49314F188099E805AB3A2DB35E945CBA0

Function 007116C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 006CFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 006D0668
Part of subcall function 006CFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 006D0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0071170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0071173A
GetLastError.KERNEL32 ref: 0071174A

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: d0c086d7a195eff6137ef4ecd9f3dc2dd9b6ecd07a8a2d729dce139348800ad7
Instruction ID: 8126d4bae5b14fa72077205c6565cb0725793453e3e30da7f2fc82f77e3e2434
Opcode Fuzzy Hash: d0c086d7a195eff6137ef4ecd9f3dc2dd9b6ecd07a8a2d729dce139348800ad7
Instruction Fuzzy Hash: 2F11CEB2400304AFD718AF58DC86EAAB7BAEF04714B20852EE05657291EB74BC818B24

Function 0071D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0071D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0071D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0071D650

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 179e3d1d6ed3a1c199a0ea4427b552ab91d826cb947ff6e0bd82a3d14cd3be42
Instruction ID: 09e43db6da9390cf8b06da3fb949c57a9fb9d147b24c0df9637f95c9768a2a51
Opcode Fuzzy Hash: 179e3d1d6ed3a1c199a0ea4427b552ab91d826cb947ff6e0bd82a3d14cd3be42
Instruction Fuzzy Hash: 98117C75E01228BBDB208F989C44FAFBBBCEB45B50F108112F904E7290C2B45A018BA1

Function 00711663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0071168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 007116A1
FreeSid.ADVAPI32(?), ref: 007116B1

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: e1b044efc2f3941e61e4d68a6a0e3ff3c966b4256fc077f30f02cb3b7521457a
Instruction ID: 8596e7d97d324cc649b0c4b2376c310764446c292afb98b7908e24dfdcba5098
Opcode Fuzzy Hash: e1b044efc2f3941e61e4d68a6a0e3ff3c966b4256fc077f30f02cb3b7521457a
Instruction Fuzzy Hash: DBF04475A41308FBDB00CFE48C89AAEBBBCEB08200F408861E600E2190E738AA448A54

Function 0070D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0070D28C

Strings

X64, xrefs: 0070D2A8

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 06ab71ac291041bb28a004203b7ad4ff54b4e22724839a334e9a9708f2e80cff
Instruction ID: 47568380fd5f95a1e4c348a7bd5d588b3b5f9c5fe3d98f3b9f11f7d7bf834bbf
Opcode Fuzzy Hash: 06ab71ac291041bb28a004203b7ad4ff54b4e22724839a334e9a9708f2e80cff
Instruction Fuzzy Hash: B0D0C9B480211DEBCB90CB90DC88DE9B3BCBB04315F104256F106A2040D73495498F10

Function 006DCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: ba6482a0914f35a72385902a6590db340da1e063692a6cb04c091aafe7746777
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: E302FC71E0111A9BDF14CFA9C9806EDFBF2EF48324F25426AD919EB384D731A941CB94

Function 006BCAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00700C40
p#x, xrefs: 006BCF7F

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#x
API String ID: 0-252530211
Opcode ID: 8d361d60ee4643bbf922781e6e1afc207b25820b3c3a06d831508865680e4319
Instruction ID: 8d7ba9665ed8d291f732b857ce0b26de4b416fc055e884dac1fc0972c2b39dbf
Opcode Fuzzy Hash: 8d361d60ee4643bbf922781e6e1afc207b25820b3c3a06d831508865680e4319
Instruction Fuzzy Hash: 52329EB4900218DBDF14DF94C895BFDB7B6FF04324F148169E806AB292D775AE86CB60

Function 007268EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00726918
FindClose.KERNEL32(00000000), ref: 00726961

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 5ba35c412cd66e0fe2d8ae41f19ac93a61c97a7e0a74a7ffa6aad939444114c9
Instruction ID: 8a6fcaf71db056d09f3f3abbee5607891cbf03eafadee08bf6c4cc3a89d6a96c
Opcode Fuzzy Hash: 5ba35c412cd66e0fe2d8ae41f19ac93a61c97a7e0a74a7ffa6aad939444114c9
Instruction Fuzzy Hash: B811D0756042109FD710CF29D484A26BBE5FF85328F04C69EF4A98F2A2CB74EC45CB90

Function 007237B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00734891,?,?,00000035,?), ref: 007237E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00734891,?,?,00000035,?), ref: 007237F4

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 2eaf3bb2cc03cb0ec3930e69b012e92e8029b5c0e737278afb2602a955c4105b
Instruction ID: 7f8989cde01dab1a10df54ff8cccbf799727805d3d1c9f7506ce3dc71ae012e5
Opcode Fuzzy Hash: 2eaf3bb2cc03cb0ec3930e69b012e92e8029b5c0e737278afb2602a955c4105b
Instruction Fuzzy Hash: 0DF05CB06012282BDB5017655C4CFEB3AAEEFC5760F000225F104D2280C6744900C7B0

Function 0071B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0071B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0071B270

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 1b8cde4e4d722622d732fdf5f7b6e46cf3e06e8f3580440404906b4c647ecfac
Instruction ID: b55a1d11527a5298004b0e96d856fcc30cda95f938a956eb09b81387ba9da2d6
Opcode Fuzzy Hash: 1b8cde4e4d722622d732fdf5f7b6e46cf3e06e8f3580440404906b4c647ecfac
Instruction Fuzzy Hash: B6F06D7480424DABDB068FA4C805BEE7BB4FF08305F00800AF951A5191C37D82159F94

Function 007110BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007111FC), ref: 007110D4
CloseHandle.KERNEL32(?,?,007111FC), ref: 007110E9

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: be5364f5c152b8a3f482bb5327dcb86a5f297ee679e2098372f52dbd87f01863
Instruction ID: 6b49432ce1987a4e9fe685517c981c6cecaee956c2d9dffd9d04742db601ae85
Opcode Fuzzy Hash: be5364f5c152b8a3f482bb5327dcb86a5f297ee679e2098372f52dbd87f01863
Instruction Fuzzy Hash: 31E04F32005610AFE7662B11FC05F7377AAEF04310B10C82EF5A6804B1DB62AC90DB14

Function 006E676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,006E6766,?,?,00000008,?,?,006EFEFE,00000000), ref: 006E6998

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 3562a59dda73877933fff75c3a1b82e1aadcc9b3552ee9a343915c9e047ae197
Instruction ID: 23433e5bf26c943e6f9fdec255de8da193e14d04efd7db2f21fa539901c302dc
Opcode Fuzzy Hash: 3562a59dda73877933fff75c3a1b82e1aadcc9b3552ee9a343915c9e047ae197
Instruction Fuzzy Hash: C2B16D316117498FD715CF29C486BA57BE1FF153A4F258658F89ACF2A2C335E982CB40

Function 006CB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0070851F

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 950547d4cb66c071a4366d4b86dc0cb24eff1ff11339d28bc92b56810ebf4a61
Instruction ID: 06c90ddea6b681634d660b308a643aff90cd66a05308624740f6063c8821965b
Opcode Fuzzy Hash: 950547d4cb66c071a4366d4b86dc0cb24eff1ff11339d28bc92b56810ebf4a61
Instruction Fuzzy Hash: 25124E71900229DBCB54CF58C881BFEB7F5FF48710F14819AE849EB295EB749A81CB91

Function 0072EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0072EABD

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 4374ae5dac79cd325a9861de477388d3c11b23943be615822834a18791104d7c
Instruction ID: 3fb72e1547a58076f3ccf8394803368b1c8caacbdbe9702918bfc0580804a6ee
Opcode Fuzzy Hash: 4374ae5dac79cd325a9861de477388d3c11b23943be615822834a18791104d7c
Instruction Fuzzy Hash: 89E01A762002149FC750EF59E804EAAB7EDAFA9760F00C41AFC4AC7251DBB4A8808B95

Function 006D09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,006D03EE), ref: 006D09DA

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 887f4d0f06f38624a7fe2b039af4bcc6a53d4f5330839db18252e19a44f76344
Instruction ID: 0d16efc7c614580e29db49751e31d28518345223cea0a022faf3edb7c8877bc5
Opcode Fuzzy Hash: 887f4d0f06f38624a7fe2b039af4bcc6a53d4f5330839db18252e19a44f76344
Instruction Fuzzy Hash:

Function 006D781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 006D798B

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 5bd0282c0598b3d0ff134718be5c4679c4c0f4729af602ab0698511c8814276b
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 58515972E0C6455BDB384568886E7FE63979B52300F18052FD886DB382FA15DE02F39B

Function 00722046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&x, xrefs: 00722053

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID: 0&x
API String ID: 0-1177175720
Opcode ID: fd69e077845bf8272543042dddd656c960545d16f9e99e01dbf392e52bab06f7
Instruction ID: 4e70a03326538e067ea49febe163b988351a705dffe92302a4dc4c67e3292d57
Opcode Fuzzy Hash: fd69e077845bf8272543042dddd656c960545d16f9e99e01dbf392e52bab06f7
Instruction Fuzzy Hash: 5221A5327606118BD728CE79C82267A73E5A754310F25862EE4A7C77D1DE3AE905CB84

Function 006E6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c67cebecee14de111356e3f8825aaec3340137b09036ad37240fc7e215a33b76
Instruction ID: a3cf9fb5aeb16e12d853599f4b5192383d4685a4234c658d2077b6e3edf011be
Opcode Fuzzy Hash: c67cebecee14de111356e3f8825aaec3340137b09036ad37240fc7e215a33b76
Instruction Fuzzy Hash: A4325921D2AF814DD7239635DC22375629AAFB73C6F14C737F81AB5AA6EF69C4834100

Function 006CCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7a9c4290a8394d58c448e3f191ff58c666129456894572eee9cf1b3c25a005f
Instruction ID: a389bff8edf732eb74ee711e36a6800dca433864c9cd238cd9f2643cb488af38
Opcode Fuzzy Hash: c7a9c4290a8394d58c448e3f191ff58c666129456894572eee9cf1b3c25a005f
Instruction Fuzzy Hash: 90321471A00105CBDF2ACB28C494BBD77E2EB45314F28836AE84ACB2D1E638DD81DB51

Function 006B7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6050f17a20014e821ff740165e073343bf44e415bd5d4ee75d62a3fd5a2ff6a7
Instruction ID: ae9b3c983813cab4273af8846dd805736d2996d1d69e59b99bde8ed32cefb50b
Opcode Fuzzy Hash: 6050f17a20014e821ff740165e073343bf44e415bd5d4ee75d62a3fd5a2ff6a7
Instruction Fuzzy Hash: 25228DB0A0460A9FDF14DF68C881AEEB7F7FF44300F244629E916A7291EB35AD51CB54

Function 006B91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92c6f158844e3c971a8e5e2fbb377b5b311212de3ff8158b6e4bd247edb2ce69
Instruction ID: e991f8463ecfe3f7fbad13a0d6204121fd62a938a56db0011e377cde42af1079
Opcode Fuzzy Hash: 92c6f158844e3c971a8e5e2fbb377b5b311212de3ff8158b6e4bd247edb2ce69
Instruction Fuzzy Hash: CA02A6B1E00209EBDB14DF54D981AFDBBB3FF44300F108169E9169B3A1EB35AA51CB95

Function 006E9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb8389ed199f4aece0de8e35e89650dbefbb7c588be00f30e3c5abcceee866c6
Instruction ID: 5c4acb1612e4f5bb712df15e6574a9df37ab748028bee1ed5971372001caed85
Opcode Fuzzy Hash: eb8389ed199f4aece0de8e35e89650dbefbb7c588be00f30e3c5abcceee866c6
Instruction Fuzzy Hash: F3B1F020E2AF404DD72396398831336B65CAFBB6D6F91D71BFC2674D22EB2686834144

Function 006D1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 374a109f59d7465bd3d0abd7ef26b61add25a619e134f67c27c16c5c1577e2be
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: F2918772A080A35ADB29463A85344BDFFE35E933A131A079FD4F2CE3C5EE548955D620

Function 006D1F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: b7d2f0b75def13c2dba50dd4e165ec10f33a5c255d49dbbba3a42b728b7f7249
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: DF917972A080A349D7294339897447EFFE35AA23A131A479FD5F2CF3C5EE24C555D620

Function 006D19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 87fe170d9fa0c98d70f40e8240ee757023b7733139f58a11d9bebd0ffc180823
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 14917372A090A35ADB2D427A857407DFFE25A933A131E079FD4F2CE3C1FD648655D620

Function 006D7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c7efed43c4262cee8ec11c5d07872d39add11ec2e69aa28b7e4005193b4e044
Instruction ID: 5f60fd391f5177e8a7e76a2787eaa1f6309e7aaf75a1ee40fb94432f1524a904
Opcode Fuzzy Hash: 2c7efed43c4262cee8ec11c5d07872d39add11ec2e69aa28b7e4005193b4e044
Instruction Fuzzy Hash: 94615871E0874A5ADA749E288DA6BFE2397DF51704F18091FE842DB381F611AE42C35B

Function 006D7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 366fd7891f21154c3d22fa8206417c0268cb3c7e1e5f4a51b8d6e4d874d52e6c
Instruction ID: f9a8536908eea3b2d87c6a3c486563ed91d98344d992e2da2d6b1f5ffaa8aa69
Opcode Fuzzy Hash: 366fd7891f21154c3d22fa8206417c0268cb3c7e1e5f4a51b8d6e4d874d52e6c
Instruction Fuzzy Hash: 88614971E0870956DE385A289856BFF6397DF42704F14095FE943DB381FA12ED42825B

Function 006D1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: e279c83ea72d026b18385573a8381f6e4b189b710267c5f53ffb6e03f7ed2d75
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 1E816672E090A31ADB6D8279853447EFFE35A933A131A079FD4F2CE3D1EE648554E620

Function 00732ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00732B30
DeleteObject.GDI32(00000000), ref: 00732B43
DestroyWindow.USER32 ref: 00732B52
GetDesktopWindow.USER32 ref: 00732B6D
GetWindowRect.USER32(00000000), ref: 00732B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00732CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00732CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00732CF8
GetClientRect.USER32(00000000,?), ref: 00732D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00732D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00732D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00732D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00732D80
GlobalLock.KERNEL32(00000000), ref: 00732D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00732D98
GlobalUnlock.KERNEL32(00000000), ref: 00732DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00732DA8
GlobalFree.KERNEL32(00000000), ref: 00732DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00732DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0074FC38,00000000), ref: 00732DDB
GlobalFree.KERNEL32(00000000), ref: 00732DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00732E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00732E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00732E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0073303F

Strings

static, xrefs: 00732D3A, 00732E91
, xrefs: 00732FC5
DISPLAY, xrefs: 00732EA2
AutoIt v3, xrefs: 00732CF2

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 0b598e94cbc3b9a268786e39ff4a040f912d8569a60ee7de39987b9893db53d6
Instruction ID: fe0129f05b89d1d2a1db663fe24986f8b8f689339a44bb3381aec6e53c7d7668
Opcode Fuzzy Hash: 0b598e94cbc3b9a268786e39ff4a040f912d8569a60ee7de39987b9893db53d6
Instruction Fuzzy Hash: AB029EB5500214EFDB15DF64CC89EAE7BB9FF49310F108119F915AB2A2DB78AD01CB64

Function 007470D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0074712F
GetSysColorBrush.USER32(0000000F), ref: 00747160
GetSysColor.USER32(0000000F), ref: 0074716C
SetBkColor.GDI32(?,000000FF), ref: 00747186
SelectObject.GDI32(?,?), ref: 00747195
InflateRect.USER32(?,000000FF,000000FF), ref: 007471C0
GetSysColor.USER32(00000010), ref: 007471C8
CreateSolidBrush.GDI32(00000000), ref: 007471CF
FrameRect.USER32(?,?,00000000), ref: 007471DE
DeleteObject.GDI32(00000000), ref: 007471E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00747230
FillRect.USER32(?,?,?), ref: 00747262
GetWindowLongW.USER32(?,000000F0), ref: 00747284

Part of subcall function 007473E8: GetSysColor.USER32(00000012), ref: 00747421
Part of subcall function 007473E8: SetTextColor.GDI32(?,?), ref: 00747425
Part of subcall function 007473E8: GetSysColorBrush.USER32(0000000F), ref: 0074743B
Part of subcall function 007473E8: GetSysColor.USER32(0000000F), ref: 00747446
Part of subcall function 007473E8: GetSysColor.USER32(00000011), ref: 00747463
Part of subcall function 007473E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00747471
Part of subcall function 007473E8: SelectObject.GDI32(?,00000000), ref: 00747482
Part of subcall function 007473E8: SetBkColor.GDI32(?,00000000), ref: 0074748B
Part of subcall function 007473E8: SelectObject.GDI32(?,?), ref: 00747498
Part of subcall function 007473E8: InflateRect.USER32(?,000000FF,000000FF), ref: 007474B7
Part of subcall function 007473E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007474CE
Part of subcall function 007473E8: GetWindowLongW.USER32(00000000,000000F0), ref: 007474DB

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 291ce3dcece53efabdf5eca0e950e8d55fb523f999aa9cf653b2f93c3e392d02
Instruction ID: 57ccd7d2fc992440ea5d36bb209d1ba2ac751739dd93f272d21252d646723fb5
Opcode Fuzzy Hash: 291ce3dcece53efabdf5eca0e950e8d55fb523f999aa9cf653b2f93c3e392d02
Instruction Fuzzy Hash: D6A1C076009301FFD7569F60DC48E6BBBB9FB8A320F104A1AF962961E1D778E800CB55

Function 006C8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 006C8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00706AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00706AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00706F43

Part of subcall function 006C8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,006C8BE8,?,00000000,?,?,?,?,006C8BBA,00000000,?), ref: 006C8FC5

SendMessageW.USER32(?,00001053), ref: 00706F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00706F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00706FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00706FB7

Strings

0, xrefs: 00706DCF

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: a3befec17d606097f88b2a6d635c7716eec795b60c3d883a62fe87c0dbd2f3a3
Instruction ID: 13da66988524c8efefc5826f426178d1ede5f892aacf9eb2e5f131659c61d45f
Opcode Fuzzy Hash: a3befec17d606097f88b2a6d635c7716eec795b60c3d883a62fe87c0dbd2f3a3
Instruction Fuzzy Hash: 0112AE74201201DFDB25CF24C864BBAB7E6FB49300F64866DE595CB2A1CB39EC62CB55

Function 00732711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0073273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0073286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 007328A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 007328B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00732900
GetClientRect.USER32(00000000,?), ref: 0073290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00732955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00732964
GetStockObject.GDI32(00000011), ref: 00732974
SelectObject.GDI32(00000000,00000000), ref: 00732978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00732988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00732991
DeleteDC.GDI32(00000000), ref: 0073299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007329C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 007329DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00732A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00732A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00732A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00732A77
GetStockObject.GDI32(00000011), ref: 00732A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00732A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00732A97

Strings

msctls_progress32, xrefs: 00732A13
static, xrefs: 0073294F, 00732A71
DISPLAY, xrefs: 0073295A
AutoIt v3, xrefs: 007328F8

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 9fe4ca6f7733921fa97fabbc5162b3484778d9fe7be8e42701f0e3605ac66b8b
Instruction ID: 1a97816b6bf96f513694ba03f9a35408f9a2d3dd5f186288d4bdd24a37aa1156
Opcode Fuzzy Hash: 9fe4ca6f7733921fa97fabbc5162b3484778d9fe7be8e42701f0e3605ac66b8b
Instruction Fuzzy Hash: 17B19FB5A40215AFEB10CF68CC49FAE7BA9FB05710F108515FA14E7291D778ED41CBA8

Function 00724ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00724AED
GetDriveTypeW.KERNEL32(?,0074CB68,?,\\.\,0074CC08), ref: 00724BCA
SetErrorMode.KERNEL32(00000000,0074CB68,?,\\.\,0074CC08), ref: 00724D36

Strings

Fixed, xrefs: 00724C09
MMC, xrefs: 00724CDE
1394, xrefs: 00724C9F
Network, xrefs: 00724C02
RAMDisk, xrefs: 00724BF4
SAS, xrefs: 00724CC9
\\.\, xrefs: 00724B3F
PhysicalDrive, xrefs: 00724B76
Fibre, xrefs: 00724CAD
Removable, xrefs: 00724C10, 00724C15
Unknown, xrefs: 00724BED, 00724C83
SATA, xrefs: 00724CD0
SCSI, xrefs: 00724C8A
ATAPI, xrefs: 00724C91
SSD, xrefs: 00724C4A
CDROM, xrefs: 00724BFB
iSCSI, xrefs: 00724CC2
ATA, xrefs: 00724C98
Virtual, xrefs: 00724CE5
RAID, xrefs: 00724CBB
USB, xrefs: 00724CB4
SSA, xrefs: 00724CA6
FileBackedVirtual, xrefs: 00724CEC

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 99c962346cae2fd4416825505e6e99d527da85e0d9ee952468a26cf4be54bbbd
Instruction ID: 8527ecaae412f3bee853044431c2336646bf9f9a4507313c47d8651a96d49623
Opcode Fuzzy Hash: 99c962346cae2fd4416825505e6e99d527da85e0d9ee952468a26cf4be54bbbd
Instruction Fuzzy Hash: 6661D3B0701615DBCF15DF28DA919B877F1EB04380B24841AF80AAB695DB3DEDC1DB61

Function 007473E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00747421
SetTextColor.GDI32(?,?), ref: 00747425
GetSysColorBrush.USER32(0000000F), ref: 0074743B
GetSysColor.USER32(0000000F), ref: 00747446
CreateSolidBrush.GDI32(?), ref: 0074744B
GetSysColor.USER32(00000011), ref: 00747463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00747471
SelectObject.GDI32(?,00000000), ref: 00747482
SetBkColor.GDI32(?,00000000), ref: 0074748B
SelectObject.GDI32(?,?), ref: 00747498
InflateRect.USER32(?,000000FF,000000FF), ref: 007474B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007474CE
GetWindowLongW.USER32(00000000,000000F0), ref: 007474DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0074752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00747554
InflateRect.USER32(?,000000FD,000000FD), ref: 00747572
DrawFocusRect.USER32(?,?), ref: 0074757D
GetSysColor.USER32(00000011), ref: 0074758E
SetTextColor.GDI32(?,00000000), ref: 00747596
DrawTextW.USER32(?,007470F5,000000FF,?,00000000), ref: 007475A8
SelectObject.GDI32(?,?), ref: 007475BF
DeleteObject.GDI32(?), ref: 007475CA
SelectObject.GDI32(?,?), ref: 007475D0
DeleteObject.GDI32(?), ref: 007475D5
SetTextColor.GDI32(?,?), ref: 007475DB
SetBkColor.GDI32(?,?), ref: 007475E5

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: e1f364191db65419c000d0927ee4295fca45a79c1d2e4a87fd8f37fe2925855d
Instruction ID: e0bba3766f3862103d3a66cb267ab6595fe4a35645fe4f23d66c6d4743bebde0
Opcode Fuzzy Hash: e1f364191db65419c000d0927ee4295fca45a79c1d2e4a87fd8f37fe2925855d
Instruction Fuzzy Hash: 24619F76901218AFDF059FA4DC49EEEBFB9EB09320F118116F911BB2A1D7789940CF90

Function 00740FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00741128
GetDesktopWindow.USER32 ref: 0074113D
GetWindowRect.USER32(00000000), ref: 00741144
GetWindowLongW.USER32(?,000000F0), ref: 00741199
DestroyWindow.USER32(?), ref: 007411B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007411ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0074120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0074121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00741232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00741245
IsWindowVisible.USER32(00000000), ref: 007412A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 007412BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 007412D0
GetWindowRect.USER32(00000000,?), ref: 007412E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0074130E
GetMonitorInfoW.USER32(00000000,?), ref: 00741328
CopyRect.USER32(?,?), ref: 0074133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 007413AA

Strings

tooltips_class32, xrefs: 007411E6
(, xrefs: 0074131B
0, xrefs: 007410D3

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 0998a256da21b74def0c21edab4ab9231af89d29cedbc6c27b03284f234ad4bd
Instruction ID: f488d50898e1ddd54288d5471e65cc42b8cfd55c0b63590034fdfcee00783b39
Opcode Fuzzy Hash: 0998a256da21b74def0c21edab4ab9231af89d29cedbc6c27b03284f234ad4bd
Instruction Fuzzy Hash: FCB1BC71604340AFD750EF24C884BABBBE5FF85300F40891DF9999B2A1C775E884CBA6

Function 006C8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006C8968
GetSystemMetrics.USER32(00000007), ref: 006C8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006C899B
GetSystemMetrics.USER32(00000008), ref: 006C89A3
GetSystemMetrics.USER32(00000004), ref: 006C89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 006C89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 006C89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 006C8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 006C8A3C
GetClientRect.USER32(00000000,000000FF), ref: 006C8A5A
GetStockObject.GDI32(00000011), ref: 006C8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 006C8A81

Part of subcall function 006C912D: GetCursorPos.USER32(?), ref: 006C9141
Part of subcall function 006C912D: ScreenToClient.USER32(00000000,?), ref: 006C915E
Part of subcall function 006C912D: GetAsyncKeyState.USER32(00000001), ref: 006C9183
Part of subcall function 006C912D: GetAsyncKeyState.USER32(00000002), ref: 006C919D

SetTimer.USER32(00000000,00000000,00000028,006C90FC), ref: 006C8AA8

Strings

AutoIt v3 GUI, xrefs: 006C8A20

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 81f96450d318cdcbb14ad323facec8d314465277a1e6363042b39abeccb900dc
Instruction ID: 9810ccaa2cc4bed2eaa22f95f6260cc200d95cfac56f61576aeaca4ce14bec00
Opcode Fuzzy Hash: 81f96450d318cdcbb14ad323facec8d314465277a1e6363042b39abeccb900dc
Instruction Fuzzy Hash: 7BB1AF35640209DFDB14DF68CC55FAE7BB5FB48314F11822AFA05A72D0CB38A851CB58

Function 00710D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007110F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00711114
Part of subcall function 007110F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00710B9B,?,?,?), ref: 00711120
Part of subcall function 007110F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00710B9B,?,?,?), ref: 0071112F
Part of subcall function 007110F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00710B9B,?,?,?), ref: 00711136
Part of subcall function 007110F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0071114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00710DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00710E29
GetLengthSid.ADVAPI32(?), ref: 00710E40
GetAce.ADVAPI32(?,00000000,?), ref: 00710E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00710E96
GetLengthSid.ADVAPI32(?), ref: 00710EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00710EB5
HeapAlloc.KERNEL32(00000000), ref: 00710EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00710EDD
CopySid.ADVAPI32(00000000), ref: 00710EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00710F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00710F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00710F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00710F6E
HeapFree.KERNEL32(00000000), ref: 00710F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00710F7E
HeapFree.KERNEL32(00000000), ref: 00710F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00710F8E
HeapFree.KERNEL32(00000000), ref: 00710F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00710FA1
HeapFree.KERNEL32(00000000), ref: 00710FA8

Part of subcall function 00711193: GetProcessHeap.KERNEL32(00000008,00710BB1,?,00000000,?,00710BB1,?), ref: 007111A1
Part of subcall function 00711193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00710BB1,?), ref: 007111A8
Part of subcall function 00711193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00710BB1,?), ref: 007111B7

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: db2b04224bb45e9c2653ba82e28d21690379f593e1f58027877b62028eeb2eb5
Instruction ID: 5d4457f7ceea0e105241b0566135e445e5a98c78bcd338ac929411a784e3ae7d
Opcode Fuzzy Hash: db2b04224bb45e9c2653ba82e28d21690379f593e1f58027877b62028eeb2eb5
Instruction Fuzzy Hash: 9F718F7190120AEBDF219FA9DC49FEEBBBCBF05300F048115F919A6191D7799A85CBA0

Function 0073C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0073C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0074CC08,00000000,?,00000000,?,?), ref: 0073C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0073C5A4
_wcslen.LIBCMT ref: 0073C5F4
_wcslen.LIBCMT ref: 0073C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0073C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0073C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0073C84D
RegCloseKey.ADVAPI32(?), ref: 0073C881
RegCloseKey.ADVAPI32(00000000), ref: 0073C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0073C960

Strings

REG_MULTI_SZ, xrefs: 0073C6F5
REG_SZ, xrefs: 0073C644
REG_EXPAND_SZ, xrefs: 0073C5CD
REG_BINARY, xrefs: 0073C913
REG_QWORD, xrefs: 0073C8C3
REG_DWORD, xrefs: 0073C804

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: a83c0c130d8638d0604ca65a34168fa77925509eab820046105ac722d439ec90
Instruction ID: 5f58e9a8717e73bd41d8c3009461d61a5b0b69ad54da085a47019a1c5f92b20d
Opcode Fuzzy Hash: a83c0c130d8638d0604ca65a34168fa77925509eab820046105ac722d439ec90
Instruction Fuzzy Hash: 2D12AC756042009FD755DF14C881A6AB7E6FF88314F04889DF88AAB3A2DB35FD41CB85

Function 0074091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007409C6
_wcslen.LIBCMT ref: 00740A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00740A54
_wcslen.LIBCMT ref: 00740A8A
_wcslen.LIBCMT ref: 00740B06
_wcslen.LIBCMT ref: 00740B81

Part of subcall function 006CF9F2: _wcslen.LIBCMT ref: 006CF9FD

Part of subcall function 00712BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00712BFA

Strings

EXPAND, xrefs: 00740BF8
EXISTS, xrefs: 00740B7C, 00740B97
GETTOTALCOUNT, xrefs: 007409F2, 00740A17
GETTEXT, xrefs: 00740C97
COLLAPSE, xrefs: 00740B01, 00740B1C
ISCHECKED, xrefs: 00740CE1
SELECT, xrefs: 00740D11
GETSELECTED, xrefs: 00740C4E
UNCHECK, xrefs: 00740D3E
CHECK, xrefs: 00740A85, 00740AA0
GETITEMCOUNT, xrefs: 00740C1E

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 15c154a84d77cbca4c15d43641bb6a4cc22743e18752e355338afd5a84846b59
Instruction ID: ad4ed2b59e4e6678cc372c2ff8ee604b44027471f79d629534606cb1d480637a
Opcode Fuzzy Hash: 15c154a84d77cbca4c15d43641bb6a4cc22743e18752e355338afd5a84846b59
Instruction Fuzzy Hash: 05E1BB712083018FCB54DF24C45096AB7E2FF88354B14895DF99A9B3A2DB38ED86CBD5

Function 0073C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0073B6AE,?,?), ref: 0073C9B5
_wcslen.LIBCMT ref: 0073C9F1
_wcslen.LIBCMT ref: 0073CA68
_wcslen.LIBCMT ref: 0073CA9E
_wcslen.LIBCMT ref: 0073CAF9
_wcslen.LIBCMT ref: 0073CB2F
_wcslen.LIBCMT ref: 0073CB7F

Strings

HKEY_USERS, xrefs: 0073CBDF
HKCR, xrefs: 0073CB29, 0073CB2E
HKCC, xrefs: 0073CBAC
HKCU, xrefs: 0073CBCE
HKEY_CURRENT_CONFIG, xrefs: 0073CB79, 0073CB7E
HKEY_CLASSES_ROOT, xrefs: 0073CAF3, 0073CAF8
HKU, xrefs: 0073CBF0
HKLM, xrefs: 0073CA98, 0073CA9D
HKEY_CURRENT_USER, xrefs: 0073CBBD
HKEY_LOCAL_MACHINE, xrefs: 0073CA62, 0073CA67

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 4aac105c500ee317cfbeef7aeee2fb73681666576e7e9e14a13e76034ca37f32
Instruction ID: b2108e9a440f69e02ef9b47c96763ad15a6d810c9fe38e0f38d68fef81e4804d
Opcode Fuzzy Hash: 4aac105c500ee317cfbeef7aeee2fb73681666576e7e9e14a13e76034ca37f32
Instruction Fuzzy Hash: 3F71077360012A8BEF12DF7CCD515BA3392AF60790F258529F855BB286EA3DCD45C3A0

Function 0074833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0074835A
_wcslen.LIBCMT ref: 0074836E
_wcslen.LIBCMT ref: 00748391
_wcslen.LIBCMT ref: 007483B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 007483F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0074361A,?), ref: 0074844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00748487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 007484CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00748501
FreeLibrary.KERNEL32(?), ref: 0074850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0074851D
DestroyIcon.USER32(?), ref: 0074852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00748549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00748555

Strings

.icl, xrefs: 00748368
.dll, xrefs: 007483AB
.exe, xrefs: 00748388

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 5085cedaa080fae1a01675227ef36b040f46b49e51fd4bd96fed6090e8dc6e4d
Instruction ID: e16350ae5234a7553a3cfe0c29fa19f3b4bc666013715e4f963f87cf6df9b560
Opcode Fuzzy Hash: 5085cedaa080fae1a01675227ef36b040f46b49e51fd4bd96fed6090e8dc6e4d
Instruction Fuzzy Hash: D861F271900219BBEB54CF64CC81BBE77A8BF04720F10850AF915DA1D1DFB8AE90CBA0

Function 006B7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#notrayicon, xrefs: 006B77E7
", xrefs: 006F5153
#pragma compile, xrefs: 006B77D3
#include-once, xrefs: 006B782F
#ce, xrefs: 006B78ED
#comments-start, xrefs: 006B785F, 006B78B1
Cannot parse #include, xrefs: 006F5279
#comments-end, xrefs: 006B78D9
#OnAutoItStartRegister, xrefs: 006B7817
#requireadmin, xrefs: 006B77FF
Bad directive syntax error, xrefs: 006F519A
#include, xrefs: 006B7847
Unterminated group of comments, xrefs: 006F528C
', xrefs: 006F5169
#cs, xrefs: 006B7873, 006B78C5

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: daf06f4521b51f9c0bea0ed8f063d56ed585e5ad7a18559359fbae4286b196f0
Instruction ID: b464907d9266e9b47e8e59486845c9186a4451e6dd75fe392c039111401706a0
Opcode Fuzzy Hash: daf06f4521b51f9c0bea0ed8f063d56ed585e5ad7a18559359fbae4286b196f0
Instruction Fuzzy Hash: 7781E7B1A04605BBDB20AF60CC46FFE37A7AF55300F044029FA05AB296EF74D951D7A5

Function 00723E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00723EF8
_wcslen.LIBCMT ref: 00723F03
_wcslen.LIBCMT ref: 00723F5A
_wcslen.LIBCMT ref: 00723F98
GetDriveTypeW.KERNEL32(?), ref: 00723FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0072401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00724059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00724087

Strings

close cd wait, xrefs: 00724072
open, xrefs: 00723F54, 00723F59
closed, xrefs: 00723F08, 00723F2D, 00723F46, 00723F7E, 00723F97
set cd door , xrefs: 00724028
type cdaudio alias cd wait, xrefs: 00724001
open , xrefs: 00723FE5
wait, xrefs: 00724044
close, xrefs: 00723EFE, 00723F18

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: e69856cda345036c18c9b9f2f5c0a93b7ed897c9ed694d80db847cc8d5d1d813
Instruction ID: 73e0ab6e69ed3e165cf9d8a68088546cd4efcf9dd74288b8504b49f11898c15d
Opcode Fuzzy Hash: e69856cda345036c18c9b9f2f5c0a93b7ed897c9ed694d80db847cc8d5d1d813
Instruction Fuzzy Hash: 917102B26043219FC710EF24D8808ABB7F5EF94754F10892DF99597251EB38EE89CB91

Function 00715A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00715A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00715A40
SetWindowTextW.USER32(?,?), ref: 00715A57
GetDlgItem.USER32(?,000003EA), ref: 00715A6C
SetWindowTextW.USER32(00000000,?), ref: 00715A72
GetDlgItem.USER32(?,000003E9), ref: 00715A82
SetWindowTextW.USER32(00000000,?), ref: 00715A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00715AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00715AC3
GetWindowRect.USER32(?,?), ref: 00715ACC
_wcslen.LIBCMT ref: 00715B33
SetWindowTextW.USER32(?,?), ref: 00715B6F
GetDesktopWindow.USER32 ref: 00715B75
GetWindowRect.USER32(00000000), ref: 00715B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00715BD3
GetClientRect.USER32(?,?), ref: 00715BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00715C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00715C2F

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 100c10456f26416f26b1227ad3f14bf89847c81f1fd94311cef865c09fd7e018
Instruction ID: b32ac43bcff129e1ce87f5d257a5490251fd4c0816fc65bf195a9fb7dc17a51d
Opcode Fuzzy Hash: 100c10456f26416f26b1227ad3f14bf89847c81f1fd94311cef865c09fd7e018
Instruction Fuzzy Hash: 31719F71900B09EFDB25DFA8CE85AAEBBF5FF88704F108519E142A25E0D779E940CB54

Function 0072FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0072FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0072FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0072FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0072FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0072FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0072FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0072FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0072FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0072FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0072FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0072FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0072FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0072FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0072FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0072FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0072FECC
GetCursorInfo.USER32(?), ref: 0072FEDC
GetLastError.KERNEL32 ref: 0072FF1E

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 37f319e66719eac2c1c5649dee89e971cc41e741aff30e9fb8d868cff959ae64
Instruction ID: 5d189dd9c46ecfbceedc6cc7840c546b769c5f17480faf959448022d978b37ee
Opcode Fuzzy Hash: 37f319e66719eac2c1c5649dee89e971cc41e741aff30e9fb8d868cff959ae64
Instruction Fuzzy Hash: 964140B0D053196ADB109FBA9C8986EBFF8FF04354B50853AF119E7281DB78A9018F91

Function 007130F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0071318D
_wcslen.LIBCMT ref: 007131F8

Strings

NAME, xrefs: 00713335, 00713346
TEXT, xrefs: 0071347C
INSTANCE, xrefs: 00713453
REGEXPCLASS, xrefs: 00713255, 00713266
CLASSNN, xrefs: 007131F3, 00713204
[w, xrefs: 0071339A
CLASS, xrefs: 00713188, 007131A5

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[w
API String ID: 176396367-778023905
Opcode ID: 83172e9e9fb767e7cda6386b2cc8e67fc0095618325d7da5228cb798d475d87f
Instruction ID: 2c0607b04ead8293926ae260145256ef93f6b099fc4e1dd3cd09ba607f7104c2
Opcode Fuzzy Hash: 83172e9e9fb767e7cda6386b2cc8e67fc0095618325d7da5228cb798d475d87f
Instruction Fuzzy Hash: 65E1E432A00516ABCF189FBCC451AFDBBB5BF44750F14812AE856B7280DB38AEC597D0

Function 006D00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 006D00C6

Part of subcall function 006D00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0078070C,00000FA0,5DBB1618,?,?,?,?,006F23B3,000000FF), ref: 006D011C
Part of subcall function 006D00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,006F23B3,000000FF), ref: 006D0127
Part of subcall function 006D00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,006F23B3,000000FF), ref: 006D0138
Part of subcall function 006D00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 006D014E
Part of subcall function 006D00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 006D015C
Part of subcall function 006D00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 006D016A
Part of subcall function 006D00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 006D0195
Part of subcall function 006D00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 006D01A0

___scrt_fastfail.LIBCMT ref: 006D00E7

Part of subcall function 006D00A3: __onexit.LIBCMT ref: 006D00A9

Strings

SleepConditionVariableCS, xrefs: 006D0154
InitializeConditionVariable, xrefs: 006D0148
WakeAllConditionVariable, xrefs: 006D0162
kernel32.dll, xrefs: 006D0133
api-ms-win-core-synch-l1-2-0.dll, xrefs: 006D0122

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: f7465cf3241ccde131f75ab0d3aa86fed56844ca296a8868db7ca6a52224e89d
Instruction ID: 8705ce8aadf78f3cc340464df7befaa06bfbb2ccf95a82c90a9eee029bfea0c3
Opcode Fuzzy Hash: f7465cf3241ccde131f75ab0d3aa86fed56844ca296a8868db7ca6a52224e89d
Instruction Fuzzy Hash: 6121F6B2E457147BFB516BB4AC05F6A3396EB4AB51F10813FF801E2391DB7898008A98

Function 007244C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0074CC08), ref: 00724527
_wcslen.LIBCMT ref: 0072453B
_wcslen.LIBCMT ref: 00724599
_wcslen.LIBCMT ref: 007245F4
_wcslen.LIBCMT ref: 0072463F
_wcslen.LIBCMT ref: 007246A7

Part of subcall function 006CF9F2: _wcslen.LIBCMT ref: 006CF9FD

GetDriveTypeW.KERNEL32(?,00776BF0,00000061), ref: 00724743

Strings

all, xrefs: 00724531, 00724536
unknown, xrefs: 00724708
ramdisk, xrefs: 007246F1
fixed, xrefs: 00724635, 0072463A
removable, xrefs: 007245EA, 007245EF
cdrom, xrefs: 0072458F, 00724594
network, xrefs: 0072469D, 007246A2

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: a2fb66de150f2c623e0062df3cc1674bacaace78daec70aabf28365f438bee20
Instruction ID: 3d57e41ceb2ef36307e49675541163ae24a761fedbc5ba72a9167b31dcaaa204
Opcode Fuzzy Hash: a2fb66de150f2c623e0062df3cc1674bacaace78daec70aabf28365f438bee20
Instruction Fuzzy Hash: F8B1F2716083229FC710DF28E890A7AB7E6FFA5760F50491DF496C7291D738D984CBA2

Function 0074911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 006C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006C9BB2

DragQueryPoint.SHELL32(?,?), ref: 00749147

Part of subcall function 00747674: ClientToScreen.USER32(?,?), ref: 0074769A
Part of subcall function 00747674: GetWindowRect.USER32(?,?), ref: 00747710
Part of subcall function 00747674: PtInRect.USER32(?,?,00748B89), ref: 00747720

SendMessageW.USER32(?,000000B0,?,?), ref: 007491B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007491BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007491DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00749225
SendMessageW.USER32(?,000000B0,?,?), ref: 0074923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00749255
SendMessageW.USER32(?,000000B1,?,?), ref: 00749277
DragFinish.SHELL32(?), ref: 0074927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00749371

Strings

@GUI_DROPID, xrefs: 0074929E
p#x, xrefs: 007492BB
@GUI_DRAGID, xrefs: 007492E9
@GUI_DRAGFILE, xrefs: 00749320

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#x
API String ID: 221274066-781702483
Opcode ID: e53dddd28eb0e553673503a7fdce9512b12a40e7d101ccefe05c8337298b6865
Instruction ID: c78a19b6c0e23f33e3c3b0bfecfd0d08ae85909d1ca7b7e9ab086e381d181cd1
Opcode Fuzzy Hash: e53dddd28eb0e553673503a7fdce9512b12a40e7d101ccefe05c8337298b6865
Instruction Fuzzy Hash: 01619C71108300AFC701EF64CC85DAFBBE9EF89350F00496EF695921A1DB749A49CB66

Function 00733FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0074CC08), ref: 007340BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 007340CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0074CC08), ref: 007340F2
FreeLibrary.KERNEL32(00000000,?,0074CC08), ref: 0073413E
StringFromGUID2.OLE32(?,?,00000028,?,0074CC08), ref: 007341A8
SysFreeString.OLEAUT32(00000009), ref: 00734262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 007342C8
SysFreeString.OLEAUT32(?), ref: 007342F2

Strings

kernel32.dll, xrefs: 007340B6
GetModuleHandleExW, xrefs: 007340C7

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 92e728343e091f72cc784705de784e3cf65b9e91786f69b26e47e4462d5292f0
Instruction ID: 1e23cf4417f92beb1b28acccf6e8fbd8aaa5cbcad6ae295a462e5eef037bd732
Opcode Fuzzy Hash: 92e728343e091f72cc784705de784e3cf65b9e91786f69b26e47e4462d5292f0
Instruction Fuzzy Hash: 86124E75A00119EFEB58CF94C884EAEBBB5FF45314F248099E905AB252D735FD42CBA0

Function 006B326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00781990), ref: 006F2F8D
GetMenuItemCount.USER32(00781990), ref: 006F303D
GetCursorPos.USER32(?), ref: 006F3081
SetForegroundWindow.USER32(00000000), ref: 006F308A
TrackPopupMenuEx.USER32(00781990,00000000,?,00000000,00000000,00000000), ref: 006F309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 006F30A9

Strings

0, xrefs: 006B327D

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: b48e75b087ee20a424971b0293bdd666bdfdb1e6a2264cd366694552a9fee347
Instruction ID: 15cc0e7ff651b66bbc5a9260e54c2a23b95ed325f58ed6b813c43ed622aa4b8c
Opcode Fuzzy Hash: b48e75b087ee20a424971b0293bdd666bdfdb1e6a2264cd366694552a9fee347
Instruction Fuzzy Hash: 60710B7064121ABEEB218F64CC59FEABF66FF05324F204216F6146A3D0C7B5AD50DB90

Function 00746CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00746DEB

Part of subcall function 006B6B57: _wcslen.LIBCMT ref: 006B6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00746E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00746E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00746E94
DestroyWindow.USER32(?), ref: 00746EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,006B0000,00000000), ref: 00746EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00746EFD
GetDesktopWindow.USER32 ref: 00746F16
GetWindowRect.USER32(00000000), ref: 00746F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00746F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00746F4D

Part of subcall function 006C9944: GetWindowLongW.USER32(?,000000EB), ref: 006C9952

Strings

tooltips_class32, xrefs: 00746E58, 00746EDD
0, xrefs: 00746D98

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 86e856624650e5dce32d1e6c2155167c9836636bcb93f081814a7c3254f24ff2
Instruction ID: 9a96874c6427639d76949a8bd1306c1fd8acef8abd875f9ddfb653ce56ead51f
Opcode Fuzzy Hash: 86e856624650e5dce32d1e6c2155167c9836636bcb93f081814a7c3254f24ff2
Instruction Fuzzy Hash: 39716974144340AFDB21CF18D844EAABBE9FB8A304F55845EF99987261C778E90ACB16

Function 0072C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0072C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0072C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0072C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0072C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0072C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0072C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0072C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0072C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0072C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0072C5F0
InternetCloseHandle.WININET(00000000), ref: 0072C5FB

Strings

, xrefs: 0072C575

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 21b2622b6565d46a065d0c1a85270457ec83dcb6324f8b8361809db2856da97a
Instruction ID: 5118761cd6828361bc4ad130a04511f0114da661d889183bb21c3c9b15ddd374
Opcode Fuzzy Hash: 21b2622b6565d46a065d0c1a85270457ec83dcb6324f8b8361809db2856da97a
Instruction Fuzzy Hash: 5D517BB5500618BFEB239F61D988AAF7BFCFF19344F10841AF94596210DB78EA14DB60

Function 0074856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00748592
GetFileSize.KERNEL32(00000000,00000000), ref: 007485A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 007485AD
CloseHandle.KERNEL32(00000000), ref: 007485BA
GlobalLock.KERNEL32(00000000), ref: 007485C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 007485D7
GlobalUnlock.KERNEL32(00000000), ref: 007485E0
CloseHandle.KERNEL32(00000000), ref: 007485E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 007485F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,0074FC38,?), ref: 00748611
GlobalFree.KERNEL32(00000000), ref: 00748621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00748641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00748671
DeleteObject.GDI32(00000000), ref: 00748699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 007486AF

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 98e6e5482e415bf1af9c9109c95e0bc93c725d288211e8357c39a0a0c2a099a0
Instruction ID: 653f4859cfd7e247e7f269e12c6c2a7f7088cd39fe1b8b4e2ca1f641e461f991
Opcode Fuzzy Hash: 98e6e5482e415bf1af9c9109c95e0bc93c725d288211e8357c39a0a0c2a099a0
Instruction Fuzzy Hash: 06413C75601208AFDB519FA5CC48EAE7BB8FF8A711F118059F905E7260DB789D01CB25

Function 007214BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00721502
VariantCopy.OLEAUT32(?,?), ref: 0072150B
VariantClear.OLEAUT32(?), ref: 00721517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 007215FB
VarR8FromDec.OLEAUT32(?,?), ref: 00721657
VariantInit.OLEAUT32(?), ref: 00721708
SysFreeString.OLEAUT32(?), ref: 0072178C
VariantClear.OLEAUT32(?), ref: 007217D8
VariantClear.OLEAUT32(?), ref: 007217E7
VariantInit.OLEAUT32(00000000), ref: 00721823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00721625
Default, xrefs: 007216AF

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: e799b0409cf8c20d852542525fb3ea37a30a14794c8dc47dae6e462173756232
Instruction ID: 9de59d811457d118545713129b4b6ff0b0cc425ca6eefaf6a9899c6fb21ef34e
Opcode Fuzzy Hash: e799b0409cf8c20d852542525fb3ea37a30a14794c8dc47dae6e462173756232
Instruction Fuzzy Hash: 67D12471A00225DBDB009F66E885BBDB7B6FF55700F90809AF406AB280DB38ED51DB61

Function 0073B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 006B9CB3: _wcslen.LIBCMT ref: 006B9CBD

Part of subcall function 0073C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0073B6AE,?,?), ref: 0073C9B5
Part of subcall function 0073C998: _wcslen.LIBCMT ref: 0073C9F1
Part of subcall function 0073C998: _wcslen.LIBCMT ref: 0073CA68
Part of subcall function 0073C998: _wcslen.LIBCMT ref: 0073CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0073B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0073B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0073B80A
RegCloseKey.ADVAPI32(?), ref: 0073B87E
RegCloseKey.ADVAPI32(?), ref: 0073B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0073B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0073B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0073B922
FreeLibrary.KERNEL32(00000000), ref: 0073B983
RegCloseKey.ADVAPI32(00000000), ref: 0073B994

Strings

RegDeleteKeyExW, xrefs: 0073B8FE
advapi32.dll, xrefs: 0073B8ED

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: dc189d85639479062f122a8228c85850626daf0971b7e789f912ddfe75d0518f
Instruction ID: 6370c8c59afad4624d85723d3d38510478560a000a657b96bd868209ccdd83bc
Opcode Fuzzy Hash: dc189d85639479062f122a8228c85850626daf0971b7e789f912ddfe75d0518f
Instruction Fuzzy Hash: 16C17A74204201EFE714DF14C495F6ABBE5EF84318F14849DF69A8B2A3CB39E985CB91

Function 0073255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 007325D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 007325E8
CreateCompatibleDC.GDI32(?), ref: 007325F4
SelectObject.GDI32(00000000,?), ref: 00732601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0073266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 007326AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 007326D0
SelectObject.GDI32(?,?), ref: 007326D8
DeleteObject.GDI32(?), ref: 007326E1
DeleteDC.GDI32(?), ref: 007326E8
ReleaseDC.USER32(00000000,?), ref: 007326F3

Strings

(, xrefs: 0073268D

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: b645e76f93086f9d7b232bde352b75890c2351fa1a13aa2cce53b24029580b3b
Instruction ID: 66c0c9c827b1f970adab1557b8b96576fde86501832ced0fc490aee666a19e54
Opcode Fuzzy Hash: b645e76f93086f9d7b232bde352b75890c2351fa1a13aa2cce53b24029580b3b
Instruction Fuzzy Hash: 6C6112B5D00219EFDF05CFA4D884EAEBBB6FF48310F20842AE955A7251D774A941CF54

Function 006EDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 006EDAA1

Part of subcall function 006ED63C: _free.LIBCMT ref: 006ED659
Part of subcall function 006ED63C: _free.LIBCMT ref: 006ED66B
Part of subcall function 006ED63C: _free.LIBCMT ref: 006ED67D
Part of subcall function 006ED63C: _free.LIBCMT ref: 006ED68F
Part of subcall function 006ED63C: _free.LIBCMT ref: 006ED6A1
Part of subcall function 006ED63C: _free.LIBCMT ref: 006ED6B3
Part of subcall function 006ED63C: _free.LIBCMT ref: 006ED6C5
Part of subcall function 006ED63C: _free.LIBCMT ref: 006ED6D7
Part of subcall function 006ED63C: _free.LIBCMT ref: 006ED6E9
Part of subcall function 006ED63C: _free.LIBCMT ref: 006ED6FB
Part of subcall function 006ED63C: _free.LIBCMT ref: 006ED70D
Part of subcall function 006ED63C: _free.LIBCMT ref: 006ED71F
Part of subcall function 006ED63C: _free.LIBCMT ref: 006ED731

_free.LIBCMT ref: 006EDA96

Part of subcall function 006E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006ED7D1,00000000,00000000,00000000,00000000,?,006ED7F8,00000000,00000007,00000000,?,006EDBF5,00000000), ref: 006E29DE
Part of subcall function 006E29C8: GetLastError.KERNEL32(00000000,?,006ED7D1,00000000,00000000,00000000,00000000,?,006ED7F8,00000000,00000007,00000000,?,006EDBF5,00000000,00000000), ref: 006E29F0

_free.LIBCMT ref: 006EDAB8
_free.LIBCMT ref: 006EDACD
_free.LIBCMT ref: 006EDAD8
_free.LIBCMT ref: 006EDAFA
_free.LIBCMT ref: 006EDB0D
_free.LIBCMT ref: 006EDB1B
_free.LIBCMT ref: 006EDB26
_free.LIBCMT ref: 006EDB5E
_free.LIBCMT ref: 006EDB65
_free.LIBCMT ref: 006EDB82
_free.LIBCMT ref: 006EDB9A

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 6f30d1c02270d33bec1f5a7739fcfd5764dc05d3bfcf2ef7278b4a2581787d08
Instruction ID: d2219c7569e208f7eec80ad33a5d36fde5a19fd7a03c8d9dab7165f8cf1e5be8
Opcode Fuzzy Hash: 6f30d1c02270d33bec1f5a7739fcfd5764dc05d3bfcf2ef7278b4a2581787d08
Instruction Fuzzy Hash: 263180715063899FDB61AA3BD846B9A77EBFF00710F11442DE458DB292DF35AD408B24

Function 0071365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0071369C
_wcslen.LIBCMT ref: 007136A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00713797
GetClassNameW.USER32(?,?,00000400), ref: 0071380C
GetDlgCtrlID.USER32(?), ref: 0071385D
GetWindowRect.USER32(?,?), ref: 00713882
GetParent.USER32(?), ref: 007138A0
ScreenToClient.USER32(00000000), ref: 007138A7
GetClassNameW.USER32(?,?,00000100), ref: 00713921
GetWindowTextW.USER32(?,?,00000400), ref: 0071395D

Strings

%s%u, xrefs: 00713734

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: ceb798f55502e8795a5d4022b25ccaeb52d7cb1c01774d878774e44f1c3b3661
Instruction ID: 9d6744347efc6241b86adc23b4b2625c3cc5235bfc32ee2e46b9b9c58f3192fb
Opcode Fuzzy Hash: ceb798f55502e8795a5d4022b25ccaeb52d7cb1c01774d878774e44f1c3b3661
Instruction Fuzzy Hash: 6191D571204606AFD715DF28C885FEAF7A9FF44354F008629F999D21D0DB38EA85CBA1

Function 00714954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00714994
GetWindowTextW.USER32(?,?,00000400), ref: 007149DA
_wcslen.LIBCMT ref: 007149EB
CharUpperBuffW.USER32(?,00000000), ref: 007149F7
_wcsstr.LIBVCRUNTIME ref: 00714A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00714A64
GetWindowTextW.USER32(?,?,00000400), ref: 00714A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00714AE6
GetClassNameW.USER32(?,?,00000400), ref: 00714B20
GetWindowRect.USER32(?,?), ref: 00714B8B

Strings

ThumbnailClass, xrefs: 00714A6F, 00714AF1

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 8b916b9fbea4634a6301d4886533bb1156e073790b0542fb5509d71c473fdb22
Instruction ID: 00c3853e829081632ee30d09f6ed64e28b9758203938d539dfef892eed8bdf30
Opcode Fuzzy Hash: 8b916b9fbea4634a6301d4886533bb1156e073790b0542fb5509d71c473fdb22
Instruction Fuzzy Hash: A991BDB10082059FDB14CF18C985BEA77E9FF84354F04846AFD899A1D6DB38ED85CBA1

Function 0071BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00781990,000000FF,00000000,00000030), ref: 0071BFAC
SetMenuItemInfoW.USER32(00781990,00000004,00000000,00000030), ref: 0071BFE1
Sleep.KERNEL32(000001F4), ref: 0071BFF3
GetMenuItemCount.USER32(?), ref: 0071C039
GetMenuItemID.USER32(?,00000000), ref: 0071C056
GetMenuItemID.USER32(?,-00000001), ref: 0071C082
GetMenuItemID.USER32(?,?), ref: 0071C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0071C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0071C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0071C145

Strings

0, xrefs: 0071BF3D

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 30ad2230d19a2d23dfb9ef1162629dbc8ebb901b61a6817e753ff73c77b4d43c
Instruction ID: 2d65a230216a490000122ee1a003ab950d25a2bdcebddcd5c85ec86b8fc8a9a6
Opcode Fuzzy Hash: 30ad2230d19a2d23dfb9ef1162629dbc8ebb901b61a6817e753ff73c77b4d43c
Instruction Fuzzy Hash: 0E6171B0980249EFDF12CFACCD88AEEBB79EB05344F104155E911A32D1D739AD95DB60

Function 0073CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0073CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0073CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0073CD48

Part of subcall function 0073CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0073CCAA
Part of subcall function 0073CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0073CCBD
Part of subcall function 0073CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0073CCCF
Part of subcall function 0073CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0073CD05
Part of subcall function 0073CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0073CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0073CCF3

Strings

RegDeleteKeyExW, xrefs: 0073CCC9
advapi32.dll, xrefs: 0073CCB8

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: da68f03e76a6687b4f28c144728634a4ce3db1185a46fd45c7e732d4039fde82
Instruction ID: 7989e8a6416af7796235fa4f9831b1af70f4099ed57e4e5bc4b2e6d5e5306e56
Opcode Fuzzy Hash: da68f03e76a6687b4f28c144728634a4ce3db1185a46fd45c7e732d4039fde82
Instruction Fuzzy Hash: 503180B5A02128BBEB228B50DC88EFFBB7CEF06740F004165B905E6151DB389A45DBB0

Function 00723D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00723D40
_wcslen.LIBCMT ref: 00723D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00723D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00723DBE
RemoveDirectoryW.KERNEL32(?), ref: 00723DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00723E55
CloseHandle.KERNEL32(00000000), ref: 00723E60
CloseHandle.KERNEL32(00000000), ref: 00723E6B

Strings

:, xrefs: 00723D82
\, xrefs: 00723D77
\??\%s, xrefs: 00723D5B

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 8228518875a3ceb66981836cf6abd99fbf0d146043d179cfc14f2bca2e371ca3
Instruction ID: ec7457e62f88df81de3ea298ed7198ab4fa65530ac80ed3b07c7b05b50f3d915
Opcode Fuzzy Hash: 8228518875a3ceb66981836cf6abd99fbf0d146043d179cfc14f2bca2e371ca3
Instruction Fuzzy Hash: 5531A776A00119ABDB219FA0DC49FEF37BDEF89740F1041BAF509D6150E77897448B68

Function 0071E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0071E6B4

Part of subcall function 006CE551: timeGetTime.WINMM(?,?,0071E6D4), ref: 006CE555

Sleep.KERNEL32(0000000A), ref: 0071E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0071E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0071E727
SetActiveWindow.USER32 ref: 0071E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0071E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0071E773
Sleep.KERNEL32(000000FA), ref: 0071E77E
IsWindow.USER32 ref: 0071E78A
EndDialog.USER32(00000000), ref: 0071E79B

Strings

BUTTON, xrefs: 0071E719

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 86f04657c12da3857eb22ce220e0b6afe68a0f60802e806f5c879347756fa890
Instruction ID: 1541084a7d7a70ac03c6f747d6fdadc095ba0872e909aea5e65c840630c9bbcc
Opcode Fuzzy Hash: 86f04657c12da3857eb22ce220e0b6afe68a0f60802e806f5c879347756fa890
Instruction Fuzzy Hash: 8E21F6B4341204AFFB015F24EC89E653BA9F756749F64C425FC01815E2EB7D9C418B1C

Function 0071E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 006B9CB3: _wcslen.LIBCMT ref: 006B9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0071EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0071EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0071EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0071EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0071EAA7

Strings

play PlayMe wait, xrefs: 0071EA91
status PlayMe mode, xrefs: 0071EA58
play PlayMe, xrefs: 0071EAA2
close PlayMe, xrefs: 0071EA6E, 0071EA9B
alias PlayMe, xrefs: 0071EA36
open , xrefs: 0071EA0C

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 84fce69420f7d1faa37cdcde91ae9cb11572e87cf18e70313fa39182b9be0351
Instruction ID: 994a503025440023c7fbc7ef6066310a47efc39b4e479efc28ec7f2de39a50c5
Opcode Fuzzy Hash: 84fce69420f7d1faa37cdcde91ae9cb11572e87cf18e70313fa39182b9be0351
Instruction Fuzzy Hash: B811E3B0A4026979DB20A3A5DC4ADFF6F7CEFD1F40F00442DB901A20D5EE741984CAB0

Function 00715CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00715CE2
GetWindowRect.USER32(00000000,?), ref: 00715CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00715D59
GetDlgItem.USER32(?,00000002), ref: 00715D69
GetWindowRect.USER32(00000000,?), ref: 00715D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00715DCF
GetDlgItem.USER32(?,000003E9), ref: 00715DDD
GetWindowRect.USER32(00000000,?), ref: 00715DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00715E31
GetDlgItem.USER32(?,000003EA), ref: 00715E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00715E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00715E67

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 29fa91cf1d96652f9ea42d4dfa9dacdd4de03f3de1d2dc6342bb3fb3cfb25bc1
Instruction ID: 5e27d780ffc7acf3dad2f047d1284ffd0a23701707601d0f3b3658c1d0296f7d
Opcode Fuzzy Hash: 29fa91cf1d96652f9ea42d4dfa9dacdd4de03f3de1d2dc6342bb3fb3cfb25bc1
Instruction Fuzzy Hash: 8F513E74B00605AFDF19CF68DD89AAEBBB5FB88300F148229F915E7290D7749E44CB51

Function 006C8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 006C8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,006C8BE8,?,00000000,?,?,?,?,006C8BBA,00000000,?), ref: 006C8FC5

DestroyWindow.USER32(?), ref: 006C8C81
KillTimer.USER32(00000000,?,?,?,?,006C8BBA,00000000,?), ref: 006C8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00706973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,006C8BBA,00000000,?), ref: 007069A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,006C8BBA,00000000,?), ref: 007069B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,006C8BBA,00000000), ref: 007069D4
DeleteObject.GDI32(00000000), ref: 007069E6

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: f90f41a4335dafb8c755deb0c8c97b836ac4a422f1a688a1c72315cb7dff2cd6
Instruction ID: 6cc0afc55d76e29eead762df713b935eae8d3f6b53c4e7676096b2c7d2ae4f29
Opcode Fuzzy Hash: f90f41a4335dafb8c755deb0c8c97b836ac4a422f1a688a1c72315cb7dff2cd6
Instruction Fuzzy Hash: 4A617931102600DFCB369F14D958B7577F2FB41312F65861DE0429BAA0CB39B992DF98

Function 006C9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 006C9944: GetWindowLongW.USER32(?,000000EB), ref: 006C9952

GetSysColor.USER32(0000000F), ref: 006C9862

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 4a2cbac5824d0b170daf1c5c0af8018c94ebdda0a412ba352d9e6bb99076fc44
Instruction ID: 1ac3911802627c89970e9e0ff3dda547d9a078e6412f544305a5c6a7addce44c
Opcode Fuzzy Hash: 4a2cbac5824d0b170daf1c5c0af8018c94ebdda0a412ba352d9e6bb99076fc44
Instruction Fuzzy Hash: 0941B5355066449FDB215F389C48FB937A6EB07330F148B0AF9A28B2E1D7359D42DB24

Function 006E8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.m, xrefs: 006E903A, 006E8FD0, 006E8FF2

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID: .m
API String ID: 0-2594521899
Opcode ID: a9f1fff96b8085e7ecee56876c9f7a763b1d76df5313b674f1c467d4e4d36fee
Instruction ID: 3fcc06089bea46b7603606af532b1f03c4280c155506fd6141ca272bce5eaba0
Opcode Fuzzy Hash: a9f1fff96b8085e7ecee56876c9f7a763b1d76df5313b674f1c467d4e4d36fee
Instruction Fuzzy Hash: 6EC11274D06389AFCB51DFAAC841BEDBBB2AF09310F54419DE519AB392C7348941CB74

Function 007196E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,006FF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00719717
LoadStringW.USER32(00000000,?,006FF7F8,00000001), ref: 00719720

Part of subcall function 006B9CB3: _wcslen.LIBCMT ref: 006B9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,006FF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00719742
LoadStringW.USER32(00000000,?,006FF7F8,00000001), ref: 00719745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00719866

Strings

^ ERROR, xrefs: 007197FB
Line %d (File "%s"):, xrefs: 0071978F
Error: , xrefs: 0071981D
%s (%d) : ==> %s: %s %s, xrefs: 0071984A
Line %d:, xrefs: 007197A0

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: b78c9ea7cdf65586ae3e48fa699138487a089c53de96e38801d25fe9a56b74bd
Instruction ID: 923a4441e851f8dac0de0202906dbea9d89cffcddc6b10142d3a41d9a535f7d4
Opcode Fuzzy Hash: b78c9ea7cdf65586ae3e48fa699138487a089c53de96e38801d25fe9a56b74bd
Instruction Fuzzy Hash: 394171B2900219AACF44FBE4CD96DEE7779AF15340F604029F20572092EB396F89CB75

Function 007106DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 006B6B57: _wcslen.LIBCMT ref: 006B6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007107A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 007107BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 007107DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00710804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0071082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00710837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0071083C

Strings

\CLSID, xrefs: 00710724
\IPC$, xrefs: 00710784
SOFTWARE\Classes\, xrefs: 0071070E

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 17e8a30636db6a88b842f50e5cefaab6ad669d4d6320f11f8c4b42eda72d1aa1
Instruction ID: 5bea4741d9bbae5a098b812993c205530ff78c620287995081059ad02576e1a3
Opcode Fuzzy Hash: 17e8a30636db6a88b842f50e5cefaab6ad669d4d6320f11f8c4b42eda72d1aa1
Instruction Fuzzy Hash: 07413BB5C10229ABDF15EB94DC95CEDB779BF04350B14412AE901A71A0EB74AE84CBA4

Function 00733C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00733C5C
CoInitialize.OLE32(00000000), ref: 00733C8A
CoUninitialize.OLE32 ref: 00733C94
_wcslen.LIBCMT ref: 00733D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00733DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00733ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00733F0E
CoGetObject.OLE32(?,00000000,0074FB98,?), ref: 00733F2D
SetErrorMode.KERNEL32(00000000), ref: 00733F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00733FC4
VariantClear.OLEAUT32(?), ref: 00733FD8

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 3c8091180d4603c25ce096bb0d59d6f9cecf992282e9b9e6178f8aada39325fe
Instruction ID: 45134cc16d51c20449a0fec94635ad478790fb8f25424bff879e45c5acfdcaa2
Opcode Fuzzy Hash: 3c8091180d4603c25ce096bb0d59d6f9cecf992282e9b9e6178f8aada39325fe
Instruction Fuzzy Hash: F8C168B16083059FE710DF68C88492BBBE9FF89744F00491DF98A9B252D735EE45CB62

Function 00727A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00727AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00727B8F
SHGetDesktopFolder.SHELL32(?), ref: 00727BA3
CoCreateInstance.OLE32(0074FD08,00000000,00000001,00776E6C,?), ref: 00727BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00727C74
CoTaskMemFree.OLE32(?,?), ref: 00727CCC
SHBrowseForFolderW.SHELL32(?), ref: 00727D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00727D7A
CoTaskMemFree.OLE32(00000000), ref: 00727D81
CoTaskMemFree.OLE32(00000000), ref: 00727DD6
CoUninitialize.OLE32 ref: 00727DDC

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 422678cb4e994c9a0c4ec8d665a50bbda320b7cbc2d1b60da22bfa5f1eeb7d3f
Instruction ID: e0f7ec971918895b16cba591529fef41eae5ba0c2820de06e22170e0aeae02e4
Opcode Fuzzy Hash: 422678cb4e994c9a0c4ec8d665a50bbda320b7cbc2d1b60da22bfa5f1eeb7d3f
Instruction Fuzzy Hash: 5CC15B75A00119AFCB14DFA4D984DAEBBF9FF48304B148499E81ADB361D734EE81CB94

Function 0074541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00745504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00745515
CharNextW.USER32(00000158), ref: 00745544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00745585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0074559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007455AC

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: bab783717c36295d3c2d768c0cafae826b00205c0c09fc0a8f8ecd87248c3c8d
Instruction ID: acc04f8fb2fc2ce79ff99a8daf40cd764f61bbaa3be92bd70aeca3e7fa1d50b1
Opcode Fuzzy Hash: bab783717c36295d3c2d768c0cafae826b00205c0c09fc0a8f8ecd87248c3c8d
Instruction Fuzzy Hash: C561C034905608EFDF119F64CC84DFE7BB9EF06720F108145F925AB292D7789A80DB61

Function 0070FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0070FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0070FB08
VariantInit.OLEAUT32(?), ref: 0070FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0070FB3A
VariantCopy.OLEAUT32(?,?), ref: 0070FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0070FBA1
VariantClear.OLEAUT32(?), ref: 0070FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0070FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0070FBCC
VariantClear.OLEAUT32(?), ref: 0070FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0070FBE9

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: d0d9c1e9a92e7bd9d796c77e17764ef60b176eea2af68e6e6673081ba93b2d73
Instruction ID: bc507df3eceb9e78002deba2987398ff71f83ee90591bb4ef14eb68c13fb57f0
Opcode Fuzzy Hash: d0d9c1e9a92e7bd9d796c77e17764ef60b176eea2af68e6e6673081ba93b2d73
Instruction Fuzzy Hash: 6F417F75A00219DFCB11DFA8C8589AEBFB9FF48354F00C169E905A7261CB38A945CFA4

Function 00719C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00719CA1
GetAsyncKeyState.USER32(000000A0), ref: 00719D22
GetKeyState.USER32(000000A0), ref: 00719D3D
GetAsyncKeyState.USER32(000000A1), ref: 00719D57
GetKeyState.USER32(000000A1), ref: 00719D6C
GetAsyncKeyState.USER32(00000011), ref: 00719D84
GetKeyState.USER32(00000011), ref: 00719D96
GetAsyncKeyState.USER32(00000012), ref: 00719DAE
GetKeyState.USER32(00000012), ref: 00719DC0
GetAsyncKeyState.USER32(0000005B), ref: 00719DD8
GetKeyState.USER32(0000005B), ref: 00719DEA

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: eab592e8812992a6148be510514ea718ed365bcfff639a1133ba7fa2b031bb6c
Instruction ID: f63a3e8c13f8ce09b1a657489fecd113e5834ce8dc39b2137cd38a3347c59629
Opcode Fuzzy Hash: eab592e8812992a6148be510514ea718ed365bcfff639a1133ba7fa2b031bb6c
Instruction Fuzzy Hash: EE41D8346047C969FF718A78D4243F5FEF06B12344F08805ADBC6565C2E7AC99C9C7A2

Function 0073055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 007305BC
inet_addr.WSOCK32(?), ref: 0073061C
gethostbyname.WSOCK32(?), ref: 00730628
IcmpCreateFile.IPHLPAPI ref: 00730636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007306C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 007306E5
IcmpCloseHandle.IPHLPAPI(?), ref: 007307B9
WSACleanup.WSOCK32 ref: 007307BF

Strings

Ping, xrefs: 00730676

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: f0a5f0fb1758b8efb16a1f4ac6e5b3ff35294e7c3f8899a1e1b01def46a6e683
Instruction ID: 8f12bd5b8a32a83652e6ff1da7eb160c425cc8c7386c05d81796935e0ef65800
Opcode Fuzzy Hash: f0a5f0fb1758b8efb16a1f4ac6e5b3ff35294e7c3f8899a1e1b01def46a6e683
Instruction Fuzzy Hash: 1A919D756042019FE720DF15C499F1ABBE5AF84318F1485A9F46A8B6A2C738ED81CFD1

Function 00738CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00738CF3

Part of subcall function 00718E54: _wcslen.LIBCMT ref: 00718E77

_wcslen.LIBCMT ref: 00738D4E
_wcslen.LIBCMT ref: 00738D9C
_wcslen.LIBCMT ref: 00738DDC
_wcslen.LIBCMT ref: 00738E6E

Strings

stdcall, xrefs: 00738DD6, 00738DDB
winapi, xrefs: 00738D96, 00738D9B
cdecl, xrefs: 00738D48, 00738D4D
none, xrefs: 00738E65, 00738E6A

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: d46b22bd2ff98cb1529f996e12a2501e850eeb503437473a60a74ecc695a1f86
Instruction ID: 72d88686c1ced6486c0be3d95662e21e09a7eba15b2e2d8ff5696f3500e07097
Opcode Fuzzy Hash: d46b22bd2ff98cb1529f996e12a2501e850eeb503437473a60a74ecc695a1f86
Instruction Fuzzy Hash: 06519072A002169BDF54DF68C9509BEB7A6BF68720B204229F426E7286DB38DD40C7D1

Function 0073372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00733774
CoUninitialize.OLE32 ref: 0073377F
CoCreateInstance.OLE32(?,00000000,00000017,0074FB78,?), ref: 007337D9
IIDFromString.OLE32(?,?), ref: 0073384C
VariantInit.OLEAUT32(?), ref: 007338E4
VariantClear.OLEAUT32(?), ref: 00733936

Strings

Invalid parameter, xrefs: 00733865
NULL Pointer assignment, xrefs: 0073381E
Failed to create object, xrefs: 007337E4, 0073389A

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 9f36dcaa582590a0c6aa79b65090fb7d35ee263535b30128d260be3608c3016a
Instruction ID: 257ada47150d6d74a904694f3e79c8e383a44cdb049f025daf25bc65f02dbe62
Opcode Fuzzy Hash: 9f36dcaa582590a0c6aa79b65090fb7d35ee263535b30128d260be3608c3016a
Instruction Fuzzy Hash: 1961B2B1608301AFE321DF54C889F9AB7E8EF45715F00491DF5859B292C778EE84CBA6

Function 00723388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 007233CF

Part of subcall function 006B9CB3: _wcslen.LIBCMT ref: 006B9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 007233F0

Strings

Line %d (File "%s"):, xrefs: 00723443, 0072345C
Error: , xrefs: 007234D1
Incorrect parameters to object property !, xrefs: 007234AB
^ ERROR , xrefs: 0072349E
"%s" (%d) : ==> %s:%s%s, xrefs: 00723504
"%s" (%d) : ==> %s:, xrefs: 00723522

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: e95ae93ed3c9accbb9b96efc98d80d94282711a25184a2725b8e0bf8299b06d1
Instruction ID: e6837ef4b496fec01ab68eb7bfb8f18b44b04dc215e6d9d489eea0742f783868
Opcode Fuzzy Hash: e95ae93ed3c9accbb9b96efc98d80d94282711a25184a2725b8e0bf8299b06d1
Instruction Fuzzy Hash: FE51D4B1900219ABDF15EBE0DD46EEEB7B9EF04340F208069F10972091DB396F98DB64

Function 0071B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0071B5FC
_wcslen.LIBCMT ref: 0071B608
_wcslen.LIBCMT ref: 0071B64D
_wcslen.LIBCMT ref: 0071B68C
_wcslen.LIBCMT ref: 0071B6C7

Strings

EXISTS, xrefs: 0071B686, 0071B68B
KEYS, xrefs: 0071B647, 0071B64C
REMOVE, xrefs: 0071B602, 0071B607
APPEND, xrefs: 0071B6C1, 0071B6C6

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 66d03aed9c97e65250e896404fd060d165e5e18985ee1ce00302a9d8a51a4cb1
Instruction ID: d294dca768e16374fb9382c1aff41213b4b5296bf061b9737bd997da5e609d52
Opcode Fuzzy Hash: 66d03aed9c97e65250e896404fd060d165e5e18985ee1ce00302a9d8a51a4cb1
Instruction Fuzzy Hash: 2C41D532A001269BCB206F7DC9A05FEB7A5AFB0794B24412AE465DB2C4E739CDC1C790

Function 00725393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007253A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00725416
GetLastError.KERNEL32 ref: 00725420
SetErrorMode.KERNEL32(00000000,READY), ref: 007254A7

Strings

INVALID, xrefs: 00725459
READY, xrefs: 00725460, 00725468
UNKNOWN, xrefs: 00725444
READONLY, xrefs: 00725452
NOTREADY, xrefs: 0072544B

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 6fbcced46764f86402087712eb0eb3e9e3f9bdc1708b6abfe367f74e6195c85c
Instruction ID: 4989cf53a29fb510a7ad3a72114f77538cabc910115e733c4930d88edffbcce5
Opcode Fuzzy Hash: 6fbcced46764f86402087712eb0eb3e9e3f9bdc1708b6abfe367f74e6195c85c
Instruction Fuzzy Hash: E931F275A006549FDB10EF68D484EEABBB4FF05305F14806AE905CB292DB79DD86CBA0

Function 00743C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00743C79
SetMenu.USER32(?,00000000), ref: 00743C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00743D10
IsMenu.USER32(?), ref: 00743D24
CreatePopupMenu.USER32 ref: 00743D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00743D5B
DrawMenuBar.USER32 ref: 00743D63

Strings

F, xrefs: 00743D4E
0, xrefs: 00743C54

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 242f47f4e2eda7a1a735ca1c7f244c4d0f6057b973352975fdee75aae33fffd1
Instruction ID: 5df3707d540fbea053ea993bfde0cd178f2ba867148a7cfd3a2fc158fa307db6
Opcode Fuzzy Hash: 242f47f4e2eda7a1a735ca1c7f244c4d0f6057b973352975fdee75aae33fffd1
Instruction Fuzzy Hash: BC415B79A01209AFDB14CF64D884AAEBBB5FF49351F144029F95A97360D738AA10CF94

Function 00711EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006B9CB3: _wcslen.LIBCMT ref: 006B9CBD

Part of subcall function 00713CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00713CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00711F64
GetDlgCtrlID.USER32 ref: 00711F6F
GetParent.USER32 ref: 00711F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00711F8E
GetDlgCtrlID.USER32(?), ref: 00711F97
GetParent.USER32(?), ref: 00711FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00711FAE

Strings

ListBox, xrefs: 00711F21
ComboBox, xrefs: 00711EEC

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 0fafba560b568f33ff3161245ee07857077e7b566366a66cc8a461fc04a320e9
Instruction ID: 5aba253d8b691dd15fd190170b0000ad7a973908d89a7896cfc08c67fc5e572c
Opcode Fuzzy Hash: 0fafba560b568f33ff3161245ee07857077e7b566366a66cc8a461fc04a320e9
Instruction Fuzzy Hash: 4821D3B4901114BBCF05AFA4CC84DEEBBB9AF06340F108546BA65672E1DB7849498B74

Function 00743A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00743A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00743AA0
GetWindowLongW.USER32(?,000000F0), ref: 00743AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00743AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00743B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00743BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00743BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00743BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00743BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00743C13

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 5e61ed061bb50e34ac99766c8c673d60ef4029bc058e21ca6d7b5c52aecec862
Instruction ID: 5e029cab18a3dcd13c0f260a8f1c96525fba64106c6ef5be94ba0c671ce5f979
Opcode Fuzzy Hash: 5e61ed061bb50e34ac99766c8c673d60ef4029bc058e21ca6d7b5c52aecec862
Instruction Fuzzy Hash: 26617BB5900248AFDB11DFA8CC81EEE77B8EB09710F104199FA15E72A1C778AE45DF64

Function 0071B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0071B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0071A1E1,?,00000001), ref: 0071B165
GetWindowThreadProcessId.USER32(00000000), ref: 0071B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0071A1E1,?,00000001), ref: 0071B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0071B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0071A1E1,?,00000001), ref: 0071B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0071A1E1,?,00000001), ref: 0071B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0071A1E1,?,00000001), ref: 0071B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0071A1E1,?,00000001), ref: 0071B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0071A1E1,?,00000001), ref: 0071B21D

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 8e18ce43de426875b210c0056130ede996ed299960f373e47d0694e1f146db23
Instruction ID: 132d55a4a1c57935d3023f31133f2f12380e3a1dc52669a7d2625cb5a62233a6
Opcode Fuzzy Hash: 8e18ce43de426875b210c0056130ede996ed299960f373e47d0694e1f146db23
Instruction Fuzzy Hash: 5431C175541204BFDB119F6CDC59FAD7BAABB51711F21C005FA00DA1D0D7BC9A848F68

Function 006E2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006E2C94

Part of subcall function 006E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006ED7D1,00000000,00000000,00000000,00000000,?,006ED7F8,00000000,00000007,00000000,?,006EDBF5,00000000), ref: 006E29DE
Part of subcall function 006E29C8: GetLastError.KERNEL32(00000000,?,006ED7D1,00000000,00000000,00000000,00000000,?,006ED7F8,00000000,00000007,00000000,?,006EDBF5,00000000,00000000), ref: 006E29F0

_free.LIBCMT ref: 006E2CA0
_free.LIBCMT ref: 006E2CAB
_free.LIBCMT ref: 006E2CB6
_free.LIBCMT ref: 006E2CC1
_free.LIBCMT ref: 006E2CCC
_free.LIBCMT ref: 006E2CD7
_free.LIBCMT ref: 006E2CE2
_free.LIBCMT ref: 006E2CED
_free.LIBCMT ref: 006E2CFB

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 62c54478eda431029f961ab5623a372eb874c2a6aa55f3b3a67ad08ad762ae34
Instruction ID: d831c0e0e6ef2d5ec9aebfd09143ba3f42bfc5fa3175d283f4e1b532aaeabe33
Opcode Fuzzy Hash: 62c54478eda431029f961ab5623a372eb874c2a6aa55f3b3a67ad08ad762ae34
Instruction Fuzzy Hash: E711073610124DAFCB42EF56D852CDC3BABFF05740F4254A8F9485F222D635EE509B94

Function 00727DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00727FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00727FC1
GetFileAttributesW.KERNEL32(?), ref: 00727FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00728005
SetCurrentDirectoryW.KERNEL32(?), ref: 00728017
SetCurrentDirectoryW.KERNEL32(?), ref: 00728060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 007280B0

Strings

*.*, xrefs: 00728066

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: e40eb298e4804f73669955a7664c39ed12eaf90326b9440ac1bab830446443d0
Instruction ID: 994b4e7182dfbffb3031aa8b0ff02178fde1c7ea454b2174f0de6a65eccd5cb2
Opcode Fuzzy Hash: e40eb298e4804f73669955a7664c39ed12eaf90326b9440ac1bab830446443d0
Instruction Fuzzy Hash: C781F3729082509BCB68EF14D5449BEB3E9BF88310F154C5EF885C7250EB39DD44CB62

Function 006B5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 006B5C7A

Part of subcall function 006B5D0A: GetClientRect.USER32(?,?), ref: 006B5D30
Part of subcall function 006B5D0A: GetWindowRect.USER32(?,?), ref: 006B5D71
Part of subcall function 006B5D0A: ScreenToClient.USER32(?,?), ref: 006B5D99

GetDC.USER32 ref: 006F46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 006F4708
SelectObject.GDI32(00000000,00000000), ref: 006F4716
SelectObject.GDI32(00000000,00000000), ref: 006F472B
ReleaseDC.USER32(?,00000000), ref: 006F4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 006F47C4

Strings

U, xrefs: 006F4693

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 3738e17a9aa78d743dd0c855bd808b393d04f962f6e6fa4977342992c2efb069
Instruction ID: 7db6c372a4cc01e164c53cde0de5c2e7b86bb8ddc3e3a9e0a02496d12a148054
Opcode Fuzzy Hash: 3738e17a9aa78d743dd0c855bd808b393d04f962f6e6fa4977342992c2efb069
Instruction Fuzzy Hash: F971E234400209DFCF219F64C984AFB7BB7FF4A360F144269EE565A666CB359882DF50

Function 0072359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007235E4

Part of subcall function 006B9CB3: _wcslen.LIBCMT ref: 006B9CBD

LoadStringW.USER32(00782390,?,00000FFF,?), ref: 0072360A

Strings

^ ERROR, xrefs: 007236C9
Line %d (File "%s"):, xrefs: 0072366B
Error: , xrefs: 007236EF
"%s" (%d) : ==> %s:%s%s, xrefs: 00723724
"%s" (%d) : ==> %s:, xrefs: 00723742

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 0a163983cb00a756f10d779f9c17ba1c83027cbe3b791fc213c59734de5260c8
Instruction ID: ded86ba23346224bbef0508415b91fa07cb450c6715cb7c8486c5da74e86ffef
Opcode Fuzzy Hash: 0a163983cb00a756f10d779f9c17ba1c83027cbe3b791fc213c59734de5260c8
Instruction Fuzzy Hash: 7151A0B1900219BBCF15EBA0DC82EEEBB79AF04300F544129F205721A1DB395BD9DFA4

Function 0072C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0072C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0072C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0072C2CA
GetLastError.KERNEL32 ref: 0072C322
SetEvent.KERNEL32(?), ref: 0072C336
InternetCloseHandle.WININET(00000000), ref: 0072C341

Strings

, xrefs: 0072C2BB

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 105e50f3ff8e697f38793be7edd4133da6dcf6a2c408512547ab1a591e00e591
Instruction ID: ce2bc080ba518d6ee8652a6918eb03e964db9cac5c2e4dc3f3100ceca7aa2057
Opcode Fuzzy Hash: 105e50f3ff8e697f38793be7edd4133da6dcf6a2c408512547ab1a591e00e591
Instruction Fuzzy Hash: EF31ADB1500614AFD723DF64AC88AAF7AFCEB6A740F10891EF44693201DB78DD048B61

Function 0071989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,006F3AAF,?,?,Bad directive syntax error,0074CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 007198BC
LoadStringW.USER32(00000000,?,006F3AAF,?), ref: 007198C3

Part of subcall function 006B9CB3: _wcslen.LIBCMT ref: 006B9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00719987

Strings

Line %d (File "%s"):, xrefs: 0071992D
%s (%d) : ==> %s.: %s %s, xrefs: 007198F1
Error: , xrefs: 00719955
Line %d:, xrefs: 00719912
., xrefs: 0071996D

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 0d76561c1e3d5020f75377411b227523f416f7e2d1e2555429ac3e5d67f6bceb
Instruction ID: 54e3a64aae63e84b166dd599f2c5be8364389b669580f8b596940b3785da2f2e
Opcode Fuzzy Hash: 0d76561c1e3d5020f75377411b227523f416f7e2d1e2555429ac3e5d67f6bceb
Instruction Fuzzy Hash: E621947190021DFBCF55AF90CC1AEEE7776FF14340F048459F619650A2EB35A698CB24

Function 0071209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 007120AB
GetClassNameW.USER32(00000000,?,00000100), ref: 007120C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0071214D

Strings

list, xrefs: 0071212F
smallicons, xrefs: 00712115
SHELLDLL_DefView, xrefs: 007120CC
largeicons, xrefs: 007120E1
details, xrefs: 007120FB

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 0d7952c2f809dd21c59385beb2f5cd8b109e0c2c7db0ed20d076b3c50a9372a1
Instruction ID: 7a9254753dbed41501303ff3d0ce6df32751dfd49aafcb9b6346deaf4f03032d
Opcode Fuzzy Hash: 0d7952c2f809dd21c59385beb2f5cd8b109e0c2c7db0ed20d076b3c50a9372a1
Instruction Fuzzy Hash: AD110DBA68470AB6FB156328DC06DFA379CCB05364B20411BFB04A51E2FFAD5C936518

Function 006ECE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 006ECEB7
_free.LIBCMT ref: 006ECF22
_free.LIBCMT ref: 006ECF48
_free.LIBCMT ref: 006ECF71
_free.LIBCMT ref: 006ECFA9
_free.LIBCMT ref: 006ECFDA
_free.LIBCMT ref: 006ED01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 006ED09C
_free.LIBCMT ref: 006ED0B5

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: ca93df6e0af6ed1b564dbddfd1fbd9fa2d3c10bef35cac371ac4f6046fc42f2b
Instruction ID: 086ab4a2f821140772cdd8fd77e904749748a747fe97350b4dc157d384f9d77e
Opcode Fuzzy Hash: ca93df6e0af6ed1b564dbddfd1fbd9fa2d3c10bef35cac371ac4f6046fc42f2b
Instruction Fuzzy Hash: D6618B72A063C1AFDB21AFB79C51AA97B9BEF01330F14416DF8009B382D6359D0687A4

Function 007450D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00745186
ShowWindow.USER32(?,00000000), ref: 007451C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 007451CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 007451D1

Part of subcall function 00746FBA: DeleteObject.GDI32(00000000), ref: 00746FE6

GetWindowLongW.USER32(?,000000F0), ref: 0074520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0074521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0074524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00745287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00745296

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 00e42bb136be8d441d95e66c23f6f4e7ba87692bfa9b82ffafaadc227037d665
Instruction ID: d5859c99a7e746a96d544947b1ffe84a2c2bd52013a99139661fa90f884f5b3d
Opcode Fuzzy Hash: 00e42bb136be8d441d95e66c23f6f4e7ba87692bfa9b82ffafaadc227037d665
Instruction Fuzzy Hash: B6519F70A41A0CFFEF209F28CC49B993B65FB05321F148117F615962E2C7BDA980DB51

Function 006C8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00706890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 007068A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 007068B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 007068D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 007068F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,006C8874,00000000,00000000,00000000,000000FF,00000000), ref: 00706901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0070691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,006C8874,00000000,00000000,00000000,000000FF,00000000), ref: 0070692D

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: a4a408ed4f9025a7e1d533f84fbed6eda9b9981cf5c5d1d799d7e945103ad91c
Instruction ID: 5ef0c92aed200a493f0e52419bd1b4cd5f38b690385a2aed6f371513e71c8164
Opcode Fuzzy Hash: a4a408ed4f9025a7e1d533f84fbed6eda9b9981cf5c5d1d799d7e945103ad91c
Instruction Fuzzy Hash: 44516670600209EFDB208F24CC55FAA7BB6EB58750F10861DF906972E0DB78EDA1DB54

Function 0072C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0072C182
GetLastError.KERNEL32 ref: 0072C195
SetEvent.KERNEL32(?), ref: 0072C1A9

Part of subcall function 0072C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0072C272
Part of subcall function 0072C253: GetLastError.KERNEL32 ref: 0072C322
Part of subcall function 0072C253: SetEvent.KERNEL32(?), ref: 0072C336
Part of subcall function 0072C253: InternetCloseHandle.WININET(00000000), ref: 0072C341

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: cbd2d79a2fc1dac4b8cf3a198a7e6cc4fa882baa41a224bb63c3afe23f3e3497
Instruction ID: 5dec64629418de808f86c6ca9a4abff0b673a3ee06521f4b38d11e8f227d9c65
Opcode Fuzzy Hash: cbd2d79a2fc1dac4b8cf3a198a7e6cc4fa882baa41a224bb63c3afe23f3e3497
Instruction Fuzzy Hash: E131AE75201615EFDB239FA5EC04A6ABBF8FF29300B04841EF95687610DB39E810DBA0

Function 007125A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00713A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00713A57
Part of subcall function 00713A3D: GetCurrentThreadId.KERNEL32 ref: 00713A5E
Part of subcall function 00713A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007125B3), ref: 00713A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 007125BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007125DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 007125DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 007125E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00712601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00712605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0071260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00712623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00712627

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: f8a1a5a81d53f781d658e46ea7d3dc07d292791b5c1a3013cb82dc8f4d0c266c
Instruction ID: aaed79de9e49aa02e8ebb21d737f1863ed21b7b19c83600cc71057a7c50be077
Opcode Fuzzy Hash: f8a1a5a81d53f781d658e46ea7d3dc07d292791b5c1a3013cb82dc8f4d0c266c
Instruction Fuzzy Hash: 2301D870391214BBFB1067689C8EF993F59DF4FB11F104042F318AE0D1CAE518458AAE

Function 00711803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00711449,?,?,00000000), ref: 0071180C
HeapAlloc.KERNEL32(00000000,?,00711449,?,?,00000000), ref: 00711813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00711449,?,?,00000000), ref: 00711828
GetCurrentProcess.KERNEL32(?,00000000,?,00711449,?,?,00000000), ref: 00711830
DuplicateHandle.KERNEL32(00000000,?,00711449,?,?,00000000), ref: 00711833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00711449,?,?,00000000), ref: 00711843
GetCurrentProcess.KERNEL32(00711449,00000000,?,00711449,?,?,00000000), ref: 0071184B
DuplicateHandle.KERNEL32(00000000,?,00711449,?,?,00000000), ref: 0071184E
CreateThread.KERNEL32(00000000,00000000,00711874,00000000,00000000,00000000), ref: 00711868

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 7d7314d8804911dff4a82177bc18055bfe0c1e59cc34b0aa96480ada357d5b26
Instruction ID: 25f60eeaecd85b84fcaa7b63c80a9cfc9d9c9d8453c56c07c6694ec65f4b3644
Opcode Fuzzy Hash: 7d7314d8804911dff4a82177bc18055bfe0c1e59cc34b0aa96480ada357d5b26
Instruction Fuzzy Hash: 5301BFB5241308BFE751AFA5DC4EF573B6CEB8AB11F418411FA05DB191C6749C00CB24

Function 006E3E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 006E3F0B
__alldvrm.LIBCMT ref: 006E410C
__alldvrm.LIBCMT ref: 006E412E

Strings

}}m, xrefs: 006E40CD
}}m, xrefs: 006E3E96, 006E3EF1, 006E3F0A, 006E4090
}}m, xrefs: 006E3E8A

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}m$}}m$}}m
API String ID: 1036877536-215773011
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: a60e3f90a38d13453b951dffb79caebc57116f7f9666c2d383fe17091bfefa60
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 6DA14671D023D69FDB21CF2AC8917FABBE6EF66350F1441ADE5859B381CA348982C750

Function 0073A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0071D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0071D501
Part of subcall function 0071D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0071D50F
Part of subcall function 0071D4DC: CloseHandle.KERNELBASE(00000000), ref: 0071D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0073A16D
GetLastError.KERNEL32 ref: 0073A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0073A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0073A268
GetLastError.KERNEL32(00000000), ref: 0073A273
CloseHandle.KERNEL32(00000000), ref: 0073A2C4

Strings

SeDebugPrivilege, xrefs: 0073A18F

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 5f58d82fc6122f5915338b3fda231a889eceeda3f4d3da2e1f2143df81d8c841
Instruction ID: 6c34c2ce58ba872d6306db29574f9d55e335b95e08ebb6edf1f50d3d93f377ce
Opcode Fuzzy Hash: 5f58d82fc6122f5915338b3fda231a889eceeda3f4d3da2e1f2143df81d8c841
Instruction Fuzzy Hash: 3861B171204241AFE710DF18C495F66BBE1AF84318F14848CE4A64B7A3C77AED85CB96

Function 00743886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00743925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0074393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00743954
_wcslen.LIBCMT ref: 00743999
SendMessageW.USER32(?,00001057,00000000,?), ref: 007439C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 007439F4

Strings

SysListView32, xrefs: 007438F7

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: a364db9f1b224de7b06c3660595f73dae34345ee81ff072c4a7111bbfd22b17e
Instruction ID: 34615bd157b1756825997ca5e69ffcb300990de2bcf97786c04077828e9b2e60
Opcode Fuzzy Hash: a364db9f1b224de7b06c3660595f73dae34345ee81ff072c4a7111bbfd22b17e
Instruction Fuzzy Hash: 8541B571A00318ABEF219F64CC49FEA7BA9EF08354F10456AF958E7281D7799D80CB94

Function 0071BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0071BCFD
IsMenu.USER32(00000000), ref: 0071BD1D
CreatePopupMenu.USER32 ref: 0071BD53
GetMenuItemCount.USER32(019055E0), ref: 0071BDA4
InsertMenuItemW.USER32(019055E0,?,00000001,00000030), ref: 0071BDCC

Strings

0, xrefs: 0071BCA8
2, xrefs: 0071BD37

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: ba1685334ab682698b2378f960772477646fb84656c5f0ae37141f99b2e4c874
Instruction ID: 8715ab986d2d5e78b3bcd53fe494ea1b46e59ed14bacd30aa9775dabda105206
Opcode Fuzzy Hash: ba1685334ab682698b2378f960772477646fb84656c5f0ae37141f99b2e4c874
Instruction Fuzzy Hash: 65519070700205DBDB19CFACE889BEDBBF4AF49314F248159E491E72D0D778A981CB61

Function 006D2D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 006D2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 006D2D53
_ValidateLocalCookies.LIBCMT ref: 006D2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 006D2E0C
_ValidateLocalCookies.LIBCMT ref: 006D2E61

Strings

csm, xrefs: 006D2DF6
&Hm, xrefs: 006D2DFE, 006D2E07, 006D2E18

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &Hm$csm
API String ID: 1170836740-972173557
Opcode ID: 01337779ccfebb4ac62c1f756822e166491050308c18d0b449d564657c16b73d
Instruction ID: aabbd29d94f4ad1587e489600f5bf2fbc6e790ee92dbf189739e721fd370bc1f
Opcode Fuzzy Hash: 01337779ccfebb4ac62c1f756822e166491050308c18d0b449d564657c16b73d
Instruction Fuzzy Hash: 21419534E0021A9BCF10DF68C855ADEBBB7BF55314F14815AE814AB392D7359A05CBD1

Function 0071C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0071C913

Strings

question, xrefs: 0071C8CC
info, xrefs: 0071C8B4
warning, xrefs: 0071C8FC
stop, xrefs: 0071C8E4
blank, xrefs: 0071C895

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 2c6504ca634087fb63a1aa8f705c24b6352278096964e1fd860820845dcb7e39
Instruction ID: 16121e5c00f46ed1f26826a26935287cec77e64590d89ffea5d9717b0189f65f
Opcode Fuzzy Hash: 2c6504ca634087fb63a1aa8f705c24b6352278096964e1fd860820845dcb7e39
Instruction Fuzzy Hash: A5112E716C9706BFA706579C9CC3CEE279CDF153A4B10402FF504AA2C1DB7C6D805268

Function 0071DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0071DE42
gethostname.WSOCK32(?,00000100), ref: 0071DE5C
gethostbyname.WSOCK32(?), ref: 0071DE69
inet_ntoa.WSOCK32(?), ref: 0071DEAB
_strcat.LIBCMT ref: 0071DEB9
WSACleanup.WSOCK32 ref: 0071DEDE

Strings

0.0.0.0, xrefs: 0071DE87

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 3b313c7b1068a26021ad0dd3a6ca2a48f4e3a41c4fae49f9d948a20e9919e3cf
Instruction ID: 75e82e1cc4e0c3bec499d5189b650ca41afea24db0ed8f55a11d51ad1e616b29
Opcode Fuzzy Hash: 3b313c7b1068a26021ad0dd3a6ca2a48f4e3a41c4fae49f9d948a20e9919e3cf
Instruction Fuzzy Hash: 63113371904108ABCB71AB389C0AEEE37ADDF11312F00016AF405AA1D1EF78CEC48E64

Function 0071ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0071ED2A
_wcslen.LIBCMT ref: 0071ED3B
_wcslen.LIBCMT ref: 0071ED79
_wcslen.LIBCMT ref: 0071EDAF
_wcslen.LIBCMT ref: 0071EDDF
_wcslen.LIBCMT ref: 0071EDEF
_wcslen.LIBCMT ref: 0071EE2B
_wcslen.LIBCMT ref: 0071EE5A

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 4b843081a879f384bd1118254d93f856e3642425cbead6d451930eb3eb90ce8e
Instruction ID: 15174b7ce81b080e6a75b44caba578adb207e34c4a27555d95502b52784f00fd
Opcode Fuzzy Hash: 4b843081a879f384bd1118254d93f856e3642425cbead6d451930eb3eb90ce8e
Instruction Fuzzy Hash: 4141B265C1011866CB51EBB4CC8A9CFB3A9AF45300F00846BFA14E3262FB34E745C3E9

Function 006CF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0070682C,00000004,00000000,00000000), ref: 006CF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0070682C,00000004,00000000,00000000), ref: 0070F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0070682C,00000004,00000000,00000000), ref: 0070F454

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 9b392c8af5e00c3e1f2028f051c52658bd7255d43e33da4391552732417e3d22
Instruction ID: 8df2839a51703fde9ca5551b9e0162085dc632840296337e9ee0464b0d9fcf54
Opcode Fuzzy Hash: 9b392c8af5e00c3e1f2028f051c52658bd7255d43e33da4391552732417e3d22
Instruction Fuzzy Hash: 55410B31604680FACF799B29C888F7ABBD7EB57314F14853EF44796AA0C739A881C751

Function 00742D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00742D1B
GetDC.USER32(00000000), ref: 00742D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00742D2E
ReleaseDC.USER32(00000000,00000000), ref: 00742D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00742D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00742D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00745A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00742DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00742DE1

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: ea69923605eb8e7e0a43fb22d5e75ba468690fb2b4f7220a0f2fc55d0b2cdd61
Instruction ID: 1d5fff87927699ba3ba26d008b70311c3ad08642ed6f6ebe662fd0ece5c989ed
Opcode Fuzzy Hash: ea69923605eb8e7e0a43fb22d5e75ba468690fb2b4f7220a0f2fc55d0b2cdd61
Instruction Fuzzy Hash: 40317176202614BFEB154F50CC49FEB3FA9EF0A715F048056FE089A1A1C7799C51CBA5

Function 00715622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00715637
_memcmp.LIBVCRUNTIME ref: 00715659
_memcmp.LIBVCRUNTIME ref: 00715671
_memcmp.LIBVCRUNTIME ref: 00715684
_memcmp.LIBVCRUNTIME ref: 0071569E
_memcmp.LIBVCRUNTIME ref: 007156B1
_memcmp.LIBVCRUNTIME ref: 007156C9
_memcmp.LIBVCRUNTIME ref: 007156E4

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e99b8f75366bff7ede4608c42025d7e75bb23dd0c9fcd12d7e794c16405fcbe4
Instruction ID: 643f31d8a3433a9523e4a1b5d2a2245364aabb31f3bf018ae94d3bced4f68700
Opcode Fuzzy Hash: e99b8f75366bff7ede4608c42025d7e75bb23dd0c9fcd12d7e794c16405fcbe4
Instruction Fuzzy Hash: 982198B1A40905FBD31C55295D92FFA235DAFA2784B440025FD045A6C2FB68ED5082E9

Function 00734FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0073502E, 00735383
Not an Object type, xrefs: 00735007

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 4b30b0e5af98dbf950afbb059ac948e6a73b84b72376e90a433b079e9d71f8f1
Instruction ID: 0c0cddcfc2d6e0e1ff37dbc25bc47ee85bb3656234550114dcb805ef2a7a88f6
Opcode Fuzzy Hash: 4b30b0e5af98dbf950afbb059ac948e6a73b84b72376e90a433b079e9d71f8f1
Instruction Fuzzy Hash: EED1D6B1A0060A9FEF14CFA8C881FAEB7B5FF48344F148069E915AB282D775DD41CB90

Function 006F1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 006F15CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 006F1651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 006F16E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 006F16FB

Part of subcall function 006E3820: RtlAllocateHeap.NTDLL(00000000,?,00781444,?,006CFDF5,?,?,006BA976,00000010,00781440,006B13FC,?,006B13C6,?,006B1129), ref: 006E3852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 006F1777
__freea.LIBCMT ref: 006F17A2
__freea.LIBCMT ref: 006F17AE

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 27da0a6b8c2198de5da3a261f1a985914481cff629ee698bacc47783be003309
Instruction ID: 445dd104d4fe2a240b7624fcefe25b43d8500be2db6363672527d9d8d04fed03
Opcode Fuzzy Hash: 27da0a6b8c2198de5da3a261f1a985914481cff629ee698bacc47783be003309
Instruction Fuzzy Hash: C891C4B1E0021EDADF209E74C891AFE7BB6AF4A390F184659EA05EF251D735DC41CB60

Function 00734523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00734648
VariantInit.OLEAUT32(?), ref: 00734749
VariantClear.OLEAUT32(?), ref: 00734753
VariantClear.OLEAUT32(?), ref: 007347B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 007345D8, 00734706, 007347BE
Incorrect Object type in FOR..IN loop, xrefs: 0073472C

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 29f3acee8f17cfc13b5cea1ad6030125a7ada8c69ba9b6d2b8e94a009827b81a
Instruction ID: b145a95e06cc893cd670fc2d37afef69988778e6a78f353aa5a71b316b9c300f
Opcode Fuzzy Hash: 29f3acee8f17cfc13b5cea1ad6030125a7ada8c69ba9b6d2b8e94a009827b81a
Instruction Fuzzy Hash: E3919471A00219EBEF28CFA4CC45FAE7BB8EF46714F108559F505AB281D778A941CFA0

Function 00721187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0072125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00721284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 007212A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007212D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0072135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007213C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00721430

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 171ed7bad87be08b9e686df88e3c1f46eccfe2279b4f6f13a0030644a97d277e
Instruction ID: b7bbf7d0c5eadb48d70f8e36541a92f2bf319f9ad1ae5e85c14b4e1f4c339826
Opcode Fuzzy Hash: 171ed7bad87be08b9e686df88e3c1f46eccfe2279b4f6f13a0030644a97d277e
Instruction Fuzzy Hash: 2F91F475A00229DFDB00DFA8E884BBE77B6FF55324F514029E900E7291D77CA941CBA4

Function 006C948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 65ac1adaecb2801d0f27924e83aac239306ec3b57b2cffbe8395ac0f4c62ebe2
Instruction ID: 93f5ed3c5222834db9b89418675ae30d20dfa39689adb71d91d36e7a3e92996f
Opcode Fuzzy Hash: 65ac1adaecb2801d0f27924e83aac239306ec3b57b2cffbe8395ac0f4c62ebe2
Instruction Fuzzy Hash: 69913671D00219EFCB15CFA9CC88AEEBBB9FF49320F148159E515B7291D378A942CB60

Function 00733947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0073396B
CharUpperBuffW.USER32(?,?), ref: 00733A7A
_wcslen.LIBCMT ref: 00733A8A
VariantClear.OLEAUT32(?), ref: 00733C1F

Part of subcall function 00720CDF: VariantInit.OLEAUT32(00000000), ref: 00720D1F
Part of subcall function 00720CDF: VariantCopy.OLEAUT32(?,?), ref: 00720D28
Part of subcall function 00720CDF: VariantClear.OLEAUT32(?), ref: 00720D34

Strings

AUTOIT.ERROR, xrefs: 00733A80, 00733A85
Incorrect Parameter format, xrefs: 007339A6, 00733BA1

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 4571a6b7a968215f96f4436d950660dedc0d5658f892a5aef2dcdd0fa90b1484
Instruction ID: fa12f85095fb97e532dd6efecbab244f532bd5316c1493aadcddbb58232b66fe
Opcode Fuzzy Hash: 4571a6b7a968215f96f4436d950660dedc0d5658f892a5aef2dcdd0fa90b1484
Instruction Fuzzy Hash: A19167B56083019FC714DF28C48196AB7E5FF89314F14882DF88A9B352DB39EE45CB92

Function 00734BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0071000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0070FF41,80070057,?,?,?,0071035E), ref: 0071002B
Part of subcall function 0071000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0070FF41,80070057,?,?), ref: 00710046
Part of subcall function 0071000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0070FF41,80070057,?,?), ref: 00710054
Part of subcall function 0071000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0070FF41,80070057,?), ref: 00710064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00734C51
_wcslen.LIBCMT ref: 00734D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00734DCF
CoTaskMemFree.OLE32(?), ref: 00734DDA

Strings

NULL Pointer assignment, xrefs: 00734E23, 00734E52

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: b0542325775b2dda0996beff0cfc6ca316c7281b2607c208473922c5426973e4
Instruction ID: ba5a5757a5a00bb07855848c8b3ff3211126e4651acfe1350c1271ef2c8b8bd5
Opcode Fuzzy Hash: b0542325775b2dda0996beff0cfc6ca316c7281b2607c208473922c5426973e4
Instruction Fuzzy Hash: 129107B1D00219AFDF14DFA4C891AEEB7B9BF08310F10856AE915A7251DB34AA45CFA0

Function 007420FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00742183
GetMenuItemCount.USER32(00000000), ref: 007421B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 007421DD
_wcslen.LIBCMT ref: 00742213
GetMenuItemID.USER32(?,?), ref: 0074224D
GetSubMenu.USER32(?,?), ref: 0074225B

Part of subcall function 00713A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00713A57
Part of subcall function 00713A3D: GetCurrentThreadId.KERNEL32 ref: 00713A5E
Part of subcall function 00713A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007125B3), ref: 00713A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007422E3

Part of subcall function 0071E97B: Sleep.KERNEL32 ref: 0071E9F3

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 72987c16fbf8773249370cec64a7bf0c3fbb013652b3bc6c3f1085a21433570b
Instruction ID: a5efb07abee6c3bdeb1243675a8b581c2f4eb88f7e6b6353ef3ae0dcfac4e29c
Opcode Fuzzy Hash: 72987c16fbf8773249370cec64a7bf0c3fbb013652b3bc6c3f1085a21433570b
Instruction Fuzzy Hash: 57718175A00205AFCB50DF64C845AAEB7F6FF89310F518459F816EB352DB78ED428B90

Function 00747E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(019055B8), ref: 00747F37
IsWindowEnabled.USER32(019055B8), ref: 00747F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0074801E
SendMessageW.USER32(019055B8,000000B0,?,?), ref: 00748051
IsDlgButtonChecked.USER32(?,?), ref: 00748089
GetWindowLongW.USER32(019055B8,000000EC), ref: 007480AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 007480C3

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 54b5509ca2abd41ed31a6dc5bd87e74289b3fb2f09fd52e072ab52923f40fe14
Instruction ID: 735ff528875693d29cdb19113c9d00d29adfcaa18f1e712b5da3aed36b98b8da
Opcode Fuzzy Hash: 54b5509ca2abd41ed31a6dc5bd87e74289b3fb2f09fd52e072ab52923f40fe14
Instruction Fuzzy Hash: 5E71A334608208AFEB29DF54CC84FBE7BB9EF0A300F14445AF94557261CB39AC4ADB11

Function 0071AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0071AEF9
GetKeyboardState.USER32(?), ref: 0071AF0E
SetKeyboardState.USER32(?), ref: 0071AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0071AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0071AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0071AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0071B020

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 7af5cdc573d45b7c3ac3b8be34aa509260e7dc45aba4d80460c0c69a8e280647
Instruction ID: 0d13e62d4cfcbbedc54c99bb4bbf229b97b0f34aee13a6cfdad07f47047db57f
Opcode Fuzzy Hash: 7af5cdc573d45b7c3ac3b8be34aa509260e7dc45aba4d80460c0c69a8e280647
Instruction Fuzzy Hash: 4451B3A06057D53DFB3682388C49BFA7EA95B06304F088589F1D9554C2C3ACEDC9D761

Function 0071ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0071AD19
GetKeyboardState.USER32(?), ref: 0071AD2E
SetKeyboardState.USER32(?), ref: 0071AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0071ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0071ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0071AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0071AE38

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 4c1a08fda6a73300d763cafc73d98dddd11678dc4c50cc780352026f9a8c9620
Instruction ID: 93a520f0ea1c79b5e69e7eae274fc3e2d42fc1e7b9b70b14eee4bf28d1380188
Opcode Fuzzy Hash: 4c1a08fda6a73300d763cafc73d98dddd11678dc4c50cc780352026f9a8c9620
Instruction Fuzzy Hash: 3D51D7A16057D53DFB3783388C56BFA7EA96B46300F088589E1D5468C2D3ACECD8D752

Function 006E542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(006F3CD6,?,?,?,?,?,?,?,?,006E5BA3,?,?,006F3CD6,?,?), ref: 006E5470
__fassign.LIBCMT ref: 006E54EB
__fassign.LIBCMT ref: 006E5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,006F3CD6,00000005,00000000,00000000), ref: 006E552C
WriteFile.KERNEL32(?,006F3CD6,00000000,006E5BA3,00000000,?,?,?,?,?,?,?,?,?,006E5BA3,?), ref: 006E554B
WriteFile.KERNEL32(?,?,00000001,006E5BA3,00000000,?,?,?,?,?,?,?,?,?,006E5BA3,?), ref: 006E5584

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: df4848d3edda679db74b1bc5743c96aab233fefac24f2f257ac10cca4ee6c478
Instruction ID: d319719fb412ad35f286643af46aa8654f3b7501c81a7b02dbf36d7a6b715b64
Opcode Fuzzy Hash: df4848d3edda679db74b1bc5743c96aab233fefac24f2f257ac10cca4ee6c478
Instruction Fuzzy Hash: 3751F6B0A017889FDB11CFA9D845AEEBBF6EF09304F24405AF556E7391E7309A41CB64

Function 007310B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0073304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0073307A
Part of subcall function 0073304E: _wcslen.LIBCMT ref: 0073309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00731112
WSAGetLastError.WSOCK32 ref: 00731121
WSAGetLastError.WSOCK32 ref: 007311C9
closesocket.WSOCK32(00000000), ref: 007311F9

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 4dfcf43c93c6eb42513084cb9d584186ecbc678b996c219a74e660c14612d8ab
Instruction ID: b7cf8732e7410b4a2fb27b387ba18ac08fcb8caaedc5d2b4e46381deaff23314
Opcode Fuzzy Hash: 4dfcf43c93c6eb42513084cb9d584186ecbc678b996c219a74e660c14612d8ab
Instruction Fuzzy Hash: 83410535600218AFEB119F14C884BEAB7EAEF45324F14C059FD059B292C778EE81CBE5

Function 0071CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0071DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0071CF22,?), ref: 0071DDFD

Part of subcall function 0071DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0071CF22,?), ref: 0071DE16

lstrcmpiW.KERNEL32(?,?), ref: 0071CF45
MoveFileW.KERNEL32(?,?), ref: 0071CF7F
_wcslen.LIBCMT ref: 0071D005
_wcslen.LIBCMT ref: 0071D01B
SHFileOperationW.SHELL32(?), ref: 0071D061

Strings

\*.*, xrefs: 0071CFF3

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 8f8e26c9d7ca1af20fe4e1ed542c688c88d6643f863365dc77697314116bcbfe
Instruction ID: a726eb2b3e87afd940c2d0449847c3145ccbfaf17483e8d61dbe0768b8e187f0
Opcode Fuzzy Hash: 8f8e26c9d7ca1af20fe4e1ed542c688c88d6643f863365dc77697314116bcbfe
Instruction Fuzzy Hash: 294166729451189FDF12EFA8D981ADD77BDAF08380F1400EAE505EB181EB38AA85CB54

Function 00742DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00742E1C
GetWindowLongW.USER32(?,000000F0), ref: 00742E4F
GetWindowLongW.USER32(?,000000F0), ref: 00742E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00742EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00742EE0
GetWindowLongW.USER32(?,000000F0), ref: 00742EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00742F0B

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: ab881e99e480e1679cb8bd91c17967906cc54e406f0bebba68073278e47e5f15
Instruction ID: 053d7ec035027f27bd06b526f77ef85b2787272bb33d8ef4cb5d67269703134c
Opcode Fuzzy Hash: ab881e99e480e1679cb8bd91c17967906cc54e406f0bebba68073278e47e5f15
Instruction Fuzzy Hash: B2315734645160AFDB21CF18DC88F6537E4FB4A710FA680A5F9148F2B2CB79AC52DB05

Function 00717726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00717769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0071778F
SysAllocString.OLEAUT32(00000000), ref: 00717792
SysAllocString.OLEAUT32(?), ref: 007177B0
SysFreeString.OLEAUT32(?), ref: 007177B9
StringFromGUID2.OLE32(?,?,00000028), ref: 007177DE
SysAllocString.OLEAUT32(?), ref: 007177EC

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 66255b32e080aaa85f3478fed8e07f8a21f7938f08f7a95bca5a8e2c1c60aa95
Instruction ID: 5e3540b6ba8636a3ee5bd31280bf1acb681788203163d2203ef4bad2341bd4b0
Opcode Fuzzy Hash: 66255b32e080aaa85f3478fed8e07f8a21f7938f08f7a95bca5a8e2c1c60aa95
Instruction Fuzzy Hash: 8621DE7A604209AFDB00EFACCC88CFB77ACEB09360B008026BA15DB1D0D678DC81C764

Function 007177FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00717842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00717868
SysAllocString.OLEAUT32(00000000), ref: 0071786B
SysAllocString.OLEAUT32 ref: 0071788C
SysFreeString.OLEAUT32 ref: 00717895
StringFromGUID2.OLE32(?,?,00000028), ref: 007178AF
SysAllocString.OLEAUT32(?), ref: 007178BD

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 3e559e8276bc37344239e0e2c3cc22b118e93a881689dfe76d7f61aea61aabd0
Instruction ID: c9b96fdc156db6eec65125814a64dd848f399d0f23453f1fc08dd7da00cb5948
Opcode Fuzzy Hash: 3e559e8276bc37344239e0e2c3cc22b118e93a881689dfe76d7f61aea61aabd0
Instruction Fuzzy Hash: 2D216075609204AFDB14AFACDC88DEA77BCEB097607108125F915CB2A1DB78DC81CB78

Function 007204D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 007204F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0072052E

Strings

nul, xrefs: 00720567

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 168cd48d608dcbc6af130ddce8715ed3691fdc970f4da8df956aaa65eeb91b62
Instruction ID: d0a571306c8edfffde3e619425e6c09ad88ee6c74346df5fef5929a54ee34713
Opcode Fuzzy Hash: 168cd48d608dcbc6af130ddce8715ed3691fdc970f4da8df956aaa65eeb91b62
Instruction Fuzzy Hash: D32162756003199BDB209F2AEC44E5A77F4BF45724F204A19F8A1D61E1D7B49960CFB0

Function 007205A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 007205C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00720601

Strings

nul, xrefs: 00720639

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 749c2ec1e94ec93bfd3fd2e2859ab10aec7abb41caecc051191c342de1a7b386
Instruction ID: 4e3120ad60b51f5c5ab2d09a8b20f72d4c70e47c8aa3c89428e49a2f5f022263
Opcode Fuzzy Hash: 749c2ec1e94ec93bfd3fd2e2859ab10aec7abb41caecc051191c342de1a7b386
Instruction Fuzzy Hash: 7021B5755003259FDB208F69EC08A5A77F4BF85720F204A19F8A1E32E1D7B89860CBB0

Function 007440AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006B600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006B604C
Part of subcall function 006B600E: GetStockObject.GDI32(00000011), ref: 006B6060
Part of subcall function 006B600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 006B606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00744112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0074411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0074412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00744139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00744145

Strings

Msctls_Progress32, xrefs: 007440E3

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 027e147c606b81761712a7b95371a9a135db57a472c42edefc3c2eafbbdf9f08
Instruction ID: 42fb90c5941a3c0f80eb4c642c2e48051a2c61afdc8542114d8244000e5d4644
Opcode Fuzzy Hash: 027e147c606b81761712a7b95371a9a135db57a472c42edefc3c2eafbbdf9f08
Instruction Fuzzy Hash: 8B11B2B214021DBEEF119F64CC86EE77F9DEF09798F018111BA18A2050C7769C61DBA4

Function 006ED7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006ED7A3: _free.LIBCMT ref: 006ED7CC

_free.LIBCMT ref: 006ED82D

Part of subcall function 006E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006ED7D1,00000000,00000000,00000000,00000000,?,006ED7F8,00000000,00000007,00000000,?,006EDBF5,00000000), ref: 006E29DE
Part of subcall function 006E29C8: GetLastError.KERNEL32(00000000,?,006ED7D1,00000000,00000000,00000000,00000000,?,006ED7F8,00000000,00000007,00000000,?,006EDBF5,00000000,00000000), ref: 006E29F0

_free.LIBCMT ref: 006ED838
_free.LIBCMT ref: 006ED843
_free.LIBCMT ref: 006ED897
_free.LIBCMT ref: 006ED8A2
_free.LIBCMT ref: 006ED8AD
_free.LIBCMT ref: 006ED8B8

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: b941bb4c90bf183b418bef4db555d500211facf1544339635078ce54a5f8e861
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 63115171542B88AAD9A1BFB2CC47FCB7BDF6F00700F40082DB699AA093DA69F5054654

Function 0071DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0071DA74
LoadStringW.USER32(00000000), ref: 0071DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0071DA91
LoadStringW.USER32(00000000), ref: 0071DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0071DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0071DAB9

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: d7c614e53abe825bab9fc080f53110bc05b2933712a65d8ac716d321fb986356
Instruction ID: ce798c4c2fbfab8a1808cd29de22ad08b722ffb33bdd3586387161969f252312
Opcode Fuzzy Hash: d7c614e53abe825bab9fc080f53110bc05b2933712a65d8ac716d321fb986356
Instruction Fuzzy Hash: 940186F6500208BFE752DBA49D89EF7336CEB09701F4084A2B706E2081EB789E844F75

Function 0072096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(018FE7C8,018FE7C8), ref: 0072097B
EnterCriticalSection.KERNEL32(018FE7A8,00000000), ref: 0072098D
TerminateThread.KERNEL32(?,000001F6), ref: 0072099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 007209A9
CloseHandle.KERNEL32(?), ref: 007209B8
InterlockedExchange.KERNEL32(018FE7C8,000001F6), ref: 007209C8
LeaveCriticalSection.KERNEL32(018FE7A8), ref: 007209CF

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 8f55d187642a7c6420c7717b94e82cba7afa682a82b809ec4aa8bbd0a28f59b5
Instruction ID: 2a6de8320286383b8b32855c127df87a8d4f3b104283865640e518b016f78b3f
Opcode Fuzzy Hash: 8f55d187642a7c6420c7717b94e82cba7afa682a82b809ec4aa8bbd0a28f59b5
Instruction Fuzzy Hash: C4F0E135543912BBD7925F94EE8DBD67B35FF06702F405016F102508A1C7B9A465CFA4

Function 006B5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 006B5D30
GetWindowRect.USER32(?,?), ref: 006B5D71
ScreenToClient.USER32(?,?), ref: 006B5D99
GetClientRect.USER32(?,?), ref: 006B5ED7
GetWindowRect.USER32(?,?), ref: 006B5EF8

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: bb77ed90203e03c4a0bbe4a08ccb385e992492fd4b26ac5e646c5fae80f5a044
Instruction ID: 84693a267d8dfc7b1dc4b331484ef2f4393f3d0bd3d314f7094f943318621689
Opcode Fuzzy Hash: bb77ed90203e03c4a0bbe4a08ccb385e992492fd4b26ac5e646c5fae80f5a044
Instruction Fuzzy Hash: D6B16A74A0064ADBDB10CFA8C4407FAB7F2FF48310F14851AE9AAD7650DB34EA92DB54

Function 006E01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 006E00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006E00D6
__allrem.LIBCMT ref: 006E00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006E010B
__allrem.LIBCMT ref: 006E0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006E0140

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: b84babdb8ac1dcdb4c2b2f4ae3afd2fb6aa053fa908de7b5de01e4aed26f3574
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 0E81E772A027469BE720AF6ACC41BAB73EBAF41364F24453EF551DA3C1E7B0D9408794

Function 00731D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00733149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,0073101C,00000000,?,?,00000000), ref: 00733195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00731DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00731DE1
WSAGetLastError.WSOCK32 ref: 00731DF2
inet_ntoa.WSOCK32(?), ref: 00731E8C
htons.WSOCK32(?,?,?,?,?), ref: 00731EDB
_strlen.LIBCMT ref: 00731F35

Part of subcall function 007139E8: _strlen.LIBCMT ref: 007139F2

Part of subcall function 006B6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,006CCF58,?,?,?), ref: 006B6DBA
Part of subcall function 006B6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,006CCF58,?,?,?), ref: 006B6DED

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: bc94c72b2f35b486f1fbfd657790edccfc23ddbed6d08fa5d853dce7add426c4
Instruction ID: 927ff75058aba4b90f7f26cfed0479b43417a999366e2d6dc9efa30430d5fac1
Opcode Fuzzy Hash: bc94c72b2f35b486f1fbfd657790edccfc23ddbed6d08fa5d853dce7add426c4
Instruction Fuzzy Hash: 64A1E271204301AFE324DF24C885F6A77E6AF85318F94894CF4565B2A3CB35ED82CB91

Function 006E61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,006D82D9,006D82D9,?,?,?,006E644F,00000001,00000001,8BE85006), ref: 006E6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,006E644F,00000001,00000001,8BE85006,?,?,?), ref: 006E62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 006E63D8
__freea.LIBCMT ref: 006E63E5

Part of subcall function 006E3820: RtlAllocateHeap.NTDLL(00000000,?,00781444,?,006CFDF5,?,?,006BA976,00000010,00781440,006B13FC,?,006B13C6,?,006B1129), ref: 006E3852

__freea.LIBCMT ref: 006E63EE
__freea.LIBCMT ref: 006E6413

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 44d59f4fbbb13c85331d06928b3373677f9a74f2de6e9e06db5ea3cfed145c08
Instruction ID: c1e4ff22871238eb0faffaedc4a24d895b99364bab1f10af799ac0f7e8ef96ac
Opcode Fuzzy Hash: 44d59f4fbbb13c85331d06928b3373677f9a74f2de6e9e06db5ea3cfed145c08
Instruction Fuzzy Hash: E751D172602396AFDB258F66CC81EEF77ABEB64790F144629F905D7280EB34DD40C660

Function 0073BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006B9CB3: _wcslen.LIBCMT ref: 006B9CBD

Part of subcall function 0073C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0073B6AE,?,?), ref: 0073C9B5
Part of subcall function 0073C998: _wcslen.LIBCMT ref: 0073C9F1
Part of subcall function 0073C998: _wcslen.LIBCMT ref: 0073CA68
Part of subcall function 0073C998: _wcslen.LIBCMT ref: 0073CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0073BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0073BD25
RegCloseKey.ADVAPI32(00000000), ref: 0073BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0073BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0073BDF3
RegCloseKey.ADVAPI32(?), ref: 0073BDFF

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 497d1c9e7e70903728e74333972c888b3598bd3fd3eacd829de36306227706cf
Instruction ID: 7603cc30749d086f830eaa1ee58943a5a354e63c9ddc498824e4688574e3613b
Opcode Fuzzy Hash: 497d1c9e7e70903728e74333972c888b3598bd3fd3eacd829de36306227706cf
Instruction Fuzzy Hash: D481F170218241EFE714DF24C881E6ABBE5FF84308F14885DF55A4B2A2DB36ED45CB92

Function 0070F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0070F7B9
SysAllocString.OLEAUT32(00000001), ref: 0070F860
VariantCopy.OLEAUT32(0070FA64,00000000), ref: 0070F889
VariantClear.OLEAUT32(0070FA64), ref: 0070F8AD
VariantCopy.OLEAUT32(0070FA64,00000000), ref: 0070F8B1
VariantClear.OLEAUT32(?), ref: 0070F8BB

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: f621e02c32e051962198d22989f06e6efbfeee2316f9b093a063093a0feddf78
Instruction ID: e210fc634b9b96329e3cd2bfb73bc1c9cdd56f43b3ccd051ea9f771fc26badd5
Opcode Fuzzy Hash: f621e02c32e051962198d22989f06e6efbfeee2316f9b093a063093a0feddf78
Instruction Fuzzy Hash: 91513731611300FACF70AF65D885B69B3E5EF45310B20952BE802DF6D1DB789C40CBAA

Function 0072910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 006B7620: _wcslen.LIBCMT ref: 006B7625

Part of subcall function 006B6B57: _wcslen.LIBCMT ref: 006B6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 007294E5
_wcslen.LIBCMT ref: 00729506
_wcslen.LIBCMT ref: 0072952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00729585

Strings

X, xrefs: 00729412

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 62fac6e6b78b43dd4c3f15fb534caac00c69fdc75211d06d0ef6e6c02dbd09b9
Instruction ID: 6f41b2d6e96fcfa11a06b79445ca2861b5d300fd4248b448c738d9d6612184dd
Opcode Fuzzy Hash: 62fac6e6b78b43dd4c3f15fb534caac00c69fdc75211d06d0ef6e6c02dbd09b9
Instruction Fuzzy Hash: D6E1D171604350DFD764EF24D881AAAB7E1FF84310F08896DF9899B2A2DB34DD44CB96

Function 006C920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 006C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006C9BB2

BeginPaint.USER32(?,?,?), ref: 006C9241
GetWindowRect.USER32(?,?), ref: 006C92A5
ScreenToClient.USER32(?,?), ref: 006C92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 006C92D3
EndPaint.USER32(?,?,?,?,?), ref: 006C9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 007071EA

Part of subcall function 006C9339: BeginPath.GDI32(00000000), ref: 006C9357

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 5e9eba9e7093073b8a02b1592cbfd562eb5b55796f845ef9bb7384b2decbd3cd
Instruction ID: 6f642cb45c87de5122a1f3971705ab3c4797cfa8905868996e1c7dad3602be8f
Opcode Fuzzy Hash: 5e9eba9e7093073b8a02b1592cbfd562eb5b55796f845ef9bb7384b2decbd3cd
Instruction Fuzzy Hash: DE41AC70105240EFD711DF24CC88FBA7BE9EB8A320F14466DF994872E1C739A846DB66

Function 007207EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0072080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00720847
EnterCriticalSection.KERNEL32(?), ref: 00720863
LeaveCriticalSection.KERNEL32(?), ref: 007208DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 007208F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00720921

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 6f03a648e0aa38ab8e4891332ca038067d6bb4102106efa10c952f702e4f4d7b
Instruction ID: aebd1f3e1dbe023c72f9e71f2d93b7fa8ccfb138f4992965e0898360d4046a46
Opcode Fuzzy Hash: 6f03a648e0aa38ab8e4891332ca038067d6bb4102106efa10c952f702e4f4d7b
Instruction Fuzzy Hash: CF41AD71900205EFDF55AF54DC85A6A77BAFF04300F1080A9ED009A297DB74EE60DBA8

Function 007481DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0070F3AB,00000000,?,?,00000000,?,0070682C,00000004,00000000,00000000), ref: 0074824C
EnableWindow.USER32(?,00000000), ref: 00748272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 007482D1
ShowWindow.USER32(?,00000004), ref: 007482E5
EnableWindow.USER32(?,00000001), ref: 0074830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0074832F

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: e3874f482160d7ade33daf27a04f6d469f9dc294ef94cdc6f7ca8b768f89a61f
Instruction ID: 3e7c3e8a31130ae500826585f7cd0066e8f65c822e1568092624ca3995a0a736
Opcode Fuzzy Hash: e3874f482160d7ade33daf27a04f6d469f9dc294ef94cdc6f7ca8b768f89a61f
Instruction Fuzzy Hash: FA41C634601648EFDB52CF14C899BEC7BE0FB0A714F1882A9E5184F272CB79AC41CB56

Function 00714C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00714C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00714CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00714CEA
_wcslen.LIBCMT ref: 00714D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00714D10
_wcsstr.LIBVCRUNTIME ref: 00714D1A

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 714e66864d9c6b2aa9dbdaac10457e9ccf2e3d768fceaf91b63d066e5358f406
Instruction ID: f93f564bdec42050b3f7f4b2d24d43adbb0666a141874104708d831fbc3b0179
Opcode Fuzzy Hash: 714e66864d9c6b2aa9dbdaac10457e9ccf2e3d768fceaf91b63d066e5358f406
Instruction Fuzzy Hash: BA212976605200BBEB555B39EC09EBB7B9DDF46750F10C06EF905CA1D2EF69CC4092A0

Function 0072581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 006B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006B3A97,?,?,006B2E7F,?,?,?,00000000), ref: 006B3AC2

_wcslen.LIBCMT ref: 0072587B
CoInitialize.OLE32(00000000), ref: 00725995
CoCreateInstance.OLE32(0074FCF8,00000000,00000001,0074FB68,?), ref: 007259AE
CoUninitialize.OLE32 ref: 007259CC

Strings

.lnk, xrefs: 00725876, 007258C1, 00725985

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 87741839ce5985d0cdb342e178e55d83b759cd297f13510d0c004787984755fd
Instruction ID: dca79d87dc8c4c642d36b417e42a6891f4b8f55a3adc902240639268099bd92b
Opcode Fuzzy Hash: 87741839ce5985d0cdb342e178e55d83b759cd297f13510d0c004787984755fd
Instruction Fuzzy Hash: 4BD163B16047219FC714DF24D484A6ABBE6EF89310F14885DF8899B361DB35EC85CB92

Function 0071175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00710FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00710FCA
Part of subcall function 00710FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00710FD6
Part of subcall function 00710FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00710FE5
Part of subcall function 00710FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00710FEC
Part of subcall function 00710FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00711002

GetLengthSid.ADVAPI32(?,00000000,00711335), ref: 007117AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 007117BA
HeapAlloc.KERNEL32(00000000), ref: 007117C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 007117DA
GetProcessHeap.KERNEL32(00000000,00000000,00711335), ref: 007117EE
HeapFree.KERNEL32(00000000), ref: 007117F5

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 312eaf2065618c90114b61c5a40ee07f35802a60ab284a3f72fc516c7ccda25b
Instruction ID: 157ac32ac2aa87c65c3abe0a7c54d3a9a07c5d6fdf8c05a46b2dd33e1995af7a
Opcode Fuzzy Hash: 312eaf2065618c90114b61c5a40ee07f35802a60ab284a3f72fc516c7ccda25b
Instruction Fuzzy Hash: 9211BE75502209FFDB119FA8CC49BEE7BA9EB42355F508019F541AB290D739AD80CB60

Function 007114CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 007114FF
OpenProcessToken.ADVAPI32(00000000), ref: 00711506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00711515
CloseHandle.KERNEL32(00000004), ref: 00711520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0071154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00711563

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 87d1abaee8fdc496b7158e31eac1684735dfba70abf9b0b956c8aace191f6896
Instruction ID: df46bb4c941551ac9692039af2ebd65d15e797b23fe7742506265aeb0055a1b4
Opcode Fuzzy Hash: 87d1abaee8fdc496b7158e31eac1684735dfba70abf9b0b956c8aace191f6896
Instruction Fuzzy Hash: DA115976602249ABDF128F98DD49BDE7BA9EF49704F048015FE05A60A0C3798EA0DB61

Function 006D3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,006D3379,006D2FE5), ref: 006D3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 006D339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 006D33B7
SetLastError.KERNEL32(00000000,?,006D3379,006D2FE5), ref: 006D3409

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 4b104c97d1b2520b30a6f06b7e5d2da852a9186d4a564a7e7625baf56f0af120
Instruction ID: 861ed255a4c90b27c9c1b4a5aedbd35e18eb84bef24797c7dfad35e5995e64ad
Opcode Fuzzy Hash: 4b104c97d1b2520b30a6f06b7e5d2da852a9186d4a564a7e7625baf56f0af120
Instruction Fuzzy Hash: ED012832E09371BFA6562B757C855962A96EB193B5320422FF410843F0EF154D02918E

Function 006E2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,006E5686,006F3CD6,?,00000000,?,006E5B6A,?,?,?,?,?,006DE6D1,?,00778A48), ref: 006E2D78
_free.LIBCMT ref: 006E2DAB
_free.LIBCMT ref: 006E2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,006DE6D1,?,00778A48,00000010,006B4F4A,?,?,00000000,006F3CD6), ref: 006E2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,006DE6D1,?,00778A48,00000010,006B4F4A,?,?,00000000,006F3CD6), ref: 006E2DEC
_abort.LIBCMT ref: 006E2DF2

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 0958e86a9e7cdc24263057238549a68063e658e2246cfc6bb3987ee96270089f
Instruction ID: f7ceb0d60cbb0a733e9efffc7ec4bf03abe61a746bf0d2081ec287a48b9f073c
Opcode Fuzzy Hash: 0958e86a9e7cdc24263057238549a68063e658e2246cfc6bb3987ee96270089f
Instruction Fuzzy Hash: 4FF0F93550778227C29327376C2BA5A165FAFC2BA0F21841DF624D22D2EF2888014169

Function 00748A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 006C9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 006C9693
Part of subcall function 006C9639: SelectObject.GDI32(?,00000000), ref: 006C96A2
Part of subcall function 006C9639: BeginPath.GDI32(?), ref: 006C96B9
Part of subcall function 006C9639: SelectObject.GDI32(?,00000000), ref: 006C96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00748A4E
LineTo.GDI32(?,00000003,00000000), ref: 00748A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00748A70
LineTo.GDI32(?,00000000,00000003), ref: 00748A80
EndPath.GDI32(?), ref: 00748A90
StrokePath.GDI32(?), ref: 00748AA0

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: be62455d2f79a24395ea614d48d35bd4d85df327a135e8c58656ec17def80065
Instruction ID: f61082fa166856ab39b7be288f33a24ae669de3300d189de810b2614955ae3cb
Opcode Fuzzy Hash: be62455d2f79a24395ea614d48d35bd4d85df327a135e8c58656ec17def80065
Instruction Fuzzy Hash: FA11057604114CFFEB129F90DC88EAA7F6DEB09350F04C022FA199A1B1C775AD55DBA4

Function 007151FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00715218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00715229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00715230
ReleaseDC.USER32(00000000,00000000), ref: 00715238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0071524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00715261

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 598699b9638e65f9d7880ca2bbecf23f43af97701cf47b0f779e703f974964ae
Instruction ID: 8eb2eaccffbec0a432611db6cb2d0a765d0c3f69dca4e6be3741e21e2a71cd30
Opcode Fuzzy Hash: 598699b9638e65f9d7880ca2bbecf23f43af97701cf47b0f779e703f974964ae
Instruction Fuzzy Hash: E7018FB5A01708FBEB119BA59C49A4EBFB8FB49351F048066FA04A7290D7749800CBA5

Function 006B1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 006B1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 006B1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 006B1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 006B1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 006B1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 006B1C22

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 12855113abd4c554237314376d9ebb7e576b77fb06fb431aa8275de5fa5bebeb
Instruction ID: 6f3027d95448e41e70f1df62d51112f8eaccce9cb737411c69673f422667e316
Opcode Fuzzy Hash: 12855113abd4c554237314376d9ebb7e576b77fb06fb431aa8275de5fa5bebeb
Instruction Fuzzy Hash: 740167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00415BA15C4BA42C7F5A864CFE5

Function 0071EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0071EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0071EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0071EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0071EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0071EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0071EB75

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 34488d0709ef32daa8f881cdcbd49213602b5595903d52dda56c51346b94e6c6
Instruction ID: e6c1432c9ac560d9b28f4a94b95632ca2ceba8d0e53da876a503acd1e9313379
Opcode Fuzzy Hash: 34488d0709ef32daa8f881cdcbd49213602b5595903d52dda56c51346b94e6c6
Instruction Fuzzy Hash: 37F0B4B6202158BBE7225B529C0EEEF3E7CEFCBB11F00815AF601D1090D7A81A01C6B9

Function 00707439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00707452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00707469
GetWindowDC.USER32(?), ref: 00707475
GetPixel.GDI32(00000000,?,?), ref: 00707484
ReleaseDC.USER32(?,00000000), ref: 00707496
GetSysColor.USER32(00000005), ref: 007074B0

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 6e9ffd27583694c0dbf1f0042d55eab5f12c9b3e319403b5ae7b05710168de0f
Instruction ID: ec4b305b8132f7d29e81a4e0049183e0ddfa230e0a27932789db85ad9c0324d7
Opcode Fuzzy Hash: 6e9ffd27583694c0dbf1f0042d55eab5f12c9b3e319403b5ae7b05710168de0f
Instruction Fuzzy Hash: 9101AD35801205FFDB925FA4DC08BAE7BB5FF05311F618165F915A20E1CB392E51EB19

Function 00711874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0071187F
UnloadUserProfile.USERENV(?,?), ref: 0071188B
CloseHandle.KERNEL32(?), ref: 00711894
CloseHandle.KERNEL32(?), ref: 0071189C
GetProcessHeap.KERNEL32(00000000,?), ref: 007118A5
HeapFree.KERNEL32(00000000), ref: 007118AC

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: ccdfdcc4665a9fbbd823f151f48db67e56d9123de3676405e115bae90e3ba281
Instruction ID: 76be0479996f9f7d3e0e95e8dba084f90a90909402857d348f8e29548dd1148b
Opcode Fuzzy Hash: ccdfdcc4665a9fbbd823f151f48db67e56d9123de3676405e115bae90e3ba281
Instruction Fuzzy Hash: 74E0E57A206105BBDB425FA1ED0C90ABF39FF4AB22B10C222F22581070CB369820DF58

Function 006BBBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 006BBEB3

Strings

D%x, xrefs: 006BBE9A
D%x, xrefs: 006BBCA2
D%xD%x, xrefs: 006BBCA5
D%x, xrefs: 006BBDED, 006BBD91, 006BBD1B

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%x$D%x$D%x$D%xD%x
API String ID: 1385522511-2836779441
Opcode ID: bec86df1a508cb279ca76cf89fa21a257fae3202d1417faccef804b932de1330
Instruction ID: 8344bc8041d6e6812edf2aa23ce39e651316c0db78fa2ceb5f9aa6c39a9f378d
Opcode Fuzzy Hash: bec86df1a508cb279ca76cf89fa21a257fae3202d1417faccef804b932de1330
Instruction Fuzzy Hash: C49149B5A0020ACFCB18CF59C4916E9BBF2FF58310F24916AD945AB351D7B5ED82CB90

Function 00737B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 006D0242: EnterCriticalSection.KERNEL32(0078070C,00781884,?,?,006C198B,00782518,?,?,?,006B12F9,00000000), ref: 006D024D
Part of subcall function 006D0242: LeaveCriticalSection.KERNEL32(0078070C,?,006C198B,00782518,?,?,?,006B12F9,00000000), ref: 006D028A

Part of subcall function 006B9CB3: _wcslen.LIBCMT ref: 006B9CBD

Part of subcall function 006D00A3: __onexit.LIBCMT ref: 006D00A9

__Init_thread_footer.LIBCMT ref: 00737BFB

Part of subcall function 006D01F8: EnterCriticalSection.KERNEL32(0078070C,?,?,006C8747,00782514), ref: 006D0202
Part of subcall function 006D01F8: LeaveCriticalSection.KERNEL32(0078070C,?,006C8747,00782514), ref: 006D0235

Strings

G, xrefs: 00737C7F
+Tp, xrefs: 00737E2E
Variable must be of type 'Object'., xrefs: 00737C3A
5, xrefs: 00737C78

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +Tp$5$G$Variable must be of type 'Object'.
API String ID: 535116098-1816105312
Opcode ID: a97df36e4da783f8ff51d2f4dafbb2d3fa76c00fe39dae748e0390678b2f4459
Instruction ID: 2759620fef11465a9f61b4c9294c23489362dce0d80e9d9e707c09c155e6b70e
Opcode Fuzzy Hash: a97df36e4da783f8ff51d2f4dafbb2d3fa76c00fe39dae748e0390678b2f4459
Instruction Fuzzy Hash: 99915DB0A04209EFDB28EF94D8959BDB7B6FF45300F10805DF8065B292DB79AE41CB51

Function 0071C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006B7620: _wcslen.LIBCMT ref: 006B7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0071C6EE
_wcslen.LIBCMT ref: 0071C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0071C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0071C7CA

Strings

0, xrefs: 0071C6AF

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 1752904bd776fd868c8245bb065cf43b79cc6f2927738b858d3e9b9f373a3f96
Instruction ID: 04c4500989ee233b4dd653e62cff5f977e30c9a6a84ac3ff2bc3114d03f135d0
Opcode Fuzzy Hash: 1752904bd776fd868c8245bb065cf43b79cc6f2927738b858d3e9b9f373a3f96
Instruction Fuzzy Hash: B051DF716843409BD752AFACC885BFBB7E8AF49310F040A2DF995D31D0DBA8D884CB56

Function 0073AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0073AEA3

Part of subcall function 006B7620: _wcslen.LIBCMT ref: 006B7625

GetProcessId.KERNEL32(00000000), ref: 0073AF38
CloseHandle.KERNEL32(00000000), ref: 0073AF67

Strings

<, xrefs: 0073AE6B
@, xrefs: 0073AE72

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: d246a8cc22373da0c86f630127b654f63be0e817cebff28459ce35a79cc19e02
Instruction ID: c42105cfeff3aa338a5c90698019a42c3984db49bedbf6e538c2053f52c4659a
Opcode Fuzzy Hash: d246a8cc22373da0c86f630127b654f63be0e817cebff28459ce35a79cc19e02
Instruction Fuzzy Hash: 74715871A00215EFDB14DF54C486A9EBBF1AF08310F04849DE856AB3A2DB79ED81CB95

Function 0071719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00717206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0071723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0071724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 007172CF

Strings

DllGetClassObject, xrefs: 00717242

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 777215d2de8360c74617dc342f46523331b955ef0aca23300bf4b7ac16a64804
Instruction ID: 1858592394b807712952d8255fe48720fac197c8a5322893ebfa2a247aaf6574
Opcode Fuzzy Hash: 777215d2de8360c74617dc342f46523331b955ef0aca23300bf4b7ac16a64804
Instruction Fuzzy Hash: F84162B1604204DFDB19CF58C884ADA7BB9FF49310F1480ADBD059F24AD7B9D985DBA0

Function 00743D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00743E35
IsMenu.USER32(?), ref: 00743E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00743E92
DrawMenuBar.USER32 ref: 00743EA5

Strings

0, xrefs: 00743D89

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 0624662c9fe82bf1e8b6d162c0a5ed5280429e18fc6afddde1da2f574f7ab36f
Instruction ID: b66054be13e13af7f49af586427ced02d00f172b4290daec97f14f6a08f9bee3
Opcode Fuzzy Hash: 0624662c9fe82bf1e8b6d162c0a5ed5280429e18fc6afddde1da2f574f7ab36f
Instruction Fuzzy Hash: 30418974A02219EFDB10DF50D880EEABBB9FF49350F148029F819A7250D338AE51CF60

Function 00711DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006B9CB3: _wcslen.LIBCMT ref: 006B9CBD

Part of subcall function 00713CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00713CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00711E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00711E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00711EA9

Part of subcall function 006B6B57: _wcslen.LIBCMT ref: 006B6B6A

Strings

ListBox, xrefs: 00711E25
ComboBox, xrefs: 00711DF0

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 5e8f1f25161f12d7fd8cf787a11cc6c4a7826d47713838bd21d9c2737aec38f2
Instruction ID: 386883bbdba43a17de32ae681e5aab5d71501ad25c161c17479d8990c576e159
Opcode Fuzzy Hash: 5e8f1f25161f12d7fd8cf787a11cc6c4a7826d47713838bd21d9c2737aec38f2
Instruction Fuzzy Hash: 832137B1A00104BADB14ABA8CC45CFFB7B9DF46350B54851DF925A71E1DB3C49898730

Function 0073C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0073C9F1
_wcslen.LIBCMT ref: 0073CA68
_wcslen.LIBCMT ref: 0073CA9E
_wcslen.LIBCMT ref: 0073CAF9
_wcslen.LIBCMT ref: 0073CB2F
_wcslen.LIBCMT ref: 0073CB7F

Strings

HKLM, xrefs: 0073CA98, 0073CA9D
HKEY_LOCAL_MACHINE, xrefs: 0073CA62, 0073CA67

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: b184a1ec81e4f8176bf9cba2efbcb2355e9172725875729eff7fa50d36c06a5e
Instruction ID: bfd03d9d0d10f0dfc884f8c3a65fba60727ff9f5f50ae2f1dbcfa005905dbc38
Opcode Fuzzy Hash: b184a1ec81e4f8176bf9cba2efbcb2355e9172725875729eff7fa50d36c06a5e
Instruction Fuzzy Hash: DC31FB73A001694BEB22EF6C8D501BE33925B61790F15C029E845BB346EA79CD40D3E4

Function 00742F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00742F8D
LoadLibraryW.KERNEL32(?), ref: 00742F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00742FA9
DestroyWindow.USER32(?), ref: 00742FB1

Strings

SysAnimate32, xrefs: 00742F68

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 1fc89bc7832817a6b94e59ee7531ee7b9ab25c8d2e74fa47e2bccb1666c4dd34
Instruction ID: 442e50befd009e8f3a2e5f38b8958c93deca049740b5e6055f7e7ac962712598
Opcode Fuzzy Hash: 1fc89bc7832817a6b94e59ee7531ee7b9ab25c8d2e74fa47e2bccb1666c4dd34
Instruction Fuzzy Hash: 5D21FD71200209ABEF118F64DC80EBB37BDEB59364FD08619FA10D20A2C379DCA69764

Function 006D4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,006D4D1E,006E28E9,?,006D4CBE,006E28E9,007788B8,0000000C,006D4E15,006E28E9,00000002), ref: 006D4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 006D4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,006D4D1E,006E28E9,?,006D4CBE,006E28E9,007788B8,0000000C,006D4E15,006E28E9,00000002,00000000), ref: 006D4DC3

Strings

CorExitProcess, xrefs: 006D4D98
mscoree.dll, xrefs: 006D4D86

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: dbd02a2e27da07148e97ee35bf77b80061f8bd975e8d60e9e80909057654fe45
Instruction ID: 7ff035dbe406c4bd6eee74a2ca349491fd4d1275202220fe76c52461039eab69
Opcode Fuzzy Hash: dbd02a2e27da07148e97ee35bf77b80061f8bd975e8d60e9e80909057654fe45
Instruction Fuzzy Hash: B0F0A434901208BBDB515F90DC09BDDBFB6EF09752F04409AF805A2350DF745D40CAD4

Function 0070D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0070D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0070D3BF
FreeLibrary.KERNEL32(00000000), ref: 0070D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0070D3B9
X64, xrefs: 0070D2A8

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: f05d742c8416aae263b864c4b924f13be8b812acc00d024824a9fe28b9830367
Instruction ID: 5247d4b4d654eb4d7a004b1aca4ea2c79b05ebecf80c9615db9741e627a0b6a8
Opcode Fuzzy Hash: f05d742c8416aae263b864c4b924f13be8b812acc00d024824a9fe28b9830367
Instruction Fuzzy Hash: AFF05CB5402710DBD77617948C08E29F796BF02701B54C36AF401E10C4D72CCD40C787

Function 006B4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,006B4EDD,?,00781418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006B4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 006B4EAE
FreeLibrary.KERNEL32(00000000,?,?,006B4EDD,?,00781418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006B4EC0

Strings

kernel32.dll, xrefs: 006B4E94
Wow64DisableWow64FsRedirection, xrefs: 006B4EA8

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 1a3f88c2656a9d70af82ffb25f0ef8bec280c4f4d4086c8d59cc5ad5768df5fd
Instruction ID: fc77306ef960486453f42d937e218fd9a3fb4b33c1fbf2ff624b0c5a8eac14c4
Opcode Fuzzy Hash: 1a3f88c2656a9d70af82ffb25f0ef8bec280c4f4d4086c8d59cc5ad5768df5fd
Instruction Fuzzy Hash: 89E0CDF9A036225BD27317296C18BDF6955AF83F627054116FC04D2302DF68CD42C6A5

Function 006B4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,006F3CDE,?,00781418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006B4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 006B4E74
FreeLibrary.KERNEL32(00000000,?,?,006F3CDE,?,00781418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006B4E87

Strings

kernel32.dll, xrefs: 006B4E5B
Wow64RevertWow64FsRedirection, xrefs: 006B4E6E

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 46b33b0f94231595d832cf4f35b5ab519fd79d5f6b3a73b37cada2594daf34de
Instruction ID: 596535d7796003a8b6776993995481ef4151b82afefa9381e106f91e02e3ee3b
Opcode Fuzzy Hash: 46b33b0f94231595d832cf4f35b5ab519fd79d5f6b3a73b37cada2594daf34de
Instruction Fuzzy Hash: EAD0C2F9503A21574A631B246C08DCB2B1AAF83B513058112B804A2211CF28CD42C6E4

Function 00722947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00722C05
DeleteFileW.KERNEL32(?), ref: 00722C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00722C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00722CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00722CC0

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 5421772da68082eaa9a5f304a2a6ae0c3b0878e83d627f8d555608d6389c2980
Instruction ID: 213892372d10109c70462af8e007599e21a1790e2a5604d03e8dfcfec13fc0da
Opcode Fuzzy Hash: 5421772da68082eaa9a5f304a2a6ae0c3b0878e83d627f8d555608d6389c2980
Instruction Fuzzy Hash: 4AB16FB1D00129ABDF11EFA4DC85EDE777DEF09340F1040AAF509E6142EA34DA458F65

Function 0073A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0073A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0073A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0073A468
CloseHandle.KERNEL32(?), ref: 0073A63D

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 60fdc9fa88683b8280861ef97ce4da3627572e359e241165f2faac0ef9089028
Instruction ID: 3ee6ed62504224f779fa3485c42c93d3389d50d45182a9a8a512af251e8b800b
Opcode Fuzzy Hash: 60fdc9fa88683b8280861ef97ce4da3627572e359e241165f2faac0ef9089028
Instruction Fuzzy Hash: 16A1B5B1604300AFE760DF14C886F2AB7E6AF84714F14885DF5999B2D2D774EC41CB56

Function 0071E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0071DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0071CF22,?), ref: 0071DDFD

Part of subcall function 0071DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0071CF22,?), ref: 0071DE16

Part of subcall function 0071E199: GetFileAttributesW.KERNEL32(?,0071CF95), ref: 0071E19A

lstrcmpiW.KERNEL32(?,?), ref: 0071E473
MoveFileW.KERNEL32(?,?), ref: 0071E4AC
_wcslen.LIBCMT ref: 0071E5EB
_wcslen.LIBCMT ref: 0071E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0071E650

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 95c56fba731ef6871bcff1e073419c294a8f40766a6879a5cb28351a62c17744
Instruction ID: 34c9c94c1972701465eec5848ed6b468489f8e433523ea0f8b6bc62672377e9b
Opcode Fuzzy Hash: 95c56fba731ef6871bcff1e073419c294a8f40766a6879a5cb28351a62c17744
Instruction Fuzzy Hash: 545186B24083859BC764DB94DC819DF73EDAF85340F00491EFA89D3191EF78A6C8876A

Function 0073B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006B9CB3: _wcslen.LIBCMT ref: 006B9CBD

Part of subcall function 0073C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0073B6AE,?,?), ref: 0073C9B5
Part of subcall function 0073C998: _wcslen.LIBCMT ref: 0073C9F1
Part of subcall function 0073C998: _wcslen.LIBCMT ref: 0073CA68
Part of subcall function 0073C998: _wcslen.LIBCMT ref: 0073CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0073BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0073BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0073BB63
RegCloseKey.ADVAPI32(?,?), ref: 0073BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0073BBB3

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 7bda5d526520b96624186cb0cdb0c64bb94103c94139fe4abcbe19865cfe4578
Instruction ID: fdce111611c152a2fcf94fe7f52ed0dc201ab050b3855421713a6a11201d9f30
Opcode Fuzzy Hash: 7bda5d526520b96624186cb0cdb0c64bb94103c94139fe4abcbe19865cfe4578
Instruction Fuzzy Hash: B361C471208241EFD314DF24C890E6ABBE5FF84308F14895DF5998B2A2DB35ED45CB92

Function 00718BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00718BCD
VariantClear.OLEAUT32 ref: 00718C3E
VariantClear.OLEAUT32 ref: 00718C9D
VariantClear.OLEAUT32(?), ref: 00718D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00718D3B

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 57bde3719e8a9258cb7135ae8db2f88a568bfaafe5f744503963a7762feb2f67
Instruction ID: eea85814399677317c95e00c4c85b77cfa12bfc72871267bea9635e6e22f0d3d
Opcode Fuzzy Hash: 57bde3719e8a9258cb7135ae8db2f88a568bfaafe5f744503963a7762feb2f67
Instruction Fuzzy Hash: 4B5169B5A00219EFCB10CF68D884AAABBF8FF8D310B158559E955DB350E734E911CFA0

Function 00728AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00728BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00728BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00728C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00728C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00728C5F

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: bc60f934969bd3a5c2558362a8302466995c2711508b7f6059c9eacc5106a16a
Instruction ID: 50d4e57368dc1d22b9da7e19b7c99ad0e0f2a5f2c0704202b0ea81a9a08ec641
Opcode Fuzzy Hash: bc60f934969bd3a5c2558362a8302466995c2711508b7f6059c9eacc5106a16a
Instruction Fuzzy Hash: B6517175A002149FCB51DF54C881EADBBF6FF49314F048098E8096B362CB35ED81CBA5

Function 00738EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00738F40
GetProcAddress.KERNEL32(00000000,?), ref: 00738FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00738FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00739032
FreeLibrary.KERNEL32(00000000), ref: 00739052

Part of subcall function 006CF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00721043,?,753CE610), ref: 006CF6E6
Part of subcall function 006CF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0070FA64,00000000,00000000,?,?,00721043,?,753CE610,?,0070FA64), ref: 006CF70D

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 6cdcbdab693a62ba77ee38a700940fde56f0da770c812dde0546f292c0bba06b
Instruction ID: f369c249f6d906165d22d76751429005a844075a5f08b8c0bc40f044eec99cbb
Opcode Fuzzy Hash: 6cdcbdab693a62ba77ee38a700940fde56f0da770c812dde0546f292c0bba06b
Instruction Fuzzy Hash: A7517B75600206DFDB55DF58C4848ADBBF2FF49314F088099E90AAB362CB35ED85CB91

Function 00746B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00746C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00746C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00746C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0072AB79,00000000,00000000), ref: 00746C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00746CC7

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: af5558983527de95431cac247b03bae3673afc70850da1c96301cbcae2d18a7f
Instruction ID: f029e72f9c228fcbda1d6cddc7e8d0d6f6f7c2a8431eecd4299fa2acccf9f432
Opcode Fuzzy Hash: af5558983527de95431cac247b03bae3673afc70850da1c96301cbcae2d18a7f
Instruction Fuzzy Hash: 1041F379A00104AFDB25CF68CC98FB97BA5EB0B350F154269F895A72E0C379FD41CA61

Function 006E2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006E20C3
_free.LIBCMT ref: 006E20E3

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 11bf19b88d5cbcc9833b1417cf3bfb46ed6f406dd6ebfb3a5b2551bce9344506
Instruction ID: 1418232ffce5514f6fb0733d4a5365b5bf1cded4cfe807460adf29fd4fec6519
Opcode Fuzzy Hash: 11bf19b88d5cbcc9833b1417cf3bfb46ed6f406dd6ebfb3a5b2551bce9344506
Instruction Fuzzy Hash: 3141E672A013019FCB24DF79C891A9EB3ABEF89314F15856DE615EB392D631ED01CB80

Function 006C912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 006C9141
ScreenToClient.USER32(00000000,?), ref: 006C915E
GetAsyncKeyState.USER32(00000001), ref: 006C9183
GetAsyncKeyState.USER32(00000002), ref: 006C919D

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: c69600f1628f06f0842134b7082da4e0be130debec463e06ede6fce267daa19f
Instruction ID: b16b1ad9e57b24cd739bc12ae2227933c69d554729f41a7b1ce4aed56f9e4f6b
Opcode Fuzzy Hash: c69600f1628f06f0842134b7082da4e0be130debec463e06ede6fce267daa19f
Instruction Fuzzy Hash: A7416031A0850AFBDF199F64C849BFEB7B5FB45324F248319E425A72D0C7346951CBA1

Function 00723874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 007238CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00723922
TranslateMessage.USER32(?), ref: 0072394B
DispatchMessageW.USER32(?), ref: 00723955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00723966

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: b854396055c8f4627f605822a8b12c823431a24d6ec19dc6da56405aacea8823
Instruction ID: e4edc1f8cc2265a2164d28dfc30c971355ceb92ee8ae11d322b0a5d8b81cf890
Opcode Fuzzy Hash: b854396055c8f4627f605822a8b12c823431a24d6ec19dc6da56405aacea8823
Instruction Fuzzy Hash: E531F7709443619FEB35CB34A809BB637A8EB06308F54456DE4A6C64A0E3BCB6C5CB25

Function 0072CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0072C21E,00000000), ref: 0072CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0072CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0072C21E,00000000), ref: 0072CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0072C21E,00000000), ref: 0072CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0072C21E,00000000), ref: 0072CFF2

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: dbc6ab74f9980e034dc861e799112b613778ca2c0f0d7fbf7124ab15a99eb87b
Instruction ID: 26b6400972e95e425312947ce96dbc63e99cacd88f345c3eac8bf90358700b57
Opcode Fuzzy Hash: dbc6ab74f9980e034dc861e799112b613778ca2c0f0d7fbf7124ab15a99eb87b
Instruction Fuzzy Hash: 1C318272500615EFDB21DFA5D984EAFBBFAEF24350B10442EF516D2150D738AE40DB60

Function 00711901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00711915
PostMessageW.USER32(00000001,00000201,00000001), ref: 007119C1
Sleep.KERNEL32(00000000,?,?,?), ref: 007119C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 007119DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 007119E2

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: f61a0b41804bb99035da28662ea3037ac0eab8e8e5440fe21de65d10e4db26a7
Instruction ID: 146de3bcf6e11de3bae484fc07a66131f5d69665307c17621593a58e0062cb79
Opcode Fuzzy Hash: f61a0b41804bb99035da28662ea3037ac0eab8e8e5440fe21de65d10e4db26a7
Instruction Fuzzy Hash: 3B31C275900259EFCB00CFACCD99ADE3BB5EB05315F108265FA21AB2D1C774AD84CB91

Function 00745706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00745745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0074579D
_wcslen.LIBCMT ref: 007457AF
_wcslen.LIBCMT ref: 007457BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00745816

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 40d2c6316edf586c2053daf3db2a5e9dee3310292d08abb660fbb2868d0b05e4
Instruction ID: d177e5430dc3ca13773a0dcec97d39288ee42fe04728f3a90084d18b846ccba0
Opcode Fuzzy Hash: 40d2c6316edf586c2053daf3db2a5e9dee3310292d08abb660fbb2868d0b05e4
Instruction Fuzzy Hash: 2421A275904618DBDB219FA4CC85EEE7BB8FF05320F108266E929EA181D7789985CF50

Function 00730930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00730951
GetForegroundWindow.USER32 ref: 00730968
GetDC.USER32(00000000), ref: 007309A4
GetPixel.GDI32(00000000,?,00000003), ref: 007309B0
ReleaseDC.USER32(00000000,00000003), ref: 007309E8

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 930c8c976e3a564360d3ee0836216de9a8551f9248e7fe5b0ec8e75b4c6ac381
Instruction ID: 3bfb8f25cf43b3d62203eec0d2d5e7f838ae29df45f188558f4fde388b54181c
Opcode Fuzzy Hash: 930c8c976e3a564360d3ee0836216de9a8551f9248e7fe5b0ec8e75b4c6ac381
Instruction Fuzzy Hash: 5921CF79A00214AFD740EF64D888AAEBBE9FF45300F00C06DF84A97362CB34AD00CB90

Function 006ECDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 006ECDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 006ECDE9

Part of subcall function 006E3820: RtlAllocateHeap.NTDLL(00000000,?,00781444,?,006CFDF5,?,?,006BA976,00000010,00781440,006B13FC,?,006B13C6,?,006B1129), ref: 006E3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 006ECE0F
_free.LIBCMT ref: 006ECE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 006ECE31

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 8c6cd9936f66ec0bde120209e38456b64ee7c1b43394ebe48f8301c32a66d371
Instruction ID: 61717ae670554eeda2cb3afd77ca59f8da6a846f13c00a8e7d83b15018989a63
Opcode Fuzzy Hash: 8c6cd9936f66ec0bde120209e38456b64ee7c1b43394ebe48f8301c32a66d371
Instruction Fuzzy Hash: 1101D8726033957F63211A7B6C4CC7B696EDEC7BB1315412EF905D7201DB658D0381B4

Function 006C9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 006C9693
SelectObject.GDI32(?,00000000), ref: 006C96A2
BeginPath.GDI32(?), ref: 006C96B9
SelectObject.GDI32(?,00000000), ref: 006C96E2

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: cee8103daf21ea5ba78b64f3382920c86b1263f059fe675848c316ab06972714
Instruction ID: 5abb12ed551bc47c636b3c7c717fe0cd8ebaf5fdfaf619e07117c28f43fe06c5
Opcode Fuzzy Hash: cee8103daf21ea5ba78b64f3382920c86b1263f059fe675848c316ab06972714
Instruction Fuzzy Hash: E3218670842345DBEB119F55DC08BF97BA9FB01315F60821AF410A62F0D3786852CBA8

Function 00715711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00715726
_memcmp.LIBVCRUNTIME ref: 00715744
_memcmp.LIBVCRUNTIME ref: 00715757
_memcmp.LIBVCRUNTIME ref: 0071576F
_memcmp.LIBVCRUNTIME ref: 00715787

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 7ab7fd6ac08f8311b8180a37ef912e1ee214f58f98ce14496f9f7215d2a93393
Instruction ID: 8449cfd6c21f9e1abce3d6d5fc49bd985ff044b7a3335d93eaba23aba1360567
Opcode Fuzzy Hash: 7ab7fd6ac08f8311b8180a37ef912e1ee214f58f98ce14496f9f7215d2a93393
Instruction Fuzzy Hash: CF0192A5641A09FAE34C55289D93EFA635D9BA23A4B004025FD049E2C2FB68ED50C6B4

Function 006E2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,006DF2DE,006E3863,00781444,?,006CFDF5,?,?,006BA976,00000010,00781440,006B13FC,?,006B13C6), ref: 006E2DFD
_free.LIBCMT ref: 006E2E32
_free.LIBCMT ref: 006E2E59
SetLastError.KERNEL32(00000000,006B1129), ref: 006E2E66
SetLastError.KERNEL32(00000000,006B1129), ref: 006E2E6F

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 1d70b2dd8f3d517de0a837957bfd1b65228d8348f294b7d943b3be453e13a82e
Instruction ID: 6586cfb739f944503e944c21e08251335e7289e3b74ac31e305a3df2a1a37530
Opcode Fuzzy Hash: 1d70b2dd8f3d517de0a837957bfd1b65228d8348f294b7d943b3be453e13a82e
Instruction Fuzzy Hash: B7017D362077A22BC61327372C9AD6B165FABC27B4B31802DF514A33D3EF388C010024

Function 0071000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0070FF41,80070057,?,?,?,0071035E), ref: 0071002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0070FF41,80070057,?,?), ref: 00710046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0070FF41,80070057,?,?), ref: 00710054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0070FF41,80070057,?), ref: 00710064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0070FF41,80070057,?,?), ref: 00710070

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 19905301b1774b15d9fe45af2b7e64b1174b39dc7291c8bbd8b608376ddef5cb
Instruction ID: daa4922700da081a2c376ebf18a612f75c7639955f42ec95a7fdcf0d33ac50ad
Opcode Fuzzy Hash: 19905301b1774b15d9fe45af2b7e64b1174b39dc7291c8bbd8b608376ddef5cb
Instruction Fuzzy Hash: F601F27A601204BFDB114F68DC08BEA7AEDEF48791F108025F801D6250E7B9CEC09BA0

Function 0071E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0071E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0071E9A5
Sleep.KERNEL32(00000000), ref: 0071E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0071E9B7
Sleep.KERNEL32 ref: 0071E9F3

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 143bc5d39d05a8d653ac396f648e9996cfd8838744a9cf7ce91ef000f1cbc491
Instruction ID: 600fcd511ee6ebba209128a65fbb3f897ac39916db85df2221ee962b51548863
Opcode Fuzzy Hash: 143bc5d39d05a8d653ac396f648e9996cfd8838744a9cf7ce91ef000f1cbc491
Instruction Fuzzy Hash: AC019275C0262DDBCF409FE8DC59AEDBB78FF09700F004546E902B2181DB38A590CB66

Function 007110F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00711114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00710B9B,?,?,?), ref: 00711120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00710B9B,?,?,?), ref: 0071112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00710B9B,?,?,?), ref: 00711136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0071114D

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 88196fd20110dc9e2623c0e12b1a7fb40dac27268da075b454b110562a588779
Instruction ID: dc60c20af520075b7f70f84f522f9503e0876a8cc801e32fb8d2ef64b59cbb2f
Opcode Fuzzy Hash: 88196fd20110dc9e2623c0e12b1a7fb40dac27268da075b454b110562a588779
Instruction Fuzzy Hash: 9F018179101209BFDB524FA9DC49EAA3F7EEF86364B104415FA41C7360DB35DC409A60

Function 00710FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00710FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00710FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00710FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00710FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00711002

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 1950add31eb545ddf5690648a7c85584812d1c3a0e7aefa1b6453000ce3580e7
Instruction ID: 6a1a292f268737eead7ea3168a0c3a6650539af3825653112b0eaccae3f2af4b
Opcode Fuzzy Hash: 1950add31eb545ddf5690648a7c85584812d1c3a0e7aefa1b6453000ce3580e7
Instruction Fuzzy Hash: B8F06279602305EBD7224FA8DC4DF963B6DEF8A761F508415FA45CB2A1CB78DC808A60

Function 00711014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0071102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00711036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00711045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0071104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00711062

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 28cadfae3c7869eea97422727b76aa6205407dac61a238afbf7e11fa263dde9b
Instruction ID: 0d60636101f707a201be14baef75bd60fc01652768132bd9bd3a1cf0b70c0e6a
Opcode Fuzzy Hash: 28cadfae3c7869eea97422727b76aa6205407dac61a238afbf7e11fa263dde9b
Instruction Fuzzy Hash: D5F06279702305EBD7225FA9EC49F963B6DEF8A761F504415FA45CB2A0CB78DC80CA60

Function 0072030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0072017D,?,007232FC,?,00000001,006F2592,?), ref: 00720324
CloseHandle.KERNEL32(?,?,?,?,0072017D,?,007232FC,?,00000001,006F2592,?), ref: 00720331
CloseHandle.KERNEL32(?,?,?,?,0072017D,?,007232FC,?,00000001,006F2592,?), ref: 0072033E
CloseHandle.KERNEL32(?,?,?,?,0072017D,?,007232FC,?,00000001,006F2592,?), ref: 0072034B
CloseHandle.KERNEL32(?,?,?,?,0072017D,?,007232FC,?,00000001,006F2592,?), ref: 00720358
CloseHandle.KERNEL32(?,?,?,?,0072017D,?,007232FC,?,00000001,006F2592,?), ref: 00720365

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: fc4d67b944f13e37eba98d4776b4cb65bddb22baef91a4dd7b53d9e5f55feea4
Instruction ID: 3216d62146024c36cf71d8388c072f9c0af064f793a0dc07d1f88799ef290f27
Opcode Fuzzy Hash: fc4d67b944f13e37eba98d4776b4cb65bddb22baef91a4dd7b53d9e5f55feea4
Instruction Fuzzy Hash: C801A276801B259FC7309F66E880412FBF5BF503153158A3FD19652932C375A954CF90

Function 006ED73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006ED752

Part of subcall function 006E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006ED7D1,00000000,00000000,00000000,00000000,?,006ED7F8,00000000,00000007,00000000,?,006EDBF5,00000000), ref: 006E29DE
Part of subcall function 006E29C8: GetLastError.KERNEL32(00000000,?,006ED7D1,00000000,00000000,00000000,00000000,?,006ED7F8,00000000,00000007,00000000,?,006EDBF5,00000000,00000000), ref: 006E29F0

_free.LIBCMT ref: 006ED764
_free.LIBCMT ref: 006ED776
_free.LIBCMT ref: 006ED788
_free.LIBCMT ref: 006ED79A

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0eab6378d06155ee056a95a99dc7e5b5a872c6f91f09ad4d46bfd6a4a0e8bc80
Instruction ID: 7d00012e23f468d33003e682f7ac95a09750732de11e7b11d001fd1e344cad33
Opcode Fuzzy Hash: 0eab6378d06155ee056a95a99dc7e5b5a872c6f91f09ad4d46bfd6a4a0e8bc80
Instruction Fuzzy Hash: 40F068325023896B8A51EB57F9C2C5A77DFBB08750B95580DF048DB602C738FC804A68

Function 00715C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00715C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00715C6F
MessageBeep.USER32(00000000), ref: 00715C87
KillTimer.USER32(?,0000040A), ref: 00715CA3
EndDialog.USER32(?,00000001), ref: 00715CBD

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 8b4d214386fddcc5db06e3bdb86ac6aaa74b3d37d11042c2c3e096ad61480dda
Instruction ID: c0f81cfe7222e5f446f93f1eac32034da0963b478625c07c7ce05d090b2ff016
Opcode Fuzzy Hash: 8b4d214386fddcc5db06e3bdb86ac6aaa74b3d37d11042c2c3e096ad61480dda
Instruction Fuzzy Hash: B301D134501B05EBEB265F14DD4EFE677B8BB01B01F00555AB683A10E0DBF8AAC48BA5

Function 006E22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006E22BE

Part of subcall function 006E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006ED7D1,00000000,00000000,00000000,00000000,?,006ED7F8,00000000,00000007,00000000,?,006EDBF5,00000000), ref: 006E29DE
Part of subcall function 006E29C8: GetLastError.KERNEL32(00000000,?,006ED7D1,00000000,00000000,00000000,00000000,?,006ED7F8,00000000,00000007,00000000,?,006EDBF5,00000000,00000000), ref: 006E29F0

_free.LIBCMT ref: 006E22D0
_free.LIBCMT ref: 006E22E3
_free.LIBCMT ref: 006E22F4
_free.LIBCMT ref: 006E2305

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 203f8f4f2bb9c9a1d6083e885d3abbcaa8be2c21165b1d3dd872dc7056410b46
Instruction ID: c608cc1574bd7c620a93a307f65317f93dda7abc36fbb17c253a1d5d567c8dce
Opcode Fuzzy Hash: 203f8f4f2bb9c9a1d6083e885d3abbcaa8be2c21165b1d3dd872dc7056410b46
Instruction Fuzzy Hash: E1F090714823518B8663AF56BC128483B6FB718BA0751D10EF014CA272C73C05429BED

Function 006C95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 006C95D4
StrokeAndFillPath.GDI32(?,?,007071F7,00000000,?,?,?), ref: 006C95F0
SelectObject.GDI32(?,00000000), ref: 006C9603
DeleteObject.GDI32 ref: 006C9616
StrokePath.GDI32(?), ref: 006C9631

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 49db9fd8592cbf4488e24f430a9837f0ef8713fece59c4d7e5cd23d80b2cc753
Instruction ID: bfaa55aeda9cd8ada1cf096095e5dd6a8f19fa795cfc42ec2f3cb150b3642199
Opcode Fuzzy Hash: 49db9fd8592cbf4488e24f430a9837f0ef8713fece59c4d7e5cd23d80b2cc753
Instruction Fuzzy Hash: 3DF03C34046688EBDB265F65ED1CBB43B6AEB01322F64C219F425551F0D7389992DF28

Function 006E0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 006E10F9
__freea.LIBCMT ref: 006E1117

Part of subcall function 006E1537: _free.LIBCMT ref: 006E154F

Strings

a/p, xrefs: 006E11DE
am/pm, xrefs: 006E117A

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 5e3ee09c1e2c4ae9e087778401dc9b77175e025c60e08cc072a4d3611390395f
Instruction ID: 60490a9cd96694e92abd422cedaaca7deec334833708f314e922b5c118027a07
Opcode Fuzzy Hash: 5e3ee09c1e2c4ae9e087778401dc9b77175e025c60e08cc072a4d3611390395f
Instruction Fuzzy Hash: 07D1E271902386CADB248F6AC855BFEB7B2EF07300F24011AEA019F794D7759D81EB91

Function 007361D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 006D0242: EnterCriticalSection.KERNEL32(0078070C,00781884,?,?,006C198B,00782518,?,?,?,006B12F9,00000000), ref: 006D024D
Part of subcall function 006D0242: LeaveCriticalSection.KERNEL32(0078070C,?,006C198B,00782518,?,?,?,006B12F9,00000000), ref: 006D028A

Part of subcall function 006D00A3: __onexit.LIBCMT ref: 006D00A9

__Init_thread_footer.LIBCMT ref: 00736238

Part of subcall function 006D01F8: EnterCriticalSection.KERNEL32(0078070C,?,?,006C8747,00782514), ref: 006D0202
Part of subcall function 006D01F8: LeaveCriticalSection.KERNEL32(0078070C,?,006C8747,00782514), ref: 006D0235

Part of subcall function 0072359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007235E4
Part of subcall function 0072359C: LoadStringW.USER32(00782390,?,00000FFF,?), ref: 0072360A

Strings

x#x, xrefs: 0073636F
x#x, xrefs: 0073633A
x#x, xrefs: 00736353

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#x$x#x$x#x
API String ID: 1072379062-3214113500
Opcode ID: 7824ebc449e081691d5e57292943956e50480595d856d4b0bbf533eceae24f29
Instruction ID: 4289fc5f6dfd03c1be4ca7999852ecf5d266e81119b21cc3953d7a295eec518c
Opcode Fuzzy Hash: 7824ebc449e081691d5e57292943956e50480595d856d4b0bbf533eceae24f29
Instruction Fuzzy Hash: AAC15D71A00109AFDB14DF98C891EBEB7BAFF48310F148069F9459B252DB78EA55CB90

Function 006E5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOk, xrefs: 006E5BA8, 006E5C6C

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID: JOk
API String ID: 0-801978910
Opcode ID: cb91a8bce686dd63c7334e4a4a4cdc721395bbc0ce37f45c34036ec8c654c65d
Instruction ID: a0c6cb8fd43ac988df283908f407fc2f13401c827442588e82386f5b8f79c232
Opcode Fuzzy Hash: cb91a8bce686dd63c7334e4a4a4cdc721395bbc0ce37f45c34036ec8c654c65d
Instruction Fuzzy Hash: 7351D171D027899BCB109FA6C855FEE7BBAAF05718F24005EF406A7292D6709A02CB65

Function 006E8A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 006E8B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 006E8B7A
__dosmaperr.LIBCMT ref: 006E8B81

Strings

.m, xrefs: 006E8A63

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .m
API String ID: 2434981716-2594521899
Opcode ID: 304c928107f00c7b9fbe01e1bcd9659d709a4a78fb49ff1ec19c949920acc78d
Instruction ID: d47a164335c27259c3e4dbefd035090107fa649332801ae30a13695d0c15c4cc
Opcode Fuzzy Hash: 304c928107f00c7b9fbe01e1bcd9659d709a4a78fb49ff1ec19c949920acc78d
Instruction Fuzzy Hash: A24160705052C5AFD7259F59CC81ABD7F97DF85304B2881ADF44D8B252DE358D038794

Function 00712716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0071B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007121D0,?,?,00000034,00000800,?,00000034), ref: 0071B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00712760

Part of subcall function 0071B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007121FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0071B3F8

Part of subcall function 0071B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0071B355
Part of subcall function 0071B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00712194,00000034,?,?,00001004,00000000,00000000), ref: 0071B365
Part of subcall function 0071B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00712194,00000034,?,?,00001004,00000000,00000000), ref: 0071B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007127CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0071281A

Strings

@, xrefs: 00712832

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: c7401fae535d300a0bac7e68152b8cd3431aa92053122b1dd795a4f3b59545da
Instruction ID: 534e85acddbecfd2667a27e912dfde69311fe05919a7277dda5b4423c6c45759
Opcode Fuzzy Hash: c7401fae535d300a0bac7e68152b8cd3431aa92053122b1dd795a4f3b59545da
Instruction Fuzzy Hash: 16413076900218BFDB10DFA8CD85ADEBBB8EF05700F108095FA55B7181DB746E95CB61

Function 006E172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 006E1769
_free.LIBCMT ref: 006E1834
_free.LIBCMT ref: 006E183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 006E1760, 006E1767, 006E1796, 006E17CE

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: bfca84f33aefd765d4577b034cd0aaefd5dfe8eecdc4a24d086cc8243e2386c7
Instruction ID: f10e67ab406912ba4da8eb8563b67721c6eb98d0cbab8b90f9e7cd72c102c66e
Opcode Fuzzy Hash: bfca84f33aefd765d4577b034cd0aaefd5dfe8eecdc4a24d086cc8243e2386c7
Instruction Fuzzy Hash: 9731C271A41398ABCB21DB9A9C85DDFBBFEEB86710B60416AF4009B311D6708E41DB94

Function 0071C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0071C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0071C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00781990,019055E0), ref: 0071C395

Strings

0, xrefs: 0071C2DF

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: b3e1b81ea89f0be44579039acf3710fc825d7dc558ab33a1ecced60f75fa8d06
Instruction ID: aa9b7e7bc657f84cb830930eacd07b2fc2022f0de589bd830935373821cf8874
Opcode Fuzzy Hash: b3e1b81ea89f0be44579039acf3710fc825d7dc558ab33a1ecced60f75fa8d06
Instruction Fuzzy Hash: 4241E231244301DFD721DF68D885B9ABBE4AF85320F108A1EF9A5972D1C738E984CB67

Function 00744416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0074CC08,00000000,?,?,?,?), ref: 007444AA
GetWindowLongW.USER32 ref: 007444C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007444D7

Strings

SysTreeView32, xrefs: 0074447C

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 8b99419717ab23b34a207bf56ed282339fd7e64d3120e610145b56d45da6e6c2
Instruction ID: 8c4c6e44e5fbbc696c6d1d633ef1e6db894e5e2d13797af2b542ed1ae281e53e
Opcode Fuzzy Hash: 8b99419717ab23b34a207bf56ed282339fd7e64d3120e610145b56d45da6e6c2
Instruction Fuzzy Hash: 0C31BE72200245AFDF618E78DC45FEA77A9EB09334F208319F979921D0D778EC60AB50

Function 00716E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00716EED
VariantCopyInd.OLEAUT32(?,?), ref: 00716F08
VariantClear.OLEAUT32(?), ref: 00716F12

Strings

*jq, xrefs: 00716E8B, 00716E90, 00716EF8

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jq
API String ID: 2173805711-1921767587
Opcode ID: 8d8c5211bf22b9e38feef07aa165fa31f634922f7df9aad3574e7342ab4f149d
Instruction ID: b340db38ce179194b3a28e26ed2143aa41be3b549c7a64f1e136e01839a0a0af
Opcode Fuzzy Hash: 8d8c5211bf22b9e38feef07aa165fa31f634922f7df9aad3574e7342ab4f149d
Instruction Fuzzy Hash: 9031A172604245DBCB05AFA8E8529FD37BEEF85700B100499F9025B2F1C7789992DB94

Function 0073304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0073335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00733077,?,?), ref: 00733378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0073307A
_wcslen.LIBCMT ref: 0073309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00733106

Strings

255.255.255.255, xrefs: 00733095, 0073309A

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 17a3136dcf953db5d0a98e890d711607c477ac0d4b7a3e8fe61a06e02626f3b4
Instruction ID: f7e323d8443e2af24623a64867d1a7c8109c07abac30362da3bd50c22ccc4355
Opcode Fuzzy Hash: 17a3136dcf953db5d0a98e890d711607c477ac0d4b7a3e8fe61a06e02626f3b4
Instruction Fuzzy Hash: 3E31C139604205DFEB24CF28C585EAA77E1EF14318F248059E9158F3A3DB3AEE81C760

Function 00743EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00743F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00743F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00743F78

Strings

SysMonthCal32, xrefs: 00743F0B

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: fea11accfe1acec790519ae0fb311e205f6632aeac7df5e946f7c50efc9a0ed1
Instruction ID: 1753b34d5a273b28fbb0ebdcf1b2eb23681c52a03f85428d67a05972c937d9ff
Opcode Fuzzy Hash: fea11accfe1acec790519ae0fb311e205f6632aeac7df5e946f7c50efc9a0ed1
Instruction Fuzzy Hash: 0A21BF32600219BBDF158F50CC46FEA3B79EF49724F114215FE196B1D0D7B9A954CB90

Function 00744653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00744705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00744713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0074471A

Strings

msctls_updown32, xrefs: 00744684

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 10ab6b57e4dd9fc64f890a984dfc1e0e050f7c8c34955f30c2e79bf2f0c17f06
Instruction ID: d7ae60587c7a2201a83ff6084ba10886b9ca865f3084b7d6fdc9bd3595b2cfcc
Opcode Fuzzy Hash: 10ab6b57e4dd9fc64f890a984dfc1e0e050f7c8c34955f30c2e79bf2f0c17f06
Instruction Fuzzy Hash: EC218CB5600209AFDB11DF64DC81DAB37ADEB4A3A4B114059FA009B351CB38EC12DB64

Function 007195AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0071961D

Strings

#notrayicon, xrefs: 007195B7
#requireadmin, xrefs: 007195D9
#OnAutoItStartRegister, xrefs: 007195F3

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 1098c37c23a2a9efbf329faffd3c08c173adf2d8448b7034b29366a932781739
Instruction ID: b702578dba601e1ba0d344d3e8bddf4be6fb1850f91e4f3ac137082d96dfdb98
Opcode Fuzzy Hash: 1098c37c23a2a9efbf329faffd3c08c173adf2d8448b7034b29366a932781739
Instruction Fuzzy Hash: 4721297250411066D331AB2D9822FF773EA9F91300F10402AFA49971C1EB59ADD2C2A9

Function 007437B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00743840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00743850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00743876

Strings

Listbox, xrefs: 0074380F

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 94b3641b0238720c41aadf58e2e40f02ae452c95619e81a307e9da12a1494474
Instruction ID: 8e91ba7258e291882d8d72a5ecf32b47f03c66e0c64fd14290aee346416d779c
Opcode Fuzzy Hash: 94b3641b0238720c41aadf58e2e40f02ae452c95619e81a307e9da12a1494474
Instruction Fuzzy Hash: 0C21D172600218BBEF228F54CC85FBB3B6EEF89760F118125F9489B190C779DC5287A0

Function 007249F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00724A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00724A5C
SetErrorMode.KERNEL32(00000000,?,?,0074CC08), ref: 00724AD0

Strings

%lu, xrefs: 00724A6F

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 2aee49619c00e33f27df7126ed989fa1897fb5413e9d4e541afbfc56d074eae3
Instruction ID: 696ccb0f929f39dc36f162792bd61c3d66d6d210becd685f919173ba0673d5f3
Opcode Fuzzy Hash: 2aee49619c00e33f27df7126ed989fa1897fb5413e9d4e541afbfc56d074eae3
Instruction Fuzzy Hash: 9731C1B5A00108AFDB50DF64C885EAA7BF9EF08308F1480A9F908DB352D775ED41CB61

Function 007441EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0074424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00744264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00744271

Strings

msctls_trackbar32, xrefs: 00744226

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: bf7e2607f26d633b2ba614e40eee909ab259b5d9ff89febb91947dd8bf8c82c5
Instruction ID: e26b6d41882e42cfe5f318a48efc739807fff24cef0556f24760f04ea8f0b37b
Opcode Fuzzy Hash: bf7e2607f26d633b2ba614e40eee909ab259b5d9ff89febb91947dd8bf8c82c5
Instruction Fuzzy Hash: 3C110671240208BEEF205F29CC06FAB3BACFF95B64F114524FA55E2090D7B5DC519B14

Function 00712F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006B6B57: _wcslen.LIBCMT ref: 006B6B6A

Part of subcall function 00712DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00712DC5
Part of subcall function 00712DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00712DD6
Part of subcall function 00712DA7: GetCurrentThreadId.KERNEL32 ref: 00712DDD
Part of subcall function 00712DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00712DE4

GetFocus.USER32 ref: 00712F78

Part of subcall function 00712DEE: GetParent.USER32(00000000), ref: 00712DF9

GetClassNameW.USER32(?,?,00000100), ref: 00712FC3
EnumChildWindows.USER32(?,0071303B), ref: 00712FEB

Strings

%s%d, xrefs: 00712FFF

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 3a9e89e6483764b3abc922ce607a5f1304b62fb0e24247ba59a55de37d2e3b54
Instruction ID: e8d0581fdff05cd03fb254b014fd7512ce1d38adc9197a07e314dd4907359aa6
Opcode Fuzzy Hash: 3a9e89e6483764b3abc922ce607a5f1304b62fb0e24247ba59a55de37d2e3b54
Instruction Fuzzy Hash: CA11D5B5300205ABDF857F64DC99EED37AAAF84304F048079B9099B292DF3859858B70

Function 00745882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007458C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007458EE
DrawMenuBar.USER32(?), ref: 007458FD

Strings

0, xrefs: 0074588F

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 33db88299158b557a967e0e245e414746dae0428f60e3f3adfefa19441b0a66d
Instruction ID: 2547adafbf1726b6c6eba43c3f40ed4e1f306b8be6a5991af17500add2d9aa8d
Opcode Fuzzy Hash: 33db88299158b557a967e0e245e414746dae0428f60e3f3adfefa19441b0a66d
Instruction Fuzzy Hash: 9F01C031500208EFDB619F11DC44FAEBBB5FF46760F10C09AE849DA152DB349A90EF20

Function 0071007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b752b50b017e3a0e2a184fa1e00ed819e668726723ac9cfad971a4d988cc09be
Instruction ID: 81d00949685df9441dc0e54262558d9011adfa164f8d1a14b06f7d7710e922a8
Opcode Fuzzy Hash: b752b50b017e3a0e2a184fa1e00ed819e668726723ac9cfad971a4d988cc09be
Instruction Fuzzy Hash: A4C18C75A0020AEFCB14CFA8C888AAEB7B5FF48714F108598E415EB291D774EDC1DB90

Function 0073342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00733459
CoUninitialize.OLE32 ref: 00733463
VariantInit.OLEAUT32(?), ref: 0073346E
VariantClear.OLEAUT32(?), ref: 0073371B

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: ec743a926b80e576661b9a5bb641850f7a2fa9a5bd9868d0f025756f2880c149
Instruction ID: 129b5de739fd80ff508cdbd9b8acb868da78a2c329b9d1eb8a286c795d5aa1af
Opcode Fuzzy Hash: ec743a926b80e576661b9a5bb641850f7a2fa9a5bd9868d0f025756f2880c149
Instruction Fuzzy Hash: FBA15BB5604210DFD760DF28C486A6AB7E5FF88314F04885DF98A9B362DB34EE41CB95

Function 00710436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0074FC08,?), ref: 007105F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0074FC08,?), ref: 00710608
CLSIDFromProgID.OLE32(?,?,00000000,0074CC40,000000FF,?,00000000,00000800,00000000,?,0074FC08,?), ref: 0071062D
_memcmp.LIBVCRUNTIME ref: 0071064E

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 3eb3246d3936722bed6fa1dfc5bd3cfc82162530f82de7b27b24f5b77b1f3f17
Instruction ID: abdfbac37840139190eec42ca55ce93543da78805adc6c73325e6a200e9dfe76
Opcode Fuzzy Hash: 3eb3246d3936722bed6fa1dfc5bd3cfc82162530f82de7b27b24f5b77b1f3f17
Instruction Fuzzy Hash: 97810F75900109EFCB04DF98C984DEEB7BAFF89315F104558F506AB250DB75AE86CBA0

Function 0073A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0073A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0073A6BA

Part of subcall function 006B9CB3: _wcslen.LIBCMT ref: 006B9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0073A79C
CloseHandle.KERNEL32(00000000), ref: 0073A7AB

Part of subcall function 006CCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,006F3303,?), ref: 006CCE8A

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 497727c7fb52a0e85ccdc4cd6d2d6ed84e8ab9da81f99460357342b76ba2d68f
Instruction ID: 33d73578f7359392650b351d5ddf2f4066cff284323d7e7e8189078c055d26cd
Opcode Fuzzy Hash: 497727c7fb52a0e85ccdc4cd6d2d6ed84e8ab9da81f99460357342b76ba2d68f
Instruction Fuzzy Hash: F2517FB1508300AFD350EF24C886EABBBE9FF89754F00891DF58597252EB34D944CB96

Function 006F1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006F14C0

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e8e6d340d334a79b75da288c0e12a3c2810189472953ee057dd43daefc10cf97
Instruction ID: f4bc31c672a6ab6846cb1e612b373928e454c88f3ee69140acdb871c24d00b47
Opcode Fuzzy Hash: e8e6d340d334a79b75da288c0e12a3c2810189472953ee057dd43daefc10cf97
Instruction Fuzzy Hash: 14412B31900208EBDB616FF99C456FE3AE7EF833B0F14422AF619DA392E634494153B5

Function 00746278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 007462E2
ScreenToClient.USER32(?,?), ref: 00746315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00746382

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: bf038644edd80aa3db6e7338185a218fcea31a6ef756565b1d7cd3b970bd6010
Instruction ID: 6149236404ab7314e087c9285a1514277164f6fd6d5fa0d3cad1518a5750d795
Opcode Fuzzy Hash: bf038644edd80aa3db6e7338185a218fcea31a6ef756565b1d7cd3b970bd6010
Instruction Fuzzy Hash: 6A516074A00249EFCF14DF68D8809AE7BB6FF46364F208259F9259B290D734ED81CB51

Function 00731AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00731AFD
WSAGetLastError.WSOCK32 ref: 00731B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00731B8A
WSAGetLastError.WSOCK32 ref: 00731B94

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 65c576d2b128ae67fcd7775266cb86aeab97adff9a69b1091d697be3639285d6
Instruction ID: 2d091fcfcc2d5a4b332d65fa40eb10077d93c508747b6baff0d6ea664fec6e50
Opcode Fuzzy Hash: 65c576d2b128ae67fcd7775266cb86aeab97adff9a69b1091d697be3639285d6
Instruction Fuzzy Hash: 6541B0B4600200AFE760AF24C886F6677E6AB44718F54C48CF91A9F6D3D776DD818B94

Function 006EB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 546b472cc0b81a86fda5eca5905d79a25835cf40d675f2cdb5721ba978570bbc
Instruction ID: cf8b047d6823d46f8d3c661af7685f25d4e4d434bc6b8b69240f3333d3acf0be
Opcode Fuzzy Hash: 546b472cc0b81a86fda5eca5905d79a25835cf40d675f2cdb5721ba978570bbc
Instruction Fuzzy Hash: D941D3B1A01384EFD7249F79CC41BABBBEAEB88710F10552EF542DB2C2D771A9018784

Function 007256D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00725783
GetLastError.KERNEL32(?,00000000), ref: 007257A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 007257CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 007257FA

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 1ba6f1b87425402b3dce9d5d9740ddceb37f284dc6289fbe674d75200d41ddcb
Instruction ID: 8e02f0be2b3aa021c9f74e9c1517fe23fbf6e358a9340803ee850b314bef38c7
Opcode Fuzzy Hash: 1ba6f1b87425402b3dce9d5d9740ddceb37f284dc6289fbe674d75200d41ddcb
Instruction Fuzzy Hash: C941417A600620DFCB21DF15C445A5DBBF2EF89320B18C488E84A5B362CB74FD40CB95

Function 006ED8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,006D6D71,00000000,00000000,006D82D9,?,006D82D9,?,00000001,006D6D71,?,00000001,006D82D9,006D82D9), ref: 006ED910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 006ED999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 006ED9AB
__freea.LIBCMT ref: 006ED9B4

Part of subcall function 006E3820: RtlAllocateHeap.NTDLL(00000000,?,00781444,?,006CFDF5,?,?,006BA976,00000010,00781440,006B13FC,?,006B13C6,?,006B1129), ref: 006E3852

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: ac012b9371c86bbcb9a5bca7d1aa1e5719d61118d6c28ae868567c9975ad3911
Instruction ID: b873375fe744805186e9619e4d69bfdb8ec40c57dd9b684463763812c7ae87a2
Opcode Fuzzy Hash: ac012b9371c86bbcb9a5bca7d1aa1e5719d61118d6c28ae868567c9975ad3911
Instruction Fuzzy Hash: 1931DC72A0124AABDF258F66DC45EEE7BA6EB41310F054169FC04DB292EB35CD50CBA4

Function 007452C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00745352
GetWindowLongW.USER32(?,000000F0), ref: 00745375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00745382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007453A8

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: f40cf645c33d41ba1581fbf7be196176bfc9951d2abd7e9b5114cf0796c511d1
Instruction ID: 3d724506e8c251019aace64e09d1736763856f21ceec0bce6a7633ff4ab9d6fd
Opcode Fuzzy Hash: f40cf645c33d41ba1581fbf7be196176bfc9951d2abd7e9b5114cf0796c511d1
Instruction Fuzzy Hash: 2831D634A55A0CEFEF319F14CC05FE87765AB05398F588142FA10961E2C7BC9D40DB46

Function 0071AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0071ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0071AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0071AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0071ACC6

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 6943d20ecf0fb9c2ce392110040d60a395d06287df58b087a0bfe0c1d2ae0d66
Instruction ID: eebafb818d2774281ab701e09f3938dd157f085f329c649e677268fe508a91f0
Opcode Fuzzy Hash: 6943d20ecf0fb9c2ce392110040d60a395d06287df58b087a0bfe0c1d2ae0d66
Instruction Fuzzy Hash: 9D31F630A01618BFEB35CF6D88097FA7BA6AB85310F04821AE485921D1D37D89C587F2

Function 00747674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0074769A
GetWindowRect.USER32(?,?), ref: 00747710
PtInRect.USER32(?,?,00748B89), ref: 00747720
MessageBeep.USER32(00000000), ref: 0074778C

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: ca74b375d1e730e17b435c297cdd9a53460a21ab328632b0ca90b8447d3aad41
Instruction ID: 137e0a6b50cc383767835fecb26ff5b3c013521b24652f090812da5bd9c65fcd
Opcode Fuzzy Hash: ca74b375d1e730e17b435c297cdd9a53460a21ab328632b0ca90b8447d3aad41
Instruction Fuzzy Hash: 7B41C338605254DFCB16CF58C894EA9B7F9FF49314F9680A9E514DB261C738E942CF90

Function 007416DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 007416EB

Part of subcall function 00713A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00713A57
Part of subcall function 00713A3D: GetCurrentThreadId.KERNEL32 ref: 00713A5E
Part of subcall function 00713A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007125B3), ref: 00713A65

GetCaretPos.USER32(?), ref: 007416FF
ClientToScreen.USER32(00000000,?), ref: 0074174C
GetForegroundWindow.USER32 ref: 00741752

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: c3637cd8d654135c96d538f952cb8365c0e06e3bf6ce255d001a52dcde21b16b
Instruction ID: bc9d1959dd1b2a7988beea6c13a69ea385e111479bdba65a608aa548d75b31e5
Opcode Fuzzy Hash: c3637cd8d654135c96d538f952cb8365c0e06e3bf6ce255d001a52dcde21b16b
Instruction Fuzzy Hash: F93130B5D00149AFC741EFA9C885CEEBBFDEF88304B5480AAE415E7211D7359E85CBA4

Function 00748FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006C9BB2

GetCursorPos.USER32(?), ref: 00749001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00707711,?,?,?,?,?), ref: 00749016
GetCursorPos.USER32(?), ref: 0074905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00707711,?,?,?), ref: 00749094

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 019e61ac31ef7140a2f48840edb8988cd17e27f6b45cc7dc04d039dfc03d40b6
Instruction ID: ccef8f06b41f2d749668158fb65b509b62200eb45ddfdd76ca8004d1baa90304
Opcode Fuzzy Hash: 019e61ac31ef7140a2f48840edb8988cd17e27f6b45cc7dc04d039dfc03d40b6
Instruction Fuzzy Hash: 9B219F35601018EFDB26CF94C859EFBBBB9EB4A350F148069FA0547271C739AD51DB60

Function 0071D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0074CB68), ref: 0071D2FB
GetLastError.KERNEL32 ref: 0071D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0071D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0074CB68), ref: 0071D376

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 5e20cfd47c9976e828b1b7b6ec26bed078011a01aa712280225dab9898886cd7
Instruction ID: 89062262b3ad29e06d83a796968747cbe02fb0ab06ac4f0be18c8e12d209292c
Opcode Fuzzy Hash: 5e20cfd47c9976e828b1b7b6ec26bed078011a01aa712280225dab9898886cd7
Instruction Fuzzy Hash: 5F2180B4505201DF8764DF28C8814AA77E4EE56324F104A1DF4A9C32E1DB34DD86CF97

Function 00711571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00711014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0071102A
Part of subcall function 00711014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00711036
Part of subcall function 00711014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00711045
Part of subcall function 00711014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0071104C
Part of subcall function 00711014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00711062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007115BE
_memcmp.LIBVCRUNTIME ref: 007115E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00711617
HeapFree.KERNEL32(00000000), ref: 0071161E

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: bbe472b05b811e4e265cbaf54685f00a63ea24b2ba623a13e7f655c5cbe32a81
Instruction ID: 4f7f97e203bdc07641ac53929e50ba941eeb10db0e0555185068b6c3cc74ec68
Opcode Fuzzy Hash: bbe472b05b811e4e265cbaf54685f00a63ea24b2ba623a13e7f655c5cbe32a81
Instruction Fuzzy Hash: 3721B371E01108EFDF00DFA8C945BEEB7B9EF85344F498459E541AB281EB39AE45CB50

Function 00742782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0074280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00742824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00742832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00742840

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 6198f342da4ae1aac16152ef8708afd7dc622b36e0672b6129e809373944d226
Instruction ID: 1f244d6595fe565200463da1b1a253b707a1871001b69b36a80307bffc9d0c62
Opcode Fuzzy Hash: 6198f342da4ae1aac16152ef8708afd7dc622b36e0672b6129e809373944d226
Instruction Fuzzy Hash: FF210635305110AFD7159B24C844FAA7799AF45324F148158F8268B2D3CB79FC92CB90

Function 007178F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00718D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0071790A,?,000000FF,?,00718754,00000000,?,0000001C,?,?), ref: 00718D8C
Part of subcall function 00718D7D: lstrcpyW.KERNEL32(00000000,?,?,0071790A,?,000000FF,?,00718754,00000000,?,0000001C,?,?,00000000), ref: 00718DB2
Part of subcall function 00718D7D: lstrcmpiW.KERNEL32(00000000,?,0071790A,?,000000FF,?,00718754,00000000,?,0000001C,?,?), ref: 00718DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00718754,00000000,?,0000001C,?,?,00000000), ref: 00717923
lstrcpyW.KERNEL32(00000000,?,?,00718754,00000000,?,0000001C,?,?,00000000), ref: 00717949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00718754,00000000,?,0000001C,?,?,00000000), ref: 00717984

Strings

cdecl, xrefs: 0071797B

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 590b497b647293d51d19c2767a1f4f8f13dba04167e87087b868e406e099da64
Instruction ID: 203976b40e13309cf51cd29dc40ce24424e558d600cc429ea1ef1a8a3882281f
Opcode Fuzzy Hash: 590b497b647293d51d19c2767a1f4f8f13dba04167e87087b868e406e099da64
Instruction Fuzzy Hash: A511063A200301ABCB159F38D844EBA77B9FF89750B10802AF946C72A4EB359841C795

Function 00747CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00747D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00747D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00747D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0072B7AD,00000000), ref: 00747D6B

Part of subcall function 006C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006C9BB2

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 1e1287278b7f5d9496a9de637806f8c6aaa0a2a83fe687d24078a54420fae026
Instruction ID: d8db3d736af625779ecfc794c2ab162562ec9d666ff5775acbe25d6a8e08f415
Opcode Fuzzy Hash: 1e1287278b7f5d9496a9de637806f8c6aaa0a2a83fe687d24078a54420fae026
Instruction Fuzzy Hash: FD11D231615614AFCB149F28CC04A7A3BA9AF46360B218324F839CB2F0E7389D11CB54

Function 00745660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 007456BB
_wcslen.LIBCMT ref: 007456CD
_wcslen.LIBCMT ref: 007456D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00745816

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: e6607cf6ac0a7d48916fbb4004351ec20a472a3da09a5a1e1c637e1889158c8a
Instruction ID: d485d98f0e08ac46c972f89dbb29b74feb4613a45fb0805ddbe7fd7c80ef3095
Opcode Fuzzy Hash: e6607cf6ac0a7d48916fbb4004351ec20a472a3da09a5a1e1c637e1889158c8a
Instruction Fuzzy Hash: 96110675A00604A7DB209F75CC85EEE376CEF12760B50806AF905DA082EB78D980CB65

Function 006E1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43130814d0719f008764897e67b5860bfaf62e0b47fd100f186425e89e38dba7
Instruction ID: 24d921619d7b78807425ae47d7d32d3389c1b8601d8de59f38f93a6ed0d94bc1
Opcode Fuzzy Hash: 43130814d0719f008764897e67b5860bfaf62e0b47fd100f186425e89e38dba7
Instruction Fuzzy Hash: 8A01F2B220B78A3EF651167A6CC1FA7261FDF827B8B34032AF520592D2DB748C006174

Function 00711A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00711A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00711A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00711A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00711A8A

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3f6adfe94d57c15eaebe163b2377241aaac9bc9e4d0d11272fc9909a0dc2cbe8
Instruction ID: e431778e5264896f6fe0655e331e8db2cddcc12e74f53c35bcd86dde834ba082
Opcode Fuzzy Hash: 3f6adfe94d57c15eaebe163b2377241aaac9bc9e4d0d11272fc9909a0dc2cbe8
Instruction Fuzzy Hash: 0711FA3A901219FFEB119BA9CD85FEDBB78EF04750F604091EA04B7290D6716E50DB94

Function 0071E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0071E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0071E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0071E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0071E24D

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: daf4cad46e0c990c743de76a40371eeee5629c806c0c997f27eb281698e1fc74
Instruction ID: f07a3c3ceb2a8f62c6af499a998ba28ca2eb24cd50e4d425e8c32e1c29507fdc
Opcode Fuzzy Hash: daf4cad46e0c990c743de76a40371eeee5629c806c0c997f27eb281698e1fc74
Instruction Fuzzy Hash: 86112B76E04258BBC7019FAC9C05ADE7FACAB46310F108216FD14D32D1D3B8CD0087A4

Function 006DD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,006DCFF9,00000000,00000004,00000000), ref: 006DD218
GetLastError.KERNEL32 ref: 006DD224
__dosmaperr.LIBCMT ref: 006DD22B
ResumeThread.KERNEL32(00000000), ref: 006DD249

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 4c140bf5899cdf3d2c581232ae72df78ed9f600ea93ad37163187d5fc20fc403
Instruction ID: 458c7c6bb6cf5dad3f7421826242a1c8a1cf602598773004ba95cdda727292bc
Opcode Fuzzy Hash: 4c140bf5899cdf3d2c581232ae72df78ed9f600ea93ad37163187d5fc20fc403
Instruction Fuzzy Hash: DC01D636C052087BCB516FA5DC05BEA7A6FDF82330F10421FF925923D0CB718A01C6A5

Function 00749EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 006C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006C9BB2

GetClientRect.USER32(?,?), ref: 00749F31
GetCursorPos.USER32(?), ref: 00749F3B
ScreenToClient.USER32(?,?), ref: 00749F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00749F7A

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: c681c1ffb8ec80a3691706ed05bd123775342b9a3d65fcbeef8ec5aa4a08b0a2
Instruction ID: 438da901a87a7e5efd37ff72b968c01c358ca4ece808da77a083605675eb6a3b
Opcode Fuzzy Hash: c681c1ffb8ec80a3691706ed05bd123775342b9a3d65fcbeef8ec5aa4a08b0a2
Instruction Fuzzy Hash: 1E11883690111AEBDB01DF68C84A9EFB7B8FB06311F104455FA01E3040C338BE86CBA5

Function 006B600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006B604C
GetStockObject.GDI32(00000011), ref: 006B6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 006B606A

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: b1cf7d04436fd1b407e15104c005d543a79140cec244076eb181c2d0a7e29ab8
Instruction ID: d269780dd1356449710b957280ad83ee81491c28810572797781c1f793bee334
Opcode Fuzzy Hash: b1cf7d04436fd1b407e15104c005d543a79140cec244076eb181c2d0a7e29ab8
Instruction Fuzzy Hash: 0811A1B2102508BFEF125F95CD44EFA7B6AEF09364F004106FA0452120D73A9CA0DB90

Function 006D3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 006D3B56

Part of subcall function 006D3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 006D3AD2
Part of subcall function 006D3AA3: ___AdjustPointer.LIBCMT ref: 006D3AED

_UnwindNestedFrames.LIBCMT ref: 006D3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 006D3B7C
CallCatchBlock.LIBVCRUNTIME ref: 006D3BA4

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 217eff2915417b57b57933b635f3cf55f6045c66385598f6622b4ee9f6de400c
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 1F012932900148BBDF125F95CC46EEB3B6AEF58794F04401AFE4856321C732E961EBA5

Function 006E3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,006B13C6,00000000,00000000,?,006E301A,006B13C6,00000000,00000000,00000000,?,006E328B,00000006,FlsSetValue), ref: 006E30A5
GetLastError.KERNEL32(?,006E301A,006B13C6,00000000,00000000,00000000,?,006E328B,00000006,FlsSetValue,00752290,FlsSetValue,00000000,00000364,?,006E2E46), ref: 006E30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,006E301A,006B13C6,00000000,00000000,00000000,?,006E328B,00000006,FlsSetValue,00752290,FlsSetValue,00000000), ref: 006E30BF

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 23ff62d0855aeb1add960c218bc643c026c902449acdfebdc05eebe3d17f5e3f
Instruction ID: 38949c27ebf04d83a129cb4ab8ea0d6cb1d5b8d8d768103e2cc2d1448f9df9b9
Opcode Fuzzy Hash: 23ff62d0855aeb1add960c218bc643c026c902449acdfebdc05eebe3d17f5e3f
Instruction Fuzzy Hash: B9012036303372ABCB318B7B9C4C9A77799AF46771B204621F905D7340C725D901C6E4

Function 00717464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0071747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00717497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 007174AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 007174CA

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 1f06d14e3caf7ad8842e944a7fc37a058d1cc571bd96124ca8c49903c65a55f6
Instruction ID: ca9e51f99fcc8b08cf68659c8cc32397a6a9a28a7fd88f5213a80cfe99583821
Opcode Fuzzy Hash: 1f06d14e3caf7ad8842e944a7fc37a058d1cc571bd96124ca8c49903c65a55f6
Instruction Fuzzy Hash: CE11A1B52063549BE7208F5CDD08BD27FFCEB00B10F10856AAA56D6191D778E984DB50

Function 0071B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0071ACD3,?,00008000), ref: 0071B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0071ACD3,?,00008000), ref: 0071B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0071ACD3,?,00008000), ref: 0071B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0071ACD3,?,00008000), ref: 0071B126

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 890e59eee227314297ab8b35748ede0f29020ddd6b4e057449e1bfd2ddb37a3e
Instruction ID: 9a1afa3c92f31aefc618a33f4d6ec7ecf3781dbbd85bc53a44793bbd75275764
Opcode Fuzzy Hash: 890e59eee227314297ab8b35748ede0f29020ddd6b4e057449e1bfd2ddb37a3e
Instruction Fuzzy Hash: 99116171C0151CE7CF009FE8D9596FEBB78FF0A711F11808AD951B2181CB389A909B55

Function 00747E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00747E33
ScreenToClient.USER32(?,?), ref: 00747E4B
ScreenToClient.USER32(?,?), ref: 00747E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00747E8A

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 2c7049a44d172a931365d39e808c211e0ec4d54b21568509894b45384fbb76f7
Instruction ID: d11ede347ae8e720a9295574722d6fff409826e3ceea58d8c513f7c74b06677b
Opcode Fuzzy Hash: 2c7049a44d172a931365d39e808c211e0ec4d54b21568509894b45384fbb76f7
Instruction Fuzzy Hash: 251153B9D0020AAFDB41CF98C884AEEBBF9FF09310F509166E915E3210D735AA54CF95

Function 00712DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00712DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00712DD6
GetCurrentThreadId.KERNEL32 ref: 00712DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00712DE4

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 811e1963b461a6ba2e0b25614e8a044efbaf5e02ddf2a79b8cb38106af4f1817
Instruction ID: 4458b17f4b3ba2ed9b65f4a6395868178d69e9573b60b904ce87e7c4115838eb
Opcode Fuzzy Hash: 811e1963b461a6ba2e0b25614e8a044efbaf5e02ddf2a79b8cb38106af4f1817
Instruction Fuzzy Hash: A1E092752022287BD7211BB6EC0EFEB3E6CEF43BA1F018016F105D10C19BA8C881C6B2

Function 00748863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 006C9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 006C9693
Part of subcall function 006C9639: SelectObject.GDI32(?,00000000), ref: 006C96A2
Part of subcall function 006C9639: BeginPath.GDI32(?), ref: 006C96B9
Part of subcall function 006C9639: SelectObject.GDI32(?,00000000), ref: 006C96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00748887
LineTo.GDI32(?,?,?), ref: 00748894
EndPath.GDI32(?), ref: 007488A4
StrokePath.GDI32(?), ref: 007488B2

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 646f3ce1740c53a29f6ae19eed8469db91d680e9c8fe9417a1cce3fe241c33ca
Instruction ID: e99c9a0d1903c2a30d60196c698bdb1aff11a9d21047b2f5096547ce3bb9d0f2
Opcode Fuzzy Hash: 646f3ce1740c53a29f6ae19eed8469db91d680e9c8fe9417a1cce3fe241c33ca
Instruction Fuzzy Hash: 13F03A3A042258BAEB535F94AC09FDE3A59AF06310F54C101FA11651E2C7795511CBAD

Function 006C98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 006C98CC
SetTextColor.GDI32(?,?), ref: 006C98D6
SetBkMode.GDI32(?,00000001), ref: 006C98E9
GetStockObject.GDI32(00000005), ref: 006C98F1

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 21318a7cda3f706ac3b4a32e02bca9cc3f6231497f528a50c46019a943bb9ca4
Instruction ID: a5518ed5b51a89fffab703f3af86e8b63842024b0395e599f84f69b5c5bd246a
Opcode Fuzzy Hash: 21318a7cda3f706ac3b4a32e02bca9cc3f6231497f528a50c46019a943bb9ca4
Instruction Fuzzy Hash: E8E0ED35640284EAEB220B34AC08BE83F60EB02332F04C31AF6FA580E1C7794650CB20

Function 0071162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00711634
OpenThreadToken.ADVAPI32(00000000,?,?,?,007111D9), ref: 0071163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,007111D9), ref: 00711648
OpenProcessToken.ADVAPI32(00000000,?,?,?,007111D9), ref: 0071164F

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 32188f3f2068c99f557e17dde1506ceb6bde373229bd203d855ff150835751d9
Instruction ID: 7fd2e17f672ec9235ec145b8810f029089450276101d17eed877bff17f2daf4f
Opcode Fuzzy Hash: 32188f3f2068c99f557e17dde1506ceb6bde373229bd203d855ff150835751d9
Instruction Fuzzy Hash: D8E04F356022119BD7A01FA49E0DB863B78AF46791F158809F345C90A0DB6C44808B58

Function 0070D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0070D858
GetDC.USER32(00000000), ref: 0070D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0070D882
ReleaseDC.USER32(?), ref: 0070D8A3

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 8552ed186f19d25d9fb6517fe80c91185c783995045db38c4afab1a3faccbd84
Instruction ID: faa35a145544b3cd0f569de133e4c01535bda8a804f287bd7d9cdbd14e28cd8f
Opcode Fuzzy Hash: 8552ed186f19d25d9fb6517fe80c91185c783995045db38c4afab1a3faccbd84
Instruction Fuzzy Hash: D9E01AB8801204DFCB929FA0D808A6DBBB6FB09310F11C05AF806E7260C73C8941AF45

Function 0070D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0070D86C
GetDC.USER32(00000000), ref: 0070D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0070D882
ReleaseDC.USER32(?), ref: 0070D8A3

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 6e8d7946be8133993404a151731447d0954c85f3ddff549de94efac8512a84a9
Instruction ID: 5fcfd1e2006b78ac14406d3e765243db0d65d0f86b15f9c3254f802dfd628400
Opcode Fuzzy Hash: 6e8d7946be8133993404a151731447d0954c85f3ddff549de94efac8512a84a9
Instruction Fuzzy Hash: 88E01AB8801200DFCB929FA0D80866DBBB6FB08310B11C04AF906E7260C73C99019F45

Function 00724D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 006B7620: _wcslen.LIBCMT ref: 006B7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00724ED4

Strings

LPT, xrefs: 00724DFB
*, xrefs: 00724E10

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 63cea8ce1b03a50d8e43bbeca787b2b143ede141077e44d7b7106715f02c5088
Instruction ID: 87ac5c36127ee9db92d0fe3d90362a8274f71ba75620ab8f62fe2280f4b5bf89
Opcode Fuzzy Hash: 63cea8ce1b03a50d8e43bbeca787b2b143ede141077e44d7b7106715f02c5088
Instruction Fuzzy Hash: CF917175A002149FDB14DF58D584EA9BBF1BF84304F19809DE40A9F3A2D735EE85CB91

Function 006DE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 006DE30D

Strings

pow, xrefs: 006DE2E5, 006DE302

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: c3de87d80be4f79a38e86faee7335ff2b4c7d701768a7c2101a967a1e6f2f0fd
Instruction ID: a6f462991ef1baa527095ccfca9c0c294099769a9018a4436b45c536495b1202
Opcode Fuzzy Hash: c3de87d80be4f79a38e86faee7335ff2b4c7d701768a7c2101a967a1e6f2f0fd
Instruction Fuzzy Hash: 66518F61E0D34296CB157715DD013F93BABDF40741F30899AE0D54A3E9EB368C929A8A

Function 00737771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0070569E,00000000,?,0074CC08,?,00000000,00000000), ref: 007378DD

Part of subcall function 006B6B57: _wcslen.LIBCMT ref: 006B6B6A

CharUpperBuffW.USER32(0070569E,00000000,?,0074CC08,00000000,?,00000000,00000000), ref: 0073783B

Strings

<sw, xrefs: 007377C8

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <sw
API String ID: 3544283678-407046988
Opcode ID: 072c729fb563e0269b41fb85013de5102485013c6aaf5b14ab450dbe3a0a3cbc
Instruction ID: f8e8995ea0f71b9bc8b2d5dcbbd5e6d4d2e993c6bd0421050fd3e0b845e0668d
Opcode Fuzzy Hash: 072c729fb563e0269b41fb85013de5102485013c6aaf5b14ab450dbe3a0a3cbc
Instruction Fuzzy Hash: A5615EB2914128EADF58EBE4CC91DFDB3B5BF14300F444129F542A7192EF386A85DBA4

Function 006CE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 006CE1B1

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: fd4ff5a0d3af0f9d3f5e35c6ab0280af87510b39c12aa31534b66ad1e05ecb26
Instruction ID: 3106c0aac32cfbfc0dc4272646a10b6a9906d8d292d0b76a2729b9776dd5583b
Opcode Fuzzy Hash: fd4ff5a0d3af0f9d3f5e35c6ab0280af87510b39c12aa31534b66ad1e05ecb26
Instruction Fuzzy Hash: CD513675600246DFDB29DF28C081BFA7BF6EF15310F248559E8919B2C0D7389E42CBA0

Function 006CF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 006CF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 006CF2BB

Strings

@, xrefs: 006CF2AF

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 6bd607f2af1b2dffddb5a450d1e6821317907104c96cc49aad0f38ff22f192ea
Instruction ID: 0ff0decb43e7dc4ab508df73f16f3a8b4d16c145c3df29244664cbda75609256
Opcode Fuzzy Hash: 6bd607f2af1b2dffddb5a450d1e6821317907104c96cc49aad0f38ff22f192ea
Instruction Fuzzy Hash: 1C5125B14087449BD360AF10D886BABBBF9FFC4310F81885DF199811A5EB709569CB6A

Function 00735745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 007357E0
_wcslen.LIBCMT ref: 007357EC

Strings

CALLARGARRAY, xrefs: 007357E6, 007357EB

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 7cbad970585b1bd9cd3004504674f60d9db2e359c2334e04b5b52647072a13ac
Instruction ID: a0b2cd7153f685f66ab05f2ec37ef40dd338c7b3d11b250ffa254c8e3dfa6250
Opcode Fuzzy Hash: 7cbad970585b1bd9cd3004504674f60d9db2e359c2334e04b5b52647072a13ac
Instruction Fuzzy Hash: C9418D71A00209DFDB14DFA9C8859FEBBB5EF59320F10806DE505A7292E7389D81CBA0

Function 0072D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0072D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0072D13A

Strings

|, xrefs: 0072D10B

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: b5db48b026c068da9ca7484e5a936f618d68f64c363cf1c76522ffe9c3e042f2
Instruction ID: 2a398cf6cc11a9f87ffcb93634e4b251c39ab0cfdb7a0dc2ad37d6c8c5403332
Opcode Fuzzy Hash: b5db48b026c068da9ca7484e5a936f618d68f64c363cf1c76522ffe9c3e042f2
Instruction Fuzzy Hash: BE315071D00219AFCF55EFA4DC85AEE7FBAFF04304F100019F915A6162E735A956CB54

Function 0074356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00743621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0074365C

Strings

static, xrefs: 007435BC

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 218fdbd3a859a7d28a7cea5987cca409a0587afdfca2d417ee2ceb097dd5756b
Instruction ID: af4ef99cd26250a427f487070544580240edf054a143ee653a9b65a8cf701de6
Opcode Fuzzy Hash: 218fdbd3a859a7d28a7cea5987cca409a0587afdfca2d417ee2ceb097dd5756b
Instruction Fuzzy Hash: B0318B71100204AAEB109F38DC81EFB73A9FF88720F11861DF8A997280DB38AD91C765

Function 00744537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0074461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00744634

Strings

', xrefs: 0074458E

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 0d74d3d4a1e1341cbeafa6ae3bfe4987483ec85f24706b5ef29e60e5ea3e72ca
Instruction ID: bc28a42118f61eba283b933808722b5daf1cdc8c679377cf2e2f4167ce5a022a
Opcode Fuzzy Hash: 0d74d3d4a1e1341cbeafa6ae3bfe4987483ec85f24706b5ef29e60e5ea3e72ca
Instruction Fuzzy Hash: 683136B4A0120A9FDF14CFA9C981BDABBB5FF09300F11406AE904AB381D774A951DF90

Function 007431EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0074327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00743287

Strings

Combobox, xrefs: 00743249

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 98e047642713f3c924bbb0a71bed32f9fffb99dc9e200b2c2fc5cf20664b27d3
Instruction ID: e3f26c7c5ff7ebb897440e1235813267033e130c049f3e2042cb25fdb6a08eae
Opcode Fuzzy Hash: 98e047642713f3c924bbb0a71bed32f9fffb99dc9e200b2c2fc5cf20664b27d3
Instruction Fuzzy Hash: EC11B271300208BFFF259E54DC85EBB376AFB953A4F104129F91897290D7B99D518760

Function 00743710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 006B600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006B604C
Part of subcall function 006B600E: GetStockObject.GDI32(00000011), ref: 006B6060
Part of subcall function 006B600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 006B606A

GetWindowRect.USER32(00000000,?), ref: 0074377A
GetSysColor.USER32(00000012), ref: 00743794

Strings

static, xrefs: 00743757

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 740bf5e863857d2f7ebcb1f81dfc903075ffd4e481751904b70fed1296781d0b
Instruction ID: 23c2713db3a88c90529d8ca0ec84d5fa40b4d61cbd8e851acd1e255f19f7b8a0
Opcode Fuzzy Hash: 740bf5e863857d2f7ebcb1f81dfc903075ffd4e481751904b70fed1296781d0b
Instruction Fuzzy Hash: D31129B2610209AFDB01DFA8CC46AFA7BB8EB09314F004515F995E2250D739E8519B50

Function 0072CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0072CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0072CDA6

Strings

<local>, xrefs: 0072CD66

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: d916f27bc88ff450df5348ecacb0e3d53a7560da535cdeefe731293c47a52e91
Instruction ID: 117e4fcd77672dd1571c883accc5baf3cd8495700ec130cf42200a803b0d8a91
Opcode Fuzzy Hash: d916f27bc88ff450df5348ecacb0e3d53a7560da535cdeefe731293c47a52e91
Instruction Fuzzy Hash: 1911C6753056317AD7364B669C45EFBBE6CEF237A4F004226B10983180D7789845D6F0

Function 00743429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 007434AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007434BA

Strings

edit, xrefs: 0074348F

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 747e606118c662ead5f21dd137dd8b4d24570863844d5075eebd044cef76e4f9
Instruction ID: 572df542c9e519475d3e8ceb7bcbee76de60757557a85dab59337bbd3349556b
Opcode Fuzzy Hash: 747e606118c662ead5f21dd137dd8b4d24570863844d5075eebd044cef76e4f9
Instruction Fuzzy Hash: 4911CE71200248AFEB528E68DC44AFB376AEF15374F608324F968931E0C739EC919B64

Function 00716C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 006B9CB3: _wcslen.LIBCMT ref: 006B9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00716CB6
_wcslen.LIBCMT ref: 00716CC2

Strings

STOP, xrefs: 00716CBC, 00716CC1

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: d0943e978cdb8d0774c5ff5efd39c10170cadff2d05ee69d1d94ef64cb9d5a7c
Instruction ID: 8d6ab65dbf2283e22bd8757de6d3daad6dea4ef3368f9011c3124fab41c68ad3
Opcode Fuzzy Hash: d0943e978cdb8d0774c5ff5efd39c10170cadff2d05ee69d1d94ef64cb9d5a7c
Instruction Fuzzy Hash: 3A01C432B005268BCB21AFBDDC909FF77B5EA617107500929E852961D0EB39E980C7A0

Function 00711CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006B9CB3: _wcslen.LIBCMT ref: 006B9CBD

Part of subcall function 00713CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00713CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00711D4C

Strings

ListBox, xrefs: 00711D16
ComboBox, xrefs: 00711CEB

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 3959537b629a2537abc11ba282270cf3dd5889f3587f410a69c7d7620b4b7908
Instruction ID: 798159bfed9eae1ddc64c95605a0c29cada89cdcc4ce5845f6fef248fdd0d8e3
Opcode Fuzzy Hash: 3959537b629a2537abc11ba282270cf3dd5889f3587f410a69c7d7620b4b7908
Instruction Fuzzy Hash: 040128B1701218AB8B08EFA8DC55CFE7779EB02350B500919F9725B2D1EA385988C770

Function 00711BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006B9CB3: _wcslen.LIBCMT ref: 006B9CBD

Part of subcall function 00713CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00713CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00711C46

Strings

ListBox, xrefs: 00711C10
ComboBox, xrefs: 00711BE5

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 104342efc0b900ee2000cd730e980d5cd63b00dd9d0c407b543be1895e0e6ff0
Instruction ID: a2c82ad96f38ecd333182d9dfef2e8cdaff99fd5d619cabe404d54e37f30bce5
Opcode Fuzzy Hash: 104342efc0b900ee2000cd730e980d5cd63b00dd9d0c407b543be1895e0e6ff0
Instruction Fuzzy Hash: 9101F7B5781108A7CF08EF94C951DFF77B89B12340F500419AA16672C1EA289E8887F5

Function 00711C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006B9CB3: _wcslen.LIBCMT ref: 006B9CBD

Part of subcall function 00713CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00713CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00711CC8

Strings

ListBox, xrefs: 00711C94
ComboBox, xrefs: 00711C69

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: cff864fcbd80918889e09a2ae58e9e51380aee5c40f98f6812f739cfb55a7117
Instruction ID: ad4c3b1e87b917d267962e732f65359394a0fa32eed462034af28be4c89145f2
Opcode Fuzzy Hash: cff864fcbd80918889e09a2ae58e9e51380aee5c40f98f6812f739cfb55a7117
Instruction Fuzzy Hash: C101D6F568111867CF04EFA8CA41EFF77A89B12380F540419BA06772C1EA689F88C7F5

Function 006CA4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 006CA529

Part of subcall function 006B9CB3: _wcslen.LIBCMT ref: 006B9CBD

Strings

,%x, xrefs: 006CA509
3yp, xrefs: 006CA545, 006CA54D, 006CA552

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%x$3yp
API String ID: 2551934079-2889311038
Opcode ID: dc48f5cc4255deb78e24b7f95670392888928fb9f8f745736deb4bf589fb811b
Instruction ID: fd711dd4a796c346e99a2af753f519ebe854cc69f11b7ec48b612937d38cbdf0
Opcode Fuzzy Hash: dc48f5cc4255deb78e24b7f95670392888928fb9f8f745736deb4bf589fb811b
Instruction Fuzzy Hash: 93012431A8021897C504F3E89C57FBD3366DB04714F90806CF601573C2DE549D428B9A

Function 00711D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006B9CB3: _wcslen.LIBCMT ref: 006B9CBD

Part of subcall function 00713CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00713CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00711DD3

Strings

ListBox, xrefs: 00711DA0
ComboBox, xrefs: 00711D75

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 0c34d8a0e86cbc75f878a559a088d5e6ea501dfe898067ac1c6b2618622b0b1f
Instruction ID: 8da0d0356d02f3196a1d0d5500790874686197fab496cf1b8ae800e1e8a71ed6
Opcode Fuzzy Hash: 0c34d8a0e86cbc75f878a559a088d5e6ea501dfe898067ac1c6b2618622b0b1f
Instruction Fuzzy Hash: 6BF02DB1B4121867CB04F7A8DC51FFF7778AB02740F440D19B962672C1EB68594883B4

Function 00748172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00783018,0078305C), ref: 007481BF
CloseHandle.KERNEL32 ref: 007481D1

Strings

\0x, xrefs: 0074818A

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0x
API String ID: 3712363035-461357371
Opcode ID: 95f75288e2dc42d1478353055180f943d66334a98913096b8bb7cc40f44097a2
Instruction ID: 877d899ccf4036572ac7d4a99037a8459d0dfc444609c1beea961de2b7fa005e
Opcode Fuzzy Hash: 95f75288e2dc42d1478353055180f943d66334a98913096b8bb7cc40f44097a2
Instruction Fuzzy Hash: C5F054B1680304BAF2606B69AC45F773A5DDB05B54F108426BB08D51A1D67E9A0093BD

Function 0073747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00737493
_wcslen.LIBCMT ref: 007374B9

Strings

3, 3, 16, 1, xrefs: 00737483

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: f45031534be1af5a68a1e65e2d495474e0c3d0961bfaadae1804cff3e6076cd6
Instruction ID: 360d39f43f858df81b4870cf2fd196b8e7e556e98f2db8bbf1e44a812154d2e3
Opcode Fuzzy Hash: f45031534be1af5a68a1e65e2d495474e0c3d0961bfaadae1804cff3e6076cd6
Instruction Fuzzy Hash: 8CE02B826043A061A279137A9CC197F578ACFC9790B10182FF9C5C6367EEA89D91D3E4

Function 00710B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00710B23

Strings

AutoIt, xrefs: 00710B17
Error allocating memory., xrefs: 00710B1C

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 43aec69ad5c955553a5378dddc9d07acd2a08cf29de70efdf485ae5b527901af
Instruction ID: c1035ce349ee6a431ce7d1d75bb0545d7a402b451510614c768ff913ad40dce2
Opcode Fuzzy Hash: 43aec69ad5c955553a5378dddc9d07acd2a08cf29de70efdf485ae5b527901af
Instruction Fuzzy Hash: 03E0927128531837D2913794AC03FD97B86CF05B50F10442EF748555C38BE5689046ED

Function 006D0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 006CF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,006D0D71,?,?,?,006B100A), ref: 006CF7CE

IsDebuggerPresent.KERNEL32(?,?,?,006B100A), ref: 006D0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,006B100A), ref: 006D0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 006D0D7F

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: eaccf5bd93a6828029516516ff45bed6185574a28787e02ab76278a9bbe72c31
Instruction ID: d0fc6e27288e6cf2a14ba077feebf8c9e7bc9274ccbbab2f33bb3c6f1c5fd561
Opcode Fuzzy Hash: eaccf5bd93a6828029516516ff45bed6185574a28787e02ab76278a9bbe72c31
Instruction Fuzzy Hash: 7EE06DB46003118BE3A0AFB8E8047827BE6BF04741F00892FE482C6751DBF8E4448BA5

Function 006CE398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 006CE3D5

Strings

8%x, xrefs: 006CE3CA
0%x, xrefs: 006CE3B5

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%x$8%x
API String ID: 1385522511-415883279
Opcode ID: 9c018a40a1998f8330142128940fc285b35a0655d2b05371a03d063cc9904108
Instruction ID: ec3e1ba3f0825dc9d757712fe2247146231e5cb59e620d88b5a0e93e5ac6af8c
Opcode Fuzzy Hash: 9c018a40a1998f8330142128940fc285b35a0655d2b05371a03d063cc9904108
Instruction Fuzzy Hash: 8CE026318D8990CBCA04A798B85CFA833B7EB0A321B2041FDE006876D3DB393943874C

Function 00723017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0072302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00723044

Strings

aut, xrefs: 00723038

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: edf2a9920c037e915d76ce04af241efb504f6c20812be43801251fe8023d4654
Instruction ID: 46f4615d314129eea6799226db1870f02237e7ee7ac774325b91f63b8c7086a4
Opcode Fuzzy Hash: edf2a9920c037e915d76ce04af241efb504f6c20812be43801251fe8023d4654
Instruction Fuzzy Hash: 5DD05EB654132867DA60A7A4AC0EFCB3A6CEB05750F0042A2B655E6091DBF89984CAD8

Function 0070D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0070D220

Strings

%.3d, xrefs: 0070D22B
X64, xrefs: 0070D2A8

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 9e4b403e8397f2418929a7dd3948dd7087ce7664625d736b4219be46307fca8e
Instruction ID: 5267befdfbc92bcc266b6d4e456e7f7d353bd9e558c99fbfe81d7d24db2e3449
Opcode Fuzzy Hash: 9e4b403e8397f2418929a7dd3948dd7087ce7664625d736b4219be46307fca8e
Instruction Fuzzy Hash: D2D012A1809318EACBA097D0CC49DB9B3FDFB08341F508566F90A92080D76CCD08AB65

Function 00742356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0074236C
PostMessageW.USER32(00000000), ref: 00742373

Part of subcall function 0071E97B: Sleep.KERNEL32 ref: 0071E9F3

Strings

Shell_TrayWnd, xrefs: 00742365

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 05ed3bf375ead76cd3cb654722000cad3d8da4fa4d522edd1ccf89fdcb98116b
Instruction ID: bd3ea0114958b268b2bd52d3ed6c53fc82e164f916ea171d7a60dcba574a09ac
Opcode Fuzzy Hash: 05ed3bf375ead76cd3cb654722000cad3d8da4fa4d522edd1ccf89fdcb98116b
Instruction Fuzzy Hash: 0FD0A976382300BAE6A8A3309C0FFCAA6149B02B00F0089127706AA0D0CAA8B8008A48

Function 00742322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0074232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0074233F

Part of subcall function 0071E97B: Sleep.KERNEL32 ref: 0071E9F3

Strings

Shell_TrayWnd, xrefs: 00742325

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 1cf72bca060485f80bd38a5bbb67b0ef29dd70e929e59b348aa50c18b543f509
Instruction ID: 15381b4803fbf9282a30b558dc54feca417c9961b3f413c58cfbc5792bccf25c
Opcode Fuzzy Hash: 1cf72bca060485f80bd38a5bbb67b0ef29dd70e929e59b348aa50c18b543f509
Instruction Fuzzy Hash: F6D0227A381300B7E6A8B330DC0FFCABA149B01B00F00C913770AAA0D0CAF8B800CA48

Function 006EBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 006EBE93
GetLastError.KERNEL32 ref: 006EBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 006EBEFC

Memory Dump Source

Source File: 00000000.00000002.1745474304.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1745310696.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745557899.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745607755.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1745632258.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 0f8f1f9521d0148104d8dc930527798a7a4ada707e59f2d13b0fdcf541389cc1
Instruction ID: 5d6206b32af7b5aa28c9b50f343b3bf2f085562192ecaeb1110c0c0889a0c4ac
Opcode Fuzzy Hash: 0f8f1f9521d0148104d8dc930527798a7a4ada707e59f2d13b0fdcf541389cc1
Instruction Fuzzy Hash: B841E734602386AFCF218FA6CC44AFB7BA6AF41350F149169F959573A1DB308D01CB65

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 151.101.193.91 151.101.193.91
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000D.00000003.1818319765.000001CCF6D4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1878692758.0000062E54203000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1878692758.0000062E54203000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/Z equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1818319765.000001CCF6D4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1817611864.000001CCF2D3F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1887766640.000001CCF2D4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1881342024.000001CCF7B66000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1814571172.000001CCF7B66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1815252044.000001CCF6B7E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1824244835.000001CCF6EBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1815252044.000001CCF6BB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1815252044.000001CCF6B7E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1824244835.000001CCF6EBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1815252044.000001CCF6BB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1817611864.000001CCF2D3F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1902551446.000001CCEC09A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1887766640.000001CCF2D4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1814571172.000001CCF7B66000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1815252044.000001CCF6BCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1894709494.000001CCEE559000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1894709494.000001CCEE559000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1815252044.000001CCF6B7E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1824244835.000001CCF6EBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1815252044.000001CCF6BB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1815252044.000001CCF6B7E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1824244835.000001CCF6EBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1815252044.000001CCF6BB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.2939224125.0000024FC4C03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2938434541.000001AF6E80C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.2939224125.0000024FC4C03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2938434541.000001AF6E80C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000002.2939224125.0000024FC4C03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2938434541.000001AF6E80C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.2939224125.0000024FC4C03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/&O equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.2939224125.0000024FC4C03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/&O equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000002.2939224125.0000024FC4C03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/&O equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1824244835.000001CCF6EBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1818319765.000001CCF6D4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1858689624.000001CCF6EBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1884262283.000001CCF34F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1817611864.000001CCF2D3F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1902551446.000001CCEC09A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1878692758.0000062E54203000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comZ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1814571172.000001CCF7B66000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1815252044.000001CCF6BCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1884262283.000001CCF34F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1886215413.000001CCF34F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1897446962.000001CCF34F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1896907300.000001CCEC34C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.193.91:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49820 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49819 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49818 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_255b4412-0df3-4832-be32-5037f020fd1a.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_255b4412-0df3-4832-be32-5037f020fd1a.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre